General
-
Target
ea7d5de7982f0a08bff6d8e6f17cf664_JaffaCakes118
-
Size
4.0MB
-
Sample
240409-vpkd1sdb73
-
MD5
ea7d5de7982f0a08bff6d8e6f17cf664
-
SHA1
68c86999e908f4c8e362c2591fd4c8e5907e6410
-
SHA256
ba15a8b7d1ecc6348ee4806b0903afdf5917a595a909ce529e85cacd197c6e77
-
SHA512
71a6684cb0d6007261eb81ef4936d2233971d501983b4e70a55143458a8581f615bd83208edc09c75ee9552318506ccfe44a7842d26bbcc31334c103a61face6
-
SSDEEP
98304:y1jCOwXLeMP+g2GQ0Y/zDQoKMN3lk60fi+Lw6A:y1jCOwqQ+RGGPVBNOhLw6A
Static task
static1
Behavioral task
behavioral1
Sample
ea7d5de7982f0a08bff6d8e6f17cf664_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
ea7d5de7982f0a08bff6d8e6f17cf664_JaffaCakes118.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
setup_installer.exe
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
setup_installer.exe
Resource
win10v2004-20240226-en
Malware Config
Extracted
nullmixer
http://marisana.xyz/
Extracted
privateloader
http://37.0.10.214/proxies.txt
http://37.0.10.171/server.txt
http://wfsdragon.ru/api/setStats.php
37.0.10.185
Extracted
smokeloader
pub6
Extracted
smokeloader
2020
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
Extracted
redline
pab3
185.215.113.15:61506
Extracted
vidar
40
706
https://lenak513.tumblr.com/
-
profile_id
706
Extracted
cryptbot
knurxh28.top
moraku02.top
-
payload_url
http://sargym03.top/download.php?file=lv.exe
Targets
-
-
Target
ea7d5de7982f0a08bff6d8e6f17cf664_JaffaCakes118
-
Size
4.0MB
-
MD5
ea7d5de7982f0a08bff6d8e6f17cf664
-
SHA1
68c86999e908f4c8e362c2591fd4c8e5907e6410
-
SHA256
ba15a8b7d1ecc6348ee4806b0903afdf5917a595a909ce529e85cacd197c6e77
-
SHA512
71a6684cb0d6007261eb81ef4936d2233971d501983b4e70a55143458a8581f615bd83208edc09c75ee9552318506ccfe44a7842d26bbcc31334c103a61face6
-
SSDEEP
98304:y1jCOwXLeMP+g2GQ0Y/zDQoKMN3lk60fi+Lw6A:y1jCOwqQ+RGGPVBNOhLw6A
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SectopRAT payload
-
Vidar Stealer
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
-
-
Target
setup_installer.exe
-
Size
3.9MB
-
MD5
7ae4349cc7e8c98084c05e2085b56645
-
SHA1
db7a339d5731471435450be094ba711ca7194685
-
SHA256
b89fdf606986324fa9260f434dc1561d716985d0886fba180b88f3afb9dec729
-
SHA512
5196ac4aa9ca69c342fa5a391f011881db608600cbfbfb4ae1391477ec59aa83846c955ed73573a09828b7b574a5a0b07e19871245ac19518c03480b9fc8ec3d
-
SSDEEP
98304:xaCvLUBsgxkKH8DBAPbT7J7go2i2JjQCQ+gHhjPrLi:x7LUCgSKH84zGo2i2Jc1BHi
-
CryptBot payload
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SectopRAT payload
-
Vidar Stealer
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1