nullmixer | cd0e83d7ecf53143afa640ee49905b8292169fa7e5eafad521718a303e302322

Analysis

max time kernel
131s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-10-2024 03:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15ff88418d079a260219d1bc7f8c528a_JaffaCakes118.exe
Size

1.5MB
MD5

15ff88418d079a260219d1bc7f8c528a
SHA1

d26fe29f0ed3c4528e1ab6fa48fae7946f7d6250
SHA256

cd0e83d7ecf53143afa640ee49905b8292169fa7e5eafad521718a303e302322
SHA512

d4e1a94e0a30c7f38ca23ae264be276b9d5ae71d67c1164159ce7af2ddef352ad6a4c04935a711f7c472f1ac2830d4c1df5eed30062c52de067b27ca6e35184c
SSDEEP

49152:xcB6CpZgu29XTEwJ84vLRaBtIl9mTfPVHwCN/Z:xQZ29YCvLUBsK3yCRZ

Score

10^/10

nullmixer aspackv2 discovery dropper evasion trojan

Malware Config

Extracted

Family

nullmixer

http://marisana.xyz/

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

karotima_1.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	karotima_1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	karotima_1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	karotima_1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	karotima_1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	karotima_1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	karotima_1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	karotima_1.exe

NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
behavioral1/files/0x0008000000016d36-28.dat	aspack_v212_v242
behavioral1/files/0x0008000000016cfe-34.dat	aspack_v212_v242
behavioral1/files/0x0007000000016d1b-40.dat	aspack_v212_v242
behavioral1/files/0x0007000000016d0b-33.dat	aspack_v212_v242

Executes dropped EXE 3 IoCs

Processes:

setup_install.exekarotima_1.exekarotima_2.exe

pid	Process
2668	setup_install.exe
2028	karotima_1.exe
920	karotima_2.exe

Loads dropped DLL 26 IoCs

Processes:

15ff88418d079a260219d1bc7f8c528a_JaffaCakes118.exesetup_install.execmd.exekarotima_1.execmd.exekarotima_2.exeWerFault.exeWerFault.exe

pid	Process
2440	15ff88418d079a260219d1bc7f8c528a_JaffaCakes118.exe
2440	15ff88418d079a260219d1bc7f8c528a_JaffaCakes118.exe
2440	15ff88418d079a260219d1bc7f8c528a_JaffaCakes118.exe
2668	setup_install.exe
2668	setup_install.exe
2668	setup_install.exe
2668	setup_install.exe
2668	setup_install.exe
2668	setup_install.exe
2668	setup_install.exe
2668	setup_install.exe
2396	cmd.exe
2028	karotima_1.exe
2028	karotima_1.exe
3052	cmd.exe
3052	cmd.exe
920	karotima_2.exe
920	karotima_2.exe
920	karotima_2.exe
2128	WerFault.exe
2128	WerFault.exe
2128	WerFault.exe
2016	WerFault.exe
2016	WerFault.exe
2016	WerFault.exe
2016	WerFault.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
2	ipinfo.io
3	ipinfo.io
9	api.db-ip.com
10	api.db-ip.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
2128	920	WerFault.exe	35
2016	2668	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

karotima_2.exe15ff88418d079a260219d1bc7f8c528a_JaffaCakes118.exesetup_install.execmd.exekarotima_1.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	karotima_2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	15ff88418d079a260219d1bc7f8c528a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	karotima_1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

15ff88418d079a260219d1bc7f8c528a_JaffaCakes118.exesetup_install.execmd.execmd.exekarotima_2.exe

description	pid	Process	procid_target
PID 2440 wrote to memory of 2668	2440	15ff88418d079a260219d1bc7f8c528a_JaffaCakes118.exe	30
PID 2440 wrote to memory of 2668	2440	15ff88418d079a260219d1bc7f8c528a_JaffaCakes118.exe	30
PID 2440 wrote to memory of 2668	2440	15ff88418d079a260219d1bc7f8c528a_JaffaCakes118.exe	30
PID 2440 wrote to memory of 2668	2440	15ff88418d079a260219d1bc7f8c528a_JaffaCakes118.exe	30
PID 2440 wrote to memory of 2668	2440	15ff88418d079a260219d1bc7f8c528a_JaffaCakes118.exe	30
PID 2440 wrote to memory of 2668	2440	15ff88418d079a260219d1bc7f8c528a_JaffaCakes118.exe	30
PID 2440 wrote to memory of 2668	2440	15ff88418d079a260219d1bc7f8c528a_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2396	2668	setup_install.exe	32
PID 2668 wrote to memory of 2396	2668	setup_install.exe	32
PID 2668 wrote to memory of 2396	2668	setup_install.exe	32
PID 2668 wrote to memory of 2396	2668	setup_install.exe	32
PID 2668 wrote to memory of 2396	2668	setup_install.exe	32
PID 2668 wrote to memory of 2396	2668	setup_install.exe	32
PID 2668 wrote to memory of 2396	2668	setup_install.exe	32
PID 2396 wrote to memory of 2028	2396	cmd.exe	34
PID 2396 wrote to memory of 2028	2396	cmd.exe	34
PID 2396 wrote to memory of 2028	2396	cmd.exe	34
PID 2396 wrote to memory of 2028	2396	cmd.exe	34
PID 2396 wrote to memory of 2028	2396	cmd.exe	34
PID 2396 wrote to memory of 2028	2396	cmd.exe	34
PID 2396 wrote to memory of 2028	2396	cmd.exe	34
PID 2668 wrote to memory of 3052	2668	setup_install.exe	33
PID 2668 wrote to memory of 3052	2668	setup_install.exe	33
PID 2668 wrote to memory of 3052	2668	setup_install.exe	33
PID 2668 wrote to memory of 3052	2668	setup_install.exe	33
PID 2668 wrote to memory of 3052	2668	setup_install.exe	33
PID 2668 wrote to memory of 3052	2668	setup_install.exe	33
PID 2668 wrote to memory of 3052	2668	setup_install.exe	33
PID 3052 wrote to memory of 920	3052	cmd.exe	35
PID 3052 wrote to memory of 920	3052	cmd.exe	35
PID 3052 wrote to memory of 920	3052	cmd.exe	35
PID 3052 wrote to memory of 920	3052	cmd.exe	35
PID 3052 wrote to memory of 920	3052	cmd.exe	35
PID 3052 wrote to memory of 920	3052	cmd.exe	35
PID 3052 wrote to memory of 920	3052	cmd.exe	35
PID 920 wrote to memory of 2128	920	karotima_2.exe	36
PID 920 wrote to memory of 2128	920	karotima_2.exe	36
PID 920 wrote to memory of 2128	920	karotima_2.exe	36
PID 920 wrote to memory of 2128	920	karotima_2.exe	36
PID 920 wrote to memory of 2128	920	karotima_2.exe	36
PID 920 wrote to memory of 2128	920	karotima_2.exe	36
PID 920 wrote to memory of 2128	920	karotima_2.exe	36
PID 2668 wrote to memory of 2016	2668	setup_install.exe	37
PID 2668 wrote to memory of 2016	2668	setup_install.exe	37
PID 2668 wrote to memory of 2016	2668	setup_install.exe	37
PID 2668 wrote to memory of 2016	2668	setup_install.exe	37
PID 2668 wrote to memory of 2016	2668	setup_install.exe	37
PID 2668 wrote to memory of 2016	2668	setup_install.exe	37
PID 2668 wrote to memory of 2016	2668	setup_install.exe	37

C:\Users\Admin\AppData\Local\Temp\15ff88418d079a260219d1bc7f8c528a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\15ff88418d079a260219d1bc7f8c528a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Users\Admin\AppData\Local\Temp\7zS88964D76\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS88964D76\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c karotima_1.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2396
  - - C:\Users\Admin\AppData\Local\Temp\7zS88964D76\karotima_1.exe
      karotima_1.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c karotima_2.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3052
  - - C:\Users\Admin\AppData\Local\Temp\7zS88964D76\karotima_2.exe
      karotima_2.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:920
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 264
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2128
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 368
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS88964D76\karotima_1.txt

Filesize
1.0MB

MD5
9108ad5775c76cccbb4eadf02de24f5d

SHA1
82996bc4f72b3234536d0b58630d5d26bcf904b0

SHA256
c9d5525b2f2b76087121039ee1c23ed35508e60f653479722ec64ea3a064878e

SHA512
19021a28555bba1fe1bdcdc8845f1bcadebd256c7db02b9329d6b44ae01a123a00e162cc34a97ba51f088cafa6f54ab1de8f82f771ac54b94a3a796f84f73362

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS88964D76\karotima_2.txt

Filesize
329KB

MD5
6a67f50ea0a6144b4b8fcb9eae55a9b5

SHA1
599af5e17ed6661da5cc3aac09a6a0d59d778db9

SHA256
f6bedb7a14c1903d5700977ebe016a08686fda28e9ca87ac9b02c3b8a0441514

SHA512
00ba0c6faa83d2ec21cfcd09f329a7c0552017a162131dd22f71483bc4feb03219654132c8e1fce9eec0fe9f7eeaf9b0aa99c4e11bd2ae2b8d298f69836a57ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS88964D76\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS88964D76\libstdc++-6.dll

Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS88964D76\setup_install.exe

Filesize
287KB

MD5
89a2b4f76b49d86cae4e45db4acb1fa7

SHA1
b052cd7a070cb3330536957ca602241d6c5d60ad

SHA256
1aed64d0ce5510fe76ebff2322915303dd46f1129b83a9a89ec1e6ec0d31dba6

SHA512
894a1eaefcbce2dc5f422b0f1628cc6b02b51c2a5718605ff13a0a613c12feb144736939fe353d9a21c3b979bc81fe44c11c9e7076500ee2568a85a264135a54

Download Submit
\Users\Admin\AppData\Local\Temp\7zS88964D76\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
\Users\Admin\AppData\Local\Temp\7zS88964D76\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
\Users\Admin\AppData\Local\Temp\7zS88964D76\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
\Users\Admin\AppData\Local\Temp\CC4F.tmp

Filesize
1.2MB

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
memory/920-92-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2440-26-0x0000000002850000-0x000000000296E000-memory.dmp

Filesize
1.1MB

Download
memory/2440-27-0x0000000002850000-0x000000000296E000-memory.dmp

Filesize
1.1MB

Download
memory/2668-59-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2668-52-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2668-63-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2668-56-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2668-61-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2668-60-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2668-38-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2668-58-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2668-57-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2668-55-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2668-54-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2668-53-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2668-50-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2668-62-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2668-51-0x0000000064941000-0x000000006494F000-memory.dmp

Filesize
56KB

Download
memory/2668-49-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2668-48-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2668-47-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2668-46-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2668-35-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2668-91-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2668-90-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/2668-89-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2668-88-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2668-87-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2668-86-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2668-29-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download