General
-
Target
a4ed242cae44c8b0bf982ba536e7f4a4_JaffaCakes118
-
Size
4.3MB
-
Sample
240818-cab5zssapq
-
MD5
a4ed242cae44c8b0bf982ba536e7f4a4
-
SHA1
1468ccf6396f93cdae03b81aed87ea2211b9a4fa
-
SHA256
c05dcc1cf5041eb12034132df4ae105c6abccae45e18a11b102f6d8340f68e6c
-
SHA512
099dfeef428a0a294aea746b37fead0d6e77d8ec21a23ad567630975b1c0cb41e6c3e031879efc10ec1c7adb25473cebbb094492a4a30f79021c44dff925eb58
-
SSDEEP
98304:J1Dvlv8ATz3d3v0UF7MT22iN9BwU1fzu74IalBu7gurBW:JP0ATLdzK22iN9Rte41U7ggW
Static task
static1
Behavioral task
behavioral1
Sample
a4ed242cae44c8b0bf982ba536e7f4a4_JaffaCakes118.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
a4ed242cae44c8b0bf982ba536e7f4a4_JaffaCakes118.exe
Resource
win10v2004-20240802-en
Malware Config
Extracted
socelars
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.znsjis.top/
Extracted
redline
jamesoldd
65.108.20.195:6774
Extracted
redline
ANI
45.142.215.47:27643
Extracted
nullmixer
http://hsiens.xyz/
Extracted
gcleaner
gcl-page.biz
194.145.227.161
Targets
-
-
Target
a4ed242cae44c8b0bf982ba536e7f4a4_JaffaCakes118
-
Size
4.3MB
-
MD5
a4ed242cae44c8b0bf982ba536e7f4a4
-
SHA1
1468ccf6396f93cdae03b81aed87ea2211b9a4fa
-
SHA256
c05dcc1cf5041eb12034132df4ae105c6abccae45e18a11b102f6d8340f68e6c
-
SHA512
099dfeef428a0a294aea746b37fead0d6e77d8ec21a23ad567630975b1c0cb41e6c3e031879efc10ec1c7adb25473cebbb094492a4a30f79021c44dff925eb58
-
SSDEEP
98304:J1Dvlv8ATz3d3v0UF7MT22iN9BwU1fzu74IalBu7gurBW:JP0ATLdzK22iN9Rte41U7ggW
-
Detect Fabookie payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SectopRAT payload
-
Socelars payload
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious access to, or copying of, a web browser credential store.
-
OnlyLogger payload
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of SetThreadContext
-
-
Target
setup_installer.exe
-
Size
4.2MB
-
MD5
9f43bed8b556e336e31fffd998ee3c96
-
SHA1
4d7f5c2f94ee2decbffabacf215c96f67b35082c
-
SHA256
39d8e994e92ec6911df5b675ae73f86acb6a27272b40b6caa2f13f3ffc7c10a5
-
SHA512
e28c7bf18f7c9c5ead776afa2eedc4f42717bd53f0b63655543a8f2c85fee8f9972f009b7d5583035267b3b017f0bc139ab8850e8fe3251e989f78facafe62d4
-
SSDEEP
98304:xo/QBfOIwn4pJji/xEFWLHkAtkSLPoBTOi8ogrzTag:xo/qFw4pJjHWjkAWSLoBL8ogryg
-
Detect Fabookie payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SectopRAT payload
-
Socelars payload
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious access to, or copying of, a web browser credential store.
-
OnlyLogger payload
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Defense Evasion
- Modify Registry (2)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)