General

  • Target

    7d7f808e68925f4f2fa92c973fd66c85_JaffaCakes118

  • Size

    5.7MB

  • Sample

    241030-b8l76stgjg

  • MD5

    7d7f808e68925f4f2fa92c973fd66c85

  • SHA1

    404499bcaae18710e165e43ddf25260502b2c014

  • SHA256

    205b3ed8bb5aaa874ef73d4a47206b16a42397e7d77422936dfa6eb39f038ab6

  • SHA512

    705e0e3fee137f977ea727c481f733b17ea1bcce7cc4587f4a2954e1ed7f7137d48f30f2d35aff52a213aa571dd679f729325fd0f38e5e733eca22297f3f0ae0

  • SSDEEP

    98304:yI9DF+Y8t0zwh1Ri6dF7SU7m11oJSgu1B7XrMMJ0KG8LvSo2zYsBMbU2A++YY9fD:yyFU0zwf06TSG21Y3gZbMc0KG8b92zdh

Malware Config

Extracted

Family

nullmixer

C2

http://marisana.xyz/

Extracted

Family

vidar

Version

40

Botnet

706

C2

https://lenak513.tumblr.com/

Attributes
  • profile_id

    706

Targets

    • Target

      7d7f808e68925f4f2fa92c973fd66c85_JaffaCakes118

    • Size

      5.7MB

    • MD5

      7d7f808e68925f4f2fa92c973fd66c85

    • SHA1

      404499bcaae18710e165e43ddf25260502b2c014

    • SHA256

      205b3ed8bb5aaa874ef73d4a47206b16a42397e7d77422936dfa6eb39f038ab6

    • SHA512

      705e0e3fee137f977ea727c481f733b17ea1bcce7cc4587f4a2954e1ed7f7137d48f30f2d35aff52a213aa571dd679f729325fd0f38e5e733eca22297f3f0ae0

    • SSDEEP

      98304:yI9DF+Y8t0zwh1Ri6dF7SU7m11oJSgu1B7XrMMJ0KG8LvSo2zYsBMbU2A++YY9fD:yyFU0zwf06TSG21Y3gZbMc0KG8b92zdh

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    • Nullmixer family

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • Privateloader family

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      setup_installer.exe

    • Size

      5.7MB

    • MD5

      5d15d2119fc180ca529dc71803b5022e

    • SHA1

      7baebeba43ee7387969e715ad41d2523fa0943de

    • SHA256

      75f6455387008a86d306dffcabd6bdd534e5c265829c02dd3b26f2ec03190abf

    • SHA512

      cbae444a2e235c8bf14226afe8f2b044cd98309b09cc9708b4347e7b77b464f5ec417918f57225878fd41357df45d04bb8a98b14e23c00eb245a6717abcde2c6

    • SSDEEP

      98304:xZCvLUBsgZ7yEcW+4YqMPpf8UEBUxPtT1tDvC+K6UvNgOIgdgg/InSlWiVSf:xSLUCgNRfOTB51tlrBFgdgUOwJVE

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    • Nullmixer family

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • Privateloader family

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks