General
Target: 7d7f808e68925f4f2fa92c973fd66c85_JaffaCakes118
Size: 5.7MB
Sample: 241030-b8l76stgjg
MD5: 7d7f808e68925f4f2fa92c973fd66c85
SHA1: 404499bcaae18710e165e43ddf25260502b2c014
SHA256: 205b3ed8bb5aaa874ef73d4a47206b16a42397e7d77422936dfa6eb39f038ab6
SHA512: 705e0e3fee137f977ea727c481f733b17ea1bcce7cc4587f4a2954e1ed7f7137d48f30f2d35aff52a213aa571dd679f729325fd0f38e5e733eca22297f3f0ae0
SSDEEP: 98304:yI9DF+Y8t0zwh1Ri6dF7SU7m11oJSgu1B7XrMMJ0KG8LvSo2zYsBMbU2A++YY9fD:yyFU0zwf06TSG21Y3gZbMc0KG8b92zdh
Static task: static1
Behavioral task: behavioral1
Sample: 7d7f808e68925f4f2fa92c973fd66c85_JaffaCakes118.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 7d7f808e68925f4f2fa92c973fd66c85_JaffaCakes118.exe
Resource: win10v2004-20241007-en
Behavioral task: behavioral3
Sample: setup_installer.exe
Resource: win7-20240903-en
Malware Config
Extracted: nullmixer
C2: http://marisana.xyz/
Extracted: vidar
Version: 40
Botnet: 706
C2: https://lenak513.tumblr.com/
Attributes: profile_id 706
Targets
Target: 7d7f808e68925f4f2fa92c973fd66c85_JaffaCakes118
Size: 5.7MB
MD5: 7d7f808e68925f4f2fa92c973fd66c85
SHA1: 404499bcaae18710e165e43ddf25260502b2c014
SHA256: 205b3ed8bb5aaa874ef73d4a47206b16a42397e7d77422936dfa6eb39f038ab6
SHA512: 705e0e3fee137f977ea727c481f733b17ea1bcce7cc4587f4a2954e1ed7f7137d48f30f2d35aff52a213aa571dd679f729325fd0f38e5e733eca22297f3f0ae0
SSDEEP: 98304:yI9DF+Y8t0zwh1Ri6dF7SU7m11oJSgu1B7XrMMJ0KG8LvSo2zYsBMbU2A++YY9fD:yyFU0zwf06TSG21Y3gZbMc0KG8b92zdh
- Nullmixer family
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
- Privateloader family
- Vidar family
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Vidar Stealer
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely as a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
  Calls NtSetInformationThread with the ThreadHideFromDebugger class, which stops an attached debugger from receiving events for that thread (anti-debugging).
Target: setup_installer.exe
Size: 5.7MB
MD5: 5d15d2119fc180ca529dc71803b5022e
SHA1: 7baebeba43ee7387969e715ad41d2523fa0943de
SHA256: 75f6455387008a86d306dffcabd6bdd534e5c265829c02dd3b26f2ec03190abf
SHA512: cbae444a2e235c8bf14226afe8f2b044cd98309b09cc9708b4347e7b77b464f5ec417918f57225878fd41357df45d04bb8a98b14e23c00eb245a6717abcde2c6
SSDEEP: 98304:xZCvLUBsgZ7yEcW+4YqMPpf8UEBUxPtT1tDvC+K6UvNgOIgdgg/InSlWiVSf:xSLUCgNRfOTB51tlrBFgdgUOwJVE
- Nullmixer family
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
- Privateloader family
- Vidar family
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Vidar Stealer
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely as a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
  Calls NtSetInformationThread with the ThreadHideFromDebugger class, which stops an attached debugger from receiving events for that thread (anti-debugging).
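The signature lists for both targets name behaviours rather than file indicators. The following Python is an added example for this page, not code from the sandbox vendor, the report or the samples: it turns those signature names into detection logic run over constructed Sysmon-style events. The registry paths, the ThreadHideFromDebugger information-class value and the two C2 hosts from the extracted configs are real; the IP-lookup and dead-drop watchlists, the file paths, pids and the helper.dll name are assumptions made for the demonstration, and "Contacts C2 from extracted config" is a label added here rather than one of the report's signatures.

```python
"""Run the report's signature list as detection logic over host telemetry.

Added example; not from the sandbox vendor, the report or the malware.
SAMPLE_EVENTS is constructed in the shape of Sysmon-style records; only
the two C2 hosts come from the extracted configs on this page.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Registry locations behind the anti-analysis signatures: BIOS strings
# (SystemBiosVersion, SystemManufacturer, ...), the ACPI tables only a
# VirtualBox guest exposes, and the GeoID used for geofencing.
BIOS_KEY = re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\BIOS\\", re.I)
VBOX_ACPI_KEY = re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I)
GEO_NATION_KEY = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)

THREAD_HIDE_FROM_DEBUGGER = 0x11  # THREADINFOCLASS ThreadHideFromDebugger

# Watchlists. IP_LOOKUP_HOSTS is a constructed list of public "what is my
# IP" services (the report does not name the one used). DEAD_DROP_HOSTS
# are blog/social platforms abused to publish the real C2 address.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "ipinfo.io", "icanhazip.com"}
DEAD_DROP_HOSTS = {"tumblr.com", "t.me", "telegram.me", "steamcommunity.com"}
# Indicators taken from the extracted configs on this page.
CONFIG_C2_HOSTS = {"marisana.xyz", "lenak513.tumblr.com"}


def host_in(host: str, watchlist: set) -> bool:
    """Exact or subdomain match against a watchlist of registrable hosts."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in watchlist)


def detect(events: Iterable[Dict]) -> Dict[str, List[str]]:
    """Return {signature name: [evidence, ...]} for one process tree.

    Dropped-file tracking is stateful: a FileCreate marks the path, and a
    later ProcessCreate/ImageLoad of that path fires the 'dropped' rules.
    """
    hits: Dict[str, List[str]] = defaultdict(list)
    dropped: set = set()
    for ev in events:
        kind = ev.get("type")
        if kind == "FileCreate":
            dropped.add(ev["path"].lower())
        elif kind == "ProcessCreate" and ev["image"].lower() in dropped:
            hits["Executes dropped EXE"].append(ev["image"])
        elif kind == "ImageLoad":
            img = ev["image"].lower()
            if img in dropped and img.endswith(".dll"):
                hits["Loads dropped DLL"].append(ev["image"])
        elif kind == "RegistryRead":
            path = ev["path"]
            if BIOS_KEY.search(path):
                hits["Checks BIOS information in registry"].append(path)
            elif VBOX_ACPI_KEY.search(path):
                hits["Identifies VirtualBox via ACPI registry values"].append(path)
            elif GEO_NATION_KEY.search(path):
                hits["Checks computer location settings"].append(path)
        elif kind == "ApiCall" and ev["api"] == "NtSetInformationThread":
            if ev.get("info_class") == THREAD_HIDE_FROM_DEBUGGER:
                hits["Suspicious use of NtSetInformationThreadHideFromDebugger"].append(
                    f"tid={ev.get('tid')}")
        elif kind == "HttpRequest":
            host = ev["host"]
            if host_in(host, IP_LOOKUP_HOSTS):
                hits["Looks up external IP address via web service"].append(host)
            if host_in(host, DEAD_DROP_HOSTS):
                hits["Legitimate hosting services abused for malware hosting/C2"].append(host)
            if host_in(host, CONFIG_C2_HOSTS):
                hits["Contacts C2 from extracted config"].append(host)
    return dict(hits)


# Constructed telemetry, ordered as the report's behaviours would occur.
# Paths, pids and helper.dll are assumptions; the hosts in the last two
# requests are the C2 hosts from the extracted configs.
SAMPLE_EVENTS = [
    {"type": "FileCreate", "pid": 1200,
     "path": r"C:\Users\user\AppData\Local\Temp\setup_installer.exe"},
    {"type": "ProcessCreate", "pid": 1300, "ppid": 1200,
     "image": r"C:\Users\user\AppData\Local\Temp\setup_installer.exe"},
    {"type": "FileCreate", "pid": 1300,
     "path": r"C:\Users\user\AppData\Local\Temp\helper.dll"},
    {"type": "ImageLoad", "pid": 1300,
     "image": r"C:\Users\user\AppData\Local\Temp\helper.dll"},
    {"type": "RegistryRead", "pid": 1300,
     "path": r"HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer"},
    {"type": "RegistryRead", "pid": 1300, "path": r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"},
    {"type": "RegistryRead", "pid": 1300, "path": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "ApiCall", "pid": 1300, "tid": 1304,
     "api": "NtSetInformationThread", "info_class": 0x11},
    {"type": "HttpRequest", "pid": 1300, "host": "api.ipify.org", "path": "/"},
    {"type": "HttpRequest", "pid": 1300, "host": "lenak513.tumblr.com", "path": "/"},
    {"type": "HttpRequest", "pid": 1300, "host": "marisana.xyz", "path": "/"},
]

if __name__ == "__main__":
    for sig, evidence in detect(SAMPLE_EVENTS).items():
        print(f"{sig}: {evidence}")
```

The dead-drop rule fires on the tumblr host because, as the config shows, the stealer fetches its real C2 address from a profile page on a legitimate platform; blocking the platform is rarely an option, so the useful alert is the combination of a fresh dropped executable, VM and geofence registry reads, and a first-ever request to such a host from that process tree.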
MITRE ATT&CK Enterprise v15 (number of matching signatures in parentheses)
Defense Evasion
- Modify Registry, T1112 (1)
- Subvert Trust Controls: Install Root Certificate, T1553.004 (1)
- Virtualization/Sandbox Evasion, T1497 (1)
Credential Access
- Credentials from Password Stores: Credentials from Web Browsers, T1555.003 (1)
- Unsecured Credentials: Credentials In Files, T1552.001 (1)