Extracted

Extracted

• • Target

    53186ce79e6468105c773438acbe87f1_JaffaCakes118

  • Size

    2.6MB

  • MD5

    53186ce79e6468105c773438acbe87f1

  • SHA1

    de01fcb76fbabf23a120cee47467b0256704e37a

  • SHA256

    9dbdfabbc99542e1c94b7a29eaf437b7fa4c898c4add1a677b126257ae54f94e

  • SHA512

    b711bb7536ed70391db73ccf54ea5f0bb841aa9f0e2c5e97a693cbf3a68caac9511260d4f8acfbb6a86cdae89b4e958cb465c4b440bb62df30cb67806357e7a6

  • SSDEEP

    49152:SunqyEbov0BhJ/0xMW5InyH/tp/pmBCXjn98XEEibJcXDNX:SKqycMnpfzh/n9IiA

  Score

  10^/10

  ffdroiderredlinesectopratbuild1discoveryexecutioninfostealerpersistenceratstealertrojanvmprotectevasionspyware

  • FFDroider

    Stealer targeting social media platform users first seen in April 2022.

    stealerffdroider

  • FFDroider payload

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine payload

  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat

  • SectopRAT payload

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • VMProtect packed file

    Detects executables packed with VMProtect commercial packer.

    vmprotect

  • Adds Run key to start application

    persistence

  • Checks whether UAC is enabled

    evasiontrojan

  • Legitimate hosting services abused for malware hosting/C2

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2