Overview

overview

10

Static

static

3

ef06ab5cd5...18.exe

windows7-x64

10

ef06ab5cd5...18.exe

windows10-2004-x64

10

setup_installer.exe

windows7-x64

10

setup_installer.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ef06ab5cd57598acc6b4222249dbe5b4_JaffaCakes118

  • Size

    1.5MB

  • Sample

    240412-d2td1sdg46

  • MD5

    ef06ab5cd57598acc6b4222249dbe5b4

  • SHA1

    97e4d2abceaa96a2a671a86749c61bc0a6a4aefb

  • SHA256

    3675ddb9d16e43fd54dd441f57a0aa0c20ae7b6a85b81f2b867c753c3503934f

  • SHA512

    ffa705ba0f0850bf1dfe76ec4a664ba3fdad6c3533c0cf15eb33f80ca7e74812a905f0a96d28bcf8785eebd0a69874c28bf12bc86b4b42904230fa4c62d1f6e1

  • SSDEEP

    24576:Eg5N+6z3egEPDrLEF4ejyClVmoFdej0ry2tdAWem7e1FB7yYHIwAQyTlCFuxUhqR:Eg/+6zOgELMF4eVpFEiy2trqr75oHHl7

Score
10/10
nullmixersmokeloaderpub6aspackv2backdoordropperevasionspywarestealertrojan

Malware Config

Extracted

Family

nullmixer

C2

http://marisana.xyz/

Extracted

Family

smokeloader

Botnet

pub6

Extracted

Family

smokeloader

Version

2020

C2

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/
rc4.i32
rc4.i32

Targets

    • Target

      ef06ab5cd57598acc6b4222249dbe5b4_JaffaCakes118

    • Size

      1.5MB

    • MD5

      ef06ab5cd57598acc6b4222249dbe5b4

    • SHA1

      97e4d2abceaa96a2a671a86749c61bc0a6a4aefb

    • SHA256

      3675ddb9d16e43fd54dd441f57a0aa0c20ae7b6a85b81f2b867c753c3503934f

    • SHA512

      ffa705ba0f0850bf1dfe76ec4a664ba3fdad6c3533c0cf15eb33f80ca7e74812a905f0a96d28bcf8785eebd0a69874c28bf12bc86b4b42904230fa4c62d1f6e1

    • SSDEEP

      24576:Eg5N+6z3egEPDrLEF4ejyClVmoFdej0ry2tdAWem7e1FB7yYHIwAQyTlCFuxUhqR:Eg/+6zOgELMF4eVpFEiy2trqr75oHHl7

    Score
    10/10
    nullmixersmokeloaderpub6aspackv2backdoordropperevasionspywarestealertrojan

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

      droppernullmixer

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

    • Target

      setup_installer.exe

    • Size

      1.5MB

    • MD5

      0d9f7ef9fc85315c134a06c483f0a694

    • SHA1

      9a8f6eb079f6f1c8421a0f78bb5387b061d843b8

    • SHA256

      5d0215d15cc28fd783808e7fe1103cff029e1a1caa1370057c6e5cf9c00d1b2a

    • SHA512

      9f1574b81a80126e606cadb17b9556474f38929ffdb8ccf5ce330ffaa0f83e4f818c885f7c1c3b204b3011b1db4ebcff0ba3e96406878f3e873e7cdc22e703bd

    • SSDEEP

      24576:xcVkKSGXCeomdCFDWHp/7F82Py2nNEPY/RQ5DsvLwcaBhdZIl9mTqUf+HDpFWndF:xcBNCpZgu2PyONEwJ84vLRaBtIl9mTiw

    Score
    10/10
    nullmixersmokeloaderpub6aspackv2backdoordropperevasionspywarestealertrojan

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

      droppernullmixer

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks