fabookie | a0a31143210c4b5693a2b56ad3dc115a579a8780c054ca264634cf4eb88a396d

General

Target

f08eebafc57117e85e90572ac0704bd1_JaffaCakes118.exe
Size

4.3MB
MD5

f08eebafc57117e85e90572ac0704bd1
SHA1

ee0a44d28283210110bd43af410e4dcf12559adc
SHA256

a0a31143210c4b5693a2b56ad3dc115a579a8780c054ca264634cf4eb88a396d
SHA512

e26c2b87ea41904842a96e73849151e2f14e5a2588bdbd9a862aead2bbe4587092a82f52d5ccdc0edc7bea7beada70d27d355fde8b71d596dc22db0b36212034
SSDEEP

98304:tB86bvOdNQ+BOgTfI1xEzWgEbFM7g2vSQMfc2NNynzC:86+NpgxcEpglMf9yn

Score

10^/10

fabookie discovery persistence spyware stealer upx vmprotect

Malware Config

Signatures

Detect Fabookie payload 1 IoCs

resource	yara_rule
behavioral2/memory/2112-0-0x0000000000AB0000-0x00000000011DA000-memory.dmp	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie

Detected Nirsoft tools 2 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/2128-10-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/4612-22-0x0000000000400000-0x0000000000422000-memory.dmp	Nirsoft

Executes dropped EXE 2 IoCs

pid	Process
2128	jfiag_gg.exe
4612	jfiag_gg.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000c000000023317-6.dat	upx
behavioral2/memory/2128-7-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2128-10-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/files/0x000c000000023317-15.dat	upx
behavioral2/memory/4612-16-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/4612-22-0x0000000000400000-0x0000000000422000-memory.dmp	upx

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/2112-0-0x0000000000AB0000-0x00000000011DA000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kissq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kissq.exe"	f08eebafc57117e85e90572ac0704bd1_JaffaCakes118.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f08eebafc57117e85e90572ac0704bd1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jfiag_gg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jfiag_gg.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4612	jfiag_gg.exe
4612	jfiag_gg.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2128	2112	f08eebafc57117e85e90572ac0704bd1_JaffaCakes118.exe	84
PID 2112 wrote to memory of 2128	2112	f08eebafc57117e85e90572ac0704bd1_JaffaCakes118.exe	84
PID 2112 wrote to memory of 2128	2112	f08eebafc57117e85e90572ac0704bd1_JaffaCakes118.exe	84
PID 2112 wrote to memory of 4612	2112	f08eebafc57117e85e90572ac0704bd1_JaffaCakes118.exe	88
PID 2112 wrote to memory of 4612	2112	f08eebafc57117e85e90572ac0704bd1_JaffaCakes118.exe	88
PID 2112 wrote to memory of 4612	2112	f08eebafc57117e85e90572ac0704bd1_JaffaCakes118.exe	88

C:\Users\Admin\AppData\Local\Temp\f08eebafc57117e85e90572ac0704bd1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f08eebafc57117e85e90572ac0704bd1_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
  C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2128
- C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
  C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt

Filesize
31B

MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt

Filesize
1KB

MD5
3e393a09cd691dc246438311627f4479

SHA1
362b0a6e39c40cb12a8849b7ac37bae7cd58ae9e

SHA256
6393e6283b017d9a5885fb5da169c856c34dd2ed5e82d3dc0374eb7eba5e5ae2

SHA512
9067927be1521a3d462b7f01ce3dd83ad5398fabc38afb7db6b2371148b47c33362765ffcb7936669f59cec29cfac00cf62b290061e5d02db778e6d018d837aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe

Filesize
61KB

MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe

Filesize
184KB

MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
memory/2112-0-0x0000000000AB0000-0x00000000011DA000-memory.dmp

Filesize
7.2MB

Download
memory/2128-7-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2128-10-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4612-16-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4612-22-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads