Extracted

Extracted

• • Target

    15fd29325e11aa1777bdde1e09829784_JaffaCakes118

  • Size

    3.2MB

  • MD5

    15fd29325e11aa1777bdde1e09829784

  • SHA1

    276c234a544054072593fb3b87e2a37f81e4f3c5

  • SHA256

    2ec6c6341ff83005a6515d942976d2092549312d419a29e59d0efb15d65749bf

  • SHA512

    53a1d60c2e6b679b89effb81da0cc0bce4d26644d5ce190258ce6d9821802bb8aa1f349a61567d4806f19acbcdb34e6a3cb66d72a4a8169223165c7396eda02d

  • SSDEEP

    98304:UbvDpNv9xyFximcWtxL4iZ1XxDLv6BFe6:UoxHcCLn3pLiBFe6

  Score

  10^/10

  ffdroiderprivateloadersocelarsdiscoveryevasionloaderspywarestealertrojanvmprotect

  • FFDroider

    Stealer targeting social media platform users first seen in April 2022.

    stealerffdroider

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    loaderprivateloader

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    stealersocelars

  • Socelars payload

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • VMProtect packed file

    Detects executables packed with VMProtect commercial packer.

    vmprotect

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Checks whether UAC is enabled

    evasiontrojan

  • Drops Chrome extension

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • AutoIT Executable

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2