General

  • Target

    888(life activitied).zip

  • Size

    85.0MB

  • Sample

    240428-zz3esshc34

  • MD5

    a2a01ffb986f3e8a815b12e9f5e97417

  • SHA1

    46f6c589e1234d11f5d2d59e4267dbb6466cf846

  • SHA256

    919b8906dc891e3dec2883b47a3cacbdc304482e2efa1edb44c4a2d641e8e302

  • SHA512

    31580d9631066487b7cf3d8d88cf0491ff4acff5c83efdee36cdc4390a4f2eef1209ef10438a7b10a506113563912ca53849973d7d7b47c02c2db4c22584a5bf

  • SSDEEP

    1572864:zYCWF5RLQqPD05Fq/2t2j0TpqbHF7TS6LQz/DIRVxLtCqHm++FTHlemi:zY5RLQqqYetQtTS6LQovxLtQ71i

Malware Config

Targets

    • Target

      888-RAT [Lifetime Activated]/888-RAT [Lifetime Activated].exe

    • Size

      2.2MB

    • MD5

      a4680e5a5f84ca01a426659d60cf83fb

    • SHA1

      30442fa61f339bba3b60de3938d44681ec49a14c

    • SHA256

      d9974f05d2e0b76f4d8515329473edf6d574a9b9b67361b7b9ab5eaf4bc54932

    • SHA512

      446852177a6b1cdf9e1c16da6e11a07f34de01688917539eb054f5d43b954486fb30897cbd483d9f1c687e92d8ef14ae733dd8c35f6dabab44fb3a9682f54bca

    • SSDEEP

      49152:PdYJMfC7koydmRzCxWO8e89khof23mnijV6WvFw3BAz2tIm0U3Nlf:Oc3vdUEWFvSfdw3rtImTf

    • 888RAT

      888RAT is an Android remote administration tool.

    • Android 888 RAT payload

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Target

      888-RAT [Lifetime Activated]/data/command-reciever.dat

    • Size

      79.2MB

    • MD5

      e9aa901042053b06723f6e14f95fe3c6

    • SHA1

      f7653cb6fc7c6dd17900abdc7a4307570aca50d6

    • SHA256

      f4023630eddd4ee944149279d641604764e442592d98b9720874c69e02d84fb5

    • SHA512

      272410435e51a59856cd9dcf7bfba852a9d7055a71fff00491ad45eab9025799a97bebfcdcaab787b17c35263edb9e0b36df63cbcf190969092c2f355406a313

    • SSDEEP

      1572864:9+geRT13w3TbMlFaT9re/8v1qrqxXlUcFY3rT4FDfhPMETIuCNBrO:9+r13wmgJr0YlUcFYglfhPYS

    Score
    7/10
    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Target

      888-RAT [Lifetime Activated]/data/user-interface.dat

    • Size

      5.6MB

    • MD5

      b8703418e6c3d1ccd83b8d178ab9f4c9

    • SHA1

      6fb0e1e0ee5bc745f52a1c29e3cf4b88a2298dd6

    • SHA256

      d6e9972976881d3dad7ac2a0c66cd7dd81420908aae8b00195a02fdf756cfc5e

    • SHA512

      75ff6e911691e3d0d32c25d4b6d275a2b6157dae418ce5507f3e3f1b321c3f0dee516b7db0fd6588860019a19862f43c5335c465829de7a418a71999b71cfc3f

    • SSDEEP

      98304:sbl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6Ucf:s6OuK6mn9NzgMoYkSIvUcwti7TQlvciA

    Score
    7/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks