fabookie | 0584f6800c4533fed15172dc1e632f763f109996cbd547322bda14b177b1fe8b

General

Target

0584f6800c4533fed15172dc1e632f763f109996cbd547322bda14b177b1fe8bN.exe
Size

7.8MB
MD5

bdb200d8273ed24b82d573c6a03390d0
SHA1

38c899c550dc2ed7419d68019068a3c5000862db
SHA256

0584f6800c4533fed15172dc1e632f763f109996cbd547322bda14b177b1fe8b
SHA512

abf46241aa2470761bc9da8abdc9c4f9409da8baa14e41886a0b8ca6bc2c1ee79af2662dd9f97bc8519a47b2c482ecae40be2468ddb468e3c4733f8e500becba
SSDEEP

196608:4V1FEWiFroH6UWwuSSbUhMu95+AkWDJVMAXuPV+D3jk:0Ko6bU624ApFCAeoDjk

Score

10^/10

fabookie discovery persistence spyware stealer upx

Malware Config

Signatures

Detect Fabookie payload 2 IoCs

resource	yara_rule
behavioral2/memory/320-75-0x0000000000400000-0x00000000004B1000-memory.dmp	family_fabookie
behavioral2/memory/320-84-0x0000000000400000-0x00000000004B1000-memory.dmp	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie

Detected Nirsoft tools 4 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/3412-63-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/files/0x000200000001e6fc-68.dat	Nirsoft
behavioral2/memory/320-75-0x0000000000400000-0x00000000004B1000-memory.dmp	Nirsoft
behavioral2/memory/320-84-0x0000000000400000-0x00000000004B1000-memory.dmp	Nirsoft

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	0584f6800c4533fed15172dc1e632f763f109996cbd547322bda14b177b1fe8bN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Data.exe

Executes dropped EXE 5 IoCs

pid	Process
8	Data.exe
3856	id6.exe
320	hjjgaa.exe
3412	jfiag_gg.exe
536	jfiag_gg.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000d00000001695d-50.dat	upx
behavioral2/memory/320-54-0x0000000000400000-0x00000000004B1000-memory.dmp	upx
behavioral2/files/0x000200000001e6fc-58.dat	upx
behavioral2/memory/3412-60-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3412-63-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/320-75-0x0000000000400000-0x00000000004B1000-memory.dmp	upx
behavioral2/memory/320-84-0x0000000000400000-0x00000000004B1000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kissq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kissq.exe"	hjjgaa.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hjjgaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jfiag_gg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jfiag_gg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0584f6800c4533fed15172dc1e632f763f109996cbd547322bda14b177b1fe8bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Data.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	id6.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
536	jfiag_gg.exe
536	jfiag_gg.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3856	id6.exe
3856	id6.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4752 wrote to memory of 8	4752	0584f6800c4533fed15172dc1e632f763f109996cbd547322bda14b177b1fe8bN.exe	86
PID 4752 wrote to memory of 8	4752	0584f6800c4533fed15172dc1e632f763f109996cbd547322bda14b177b1fe8bN.exe	86
PID 4752 wrote to memory of 8	4752	0584f6800c4533fed15172dc1e632f763f109996cbd547322bda14b177b1fe8bN.exe	86
PID 8 wrote to memory of 3856	8	Data.exe	88
PID 8 wrote to memory of 3856	8	Data.exe	88
PID 8 wrote to memory of 3856	8	Data.exe	88
PID 8 wrote to memory of 320	8	Data.exe	89
PID 8 wrote to memory of 320	8	Data.exe	89
PID 8 wrote to memory of 320	8	Data.exe	89
PID 320 wrote to memory of 3412	320	hjjgaa.exe	90
PID 320 wrote to memory of 3412	320	hjjgaa.exe	90
PID 320 wrote to memory of 3412	320	hjjgaa.exe	90
PID 320 wrote to memory of 536	320	hjjgaa.exe	93
PID 320 wrote to memory of 536	320	hjjgaa.exe	93
PID 320 wrote to memory of 536	320	hjjgaa.exe	93

C:\Users\Admin\AppData\Local\Temp\0584f6800c4533fed15172dc1e632f763f109996cbd547322bda14b177b1fe8bN.exe
"C:\Users\Admin\AppData\Local\Temp\0584f6800c4533fed15172dc1e632f763f109996cbd547322bda14b177b1fe8bN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Data.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Data.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:8
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\id6.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\id6.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3856
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\hjjgaa.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\hjjgaa.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:320
  - - C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
      C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3412
  - - C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
      C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Data.exe

Filesize
7.8MB

MD5
10c097ea175ce929349cbdbc16906a40

SHA1
b9abe2164f2c737e0c4f491587db74408186c898

SHA256
0d07dc0d524325af5cfb3d03bc1391b4bd531a58f08e5f42e2d22bb62fa30c8b

SHA512
a52450da6bf5ec7f58656f8f3e94fe2e81d24b5777c3c6de9a10b807b01192cbaed61c303941619fb6cc980e9dec7a7f091d3250afd25c012d4f1fbe94a2a03c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\hjjgaa.exe

Filesize
374KB

MD5
f1943f33a9c218533c3a5ee74221addd

SHA1
951627588bbd1692886ac90fe1e590324e4e75b5

SHA256
1ce13a8b453a7fb0d5de876c155de43c43ca6cc2ddf1b905709e8f4cd71839cd

SHA512
219b50f7f968cbe02773f5d5a0903436e6093d1058457cbfc228074d7a45c14e2be93598f47c37041e6038017b86a63cf91624660f2ea751c5d262c8469e4b4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\id6.exe

Filesize
5.1MB

MD5
7e130016c5a924647f72dc510751e1e8

SHA1
59254a9a739e9e9458df96d39b95261093b4786e

SHA256
34fe9813cb9937132ecc906bcb6ef9fe0263f19cafba64e3eed8b625a93d0e00

SHA512
983727fb44e85cb89d47a80694edd34b081006d26ea4fffcf46ebfc7037267472dd7f23cd21f6b60111e30761a02cd1f259c13dfb0abbfe2653f3843f534e564

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt

Filesize
31B

MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt

Filesize
1KB

MD5
7201b9775c75e8762026541793f303b9

SHA1
890065cdba045a1034772ac1f3e37cb5b3cd693e

SHA256
dc84bea2cf452427a6d930d368ba6f5dd4d5f5f1d68a3b674a7a0c764548a468

SHA512
24de444e38c0e2ce99b7a39e1287510dae6e00cc21692090bc75a37e5162c5d7392ad481f8bc5263b2dcb8ac12e9d61d6cda3b5632611ffffe12e80fec94e55a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe

Filesize
184KB

MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe

Filesize
103KB

MD5
4d4c98eca32b14aeb074db34cd0881e4

SHA1
92f213d609bba05d41d6941652a88c44936663a4

SHA256
4182172a01bdfc08c5cf7e8652f7d9d81858345a770e2b6b507840e4c1c7764f

SHA512
959da8bbf6084e802ed366de8d240382b8a5ab2f18bc58881f42ecb7a8ed082d0e078b3ad18dbf90ac0a14cd491b5ac8b00cf1f0a266bdb7ebb8d95c5c71cacf

Download Submit
memory/320-54-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/320-75-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/320-84-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/3412-63-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3412-60-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3856-42-0x0000000010000000-0x00000000100E3000-memory.dmp

Filesize
908KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads