fabookie | 4d27b20738d72f05c725b269b3592f91fe1f8d107b2bdf6f1a66101f68c92fc6

General

Target

5dab6e73afd5e3c7e73b4f5003f8b394_JaffaCakes118.exe
Size

4.2MB
MD5

5dab6e73afd5e3c7e73b4f5003f8b394
SHA1

70423263f4588db8dc4ad73b1b48eee476da29d3
SHA256

4d27b20738d72f05c725b269b3592f91fe1f8d107b2bdf6f1a66101f68c92fc6
SHA512

fd64e722f7d348573a27c04414454536b3f0fafdb5cfb90fd925f0d114f0c7960bb5d01d3be29fb1cb65491c4d95d0deebebc837f0e976497660a5d8a41f6c46
SSDEEP

98304:0OghJVFG+lTLiUkIo7dkbYtxrETHMU6Lvj9lO6t1IrICgyhg:4VxlTyIk4sUujBQrNj

Score

10^/10

fabookie persistence spyware stealer upx vmprotect

Malware Config

Signatures

Detect Fabookie payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1484-0-0x0000000000AF0000-0x0000000001214000-memory.dmp	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie

Nirsoft 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2968-10-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/3732-22-0x0000000000400000-0x0000000000422000-memory.dmp	Nirsoft

Executes dropped EXE 2 IoCs

Processes:

jfiag_gg.exejfiag_gg.exe

pid	Process
2968	jfiag_gg.exe
3732	jfiag_gg.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/files/0x00080000000233d0-6.dat	upx
behavioral2/memory/2968-8-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2968-10-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/files/0x00080000000233d0-15.dat	upx
behavioral2/memory/3732-16-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/3732-22-0x0000000000400000-0x0000000000422000-memory.dmp	upx

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/1484-0-0x0000000000AF0000-0x0000000001214000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5dab6e73afd5e3c7e73b4f5003f8b394_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kissq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kissq.exe"	5dab6e73afd5e3c7e73b4f5003f8b394_JaffaCakes118.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
3	ip-api.com

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

jfiag_gg.exe

pid	Process
3732	jfiag_gg.exe
3732	jfiag_gg.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

5dab6e73afd5e3c7e73b4f5003f8b394_JaffaCakes118.exe

description	pid	Process	procid_target
PID 1484 wrote to memory of 2968	1484	5dab6e73afd5e3c7e73b4f5003f8b394_JaffaCakes118.exe	81
PID 1484 wrote to memory of 2968	1484	5dab6e73afd5e3c7e73b4f5003f8b394_JaffaCakes118.exe	81
PID 1484 wrote to memory of 2968	1484	5dab6e73afd5e3c7e73b4f5003f8b394_JaffaCakes118.exe	81
PID 1484 wrote to memory of 3732	1484	5dab6e73afd5e3c7e73b4f5003f8b394_JaffaCakes118.exe	84
PID 1484 wrote to memory of 3732	1484	5dab6e73afd5e3c7e73b4f5003f8b394_JaffaCakes118.exe	84
PID 1484 wrote to memory of 3732	1484	5dab6e73afd5e3c7e73b4f5003f8b394_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\5dab6e73afd5e3c7e73b4f5003f8b394_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5dab6e73afd5e3c7e73b4f5003f8b394_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
  C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
  C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt

Filesize
31B

MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt

Filesize
1KB

MD5
ec0766000b2f53a6cb091a9fcfe68101

SHA1
9eb88dc49fa23b048ca635b5aa16364f6abc29ee

SHA256
7dbeddd1fe35b2e08d1500a155e26173a78bd1d731e4c59986f2d85ed4e2579e

SHA512
1daa3e8614b2bd9e44bf4019f1a4a8b3b02106b3577fb9b35ad6b833bed1772033408e788e0a891fe81f5a5b1c185ea63428ff5f0ccec966eaeba8db0a7a8fc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe

Filesize
61KB

MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe

Filesize
184KB

MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
memory/1484-0-0x0000000000AF0000-0x0000000001214000-memory.dmp

Filesize
7.1MB

Download
memory/2968-8-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2968-10-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3732-16-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3732-22-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads