Overview
overview
10Static
static
70hS8ndFapM...Jf.exe
windows7-x64
100hS8ndFapM...Jf.exe
windows10-2004-x64
100rr48RlGuy...xg.exe
windows7-x64
80rr48RlGuy...xg.exe
windows10-2004-x64
821oenuW1qn...e5.exe
windows7-x64
1021oenuW1qn...e5.exe
windows10-2004-x64
1025jZMPTiQq...9r.exe
windows7-x64
1025jZMPTiQq...9r.exe
windows10-2004-x64
1028NEs4WOAb...Dx.exe
windows7-x64
928NEs4WOAb...Dx.exe
windows10-2004-x64
92DWwzYoIDs...wH.exe
windows7-x64
102DWwzYoIDs...wH.exe
windows10-2004-x64
104sqg3EO3n4...E3.exe
windows7-x64
104sqg3EO3n4...E3.exe
windows10-2004-x64
106IvhC9RrHt...Qm.exe
windows7-x64
106IvhC9RrHt...Qm.exe
windows10-2004-x64
106K69WRpYoP...wA.exe
windows7-x64
36K69WRpYoP...wA.exe
windows10-2004-x64
76RVcR1WSzn...fp.exe
windows7-x64
36RVcR1WSzn...fp.exe
windows10-2004-x64
77UwyHmKx00...KA.exe
windows7-x64
97UwyHmKx00...KA.exe
windows10-2004-x64
988wncypnTK...tt.exe
windows7-x64
88wncypnTK...tt.exe
windows10-2004-x64
18Jw_RggGj5...71.exe
windows7-x64
78Jw_RggGj5...71.exe
windows10-2004-x64
7A04WVFPeCH...H9.exe
windows7-x64
10A04WVFPeCH...H9.exe
windows10-2004-x64
10A5ulgq_bFX...0Z.exe
windows7-x64
10A5ulgq_bFX...0Z.exe
windows10-2004-x64
10AU3ie6Mv1v...zZ.exe
windows7-x64
10AU3ie6Mv1v...zZ.exe
windows10-2004-x64
10Analysis
-
max time kernel
149s -
max time network
157s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
10-11-2024 12:00
Behavioral task
behavioral1
Sample
0hS8ndFapMyi9bpBTCoeqfJf.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
0hS8ndFapMyi9bpBTCoeqfJf.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
0rr48RlGuyf8MbsABD4Fd5xg.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
0rr48RlGuyf8MbsABD4Fd5xg.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
21oenuW1qnqk7qUsHH7Z2We5.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
21oenuW1qnqk7qUsHH7Z2We5.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
25jZMPTiQqNIVH0Cs2hi6z9r.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
25jZMPTiQqNIVH0Cs2hi6z9r.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
28NEs4WOAbFCrw46bjrvW6Dx.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
28NEs4WOAbFCrw46bjrvW6Dx.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
2DWwzYoIDsZeXAHrWMUgq7wH.exe
Resource
win7-20241010-en
Behavioral task
behavioral12
Sample
2DWwzYoIDsZeXAHrWMUgq7wH.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
4sqg3EO3n4bilXTOwELzdyE3.exe
Resource
win7-20240729-en
Behavioral task
behavioral14
Sample
4sqg3EO3n4bilXTOwELzdyE3.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
6IvhC9RrHtvRf0BCVttVUFQm.exe
Resource
win7-20240708-en
Behavioral task
behavioral16
Sample
6IvhC9RrHtvRf0BCVttVUFQm.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
6K69WRpYoPgt3vIoWRXmpAwA.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
6K69WRpYoPgt3vIoWRXmpAwA.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
6RVcR1WSznUXUS8RtLypZMfp.exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
6RVcR1WSznUXUS8RtLypZMfp.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
7UwyHmKx00aB7vI0W6MvnkKA.exe
Resource
win7-20241023-en
Behavioral task
behavioral22
Sample
7UwyHmKx00aB7vI0W6MvnkKA.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
88wncypnTKvKj7Uwab0iiutt.exe
Resource
win7-20240708-en
Behavioral task
behavioral24
Sample
88wncypnTKvKj7Uwab0iiutt.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
8Jw_RggGj5lBX2auQAnIQe71.exe
Resource
win7-20240729-en
Behavioral task
behavioral26
Sample
8Jw_RggGj5lBX2auQAnIQe71.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
A04WVFPeCHaejSnQmBHCogH9.exe
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
A04WVFPeCHaejSnQmBHCogH9.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
A5ulgq_bFXMyWAYNZZbTBZ0Z.exe
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
A5ulgq_bFXMyWAYNZZbTBZ0Z.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
AU3ie6Mv1vmus72LuhNF2jzZ.exe
Resource
win7-20240903-en
Behavioral task
behavioral32
Sample
AU3ie6Mv1vmus72LuhNF2jzZ.exe
Resource
win10v2004-20241007-en
General
-
Target
25jZMPTiQqNIVH0Cs2hi6z9r.exe
-
Size
1.7MB
-
MD5
6753c0fadc839415e31b170b5df98fc7
-
SHA1
7adbd92546bc0516013c0f6832ea272cf0606c60
-
SHA256
01550ee84ac5a220197177182fd2f3f9c9e845b416d06a384384e3cd62ecb569
-
SHA512
92c0264046f1293b02ccccbb3cb5b80510d2d3a1d1caff23815adb4c715d0aced08e57682c6dcb76fdca70eb46bc819db2a763f050f74de27fbb3946dca504ab
-
SSDEEP
49152:pAI+r+g7ELp4UtaupKvwS9IBfgUtckcL1YsNP:pAI+CvK88wScgUAL1Ys5
Malware Config
Extracted
ffdroider
http://152.32.151.93
Signatures
-
Detect Fabookie payload 1 IoCs
resource yara_rule behavioral7/files/0x00050000000194c3-42.dat family_fabookie -
FFDroider payload 1 IoCs
resource yara_rule behavioral7/memory/2716-49-0x0000000000400000-0x0000000000644000-memory.dmp family_ffdroider -
Fabookie family
-
Ffdroider family
-
Detected Nirsoft tools 2 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource yara_rule behavioral7/memory/1824-62-0x0000000000400000-0x000000000045B000-memory.dmp Nirsoft behavioral7/memory/1852-114-0x0000000000400000-0x0000000000422000-memory.dmp Nirsoft -
Executes dropped EXE 5 IoCs
pid Process 2688 customer3.exe 2716 md8_8eus.exe 2548 jooyu.exe 1824 jfiag3g_gg.exe 1852 jfiag3g_gg.exe -
Loads dropped DLL 9 IoCs
pid Process 1448 25jZMPTiQqNIVH0Cs2hi6z9r.exe 1448 25jZMPTiQqNIVH0Cs2hi6z9r.exe 1448 25jZMPTiQqNIVH0Cs2hi6z9r.exe 1448 25jZMPTiQqNIVH0Cs2hi6z9r.exe 1448 25jZMPTiQqNIVH0Cs2hi6z9r.exe 2548 jooyu.exe 2548 jooyu.exe 2548 jooyu.exe 2548 jooyu.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 8 ip-api.com -
resource yara_rule behavioral7/files/0x00340000000162e4-51.dat upx behavioral7/memory/1824-59-0x0000000000400000-0x000000000045B000-memory.dmp upx behavioral7/memory/1824-62-0x0000000000400000-0x000000000045B000-memory.dmp upx behavioral7/files/0x00390000000162e4-100.dat upx behavioral7/memory/2548-101-0x0000000000210000-0x0000000000232000-memory.dmp upx behavioral7/memory/1852-114-0x0000000000400000-0x0000000000422000-memory.dmp upx -
Drops file in Program Files directory 5 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Company\NewProduct\customer3.exe 25jZMPTiQqNIVH0Cs2hi6z9r.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe 25jZMPTiQqNIVH0Cs2hi6z9r.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\jooyu.exe 25jZMPTiQqNIVH0Cs2hi6z9r.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\Uninstall.exe 25jZMPTiQqNIVH0Cs2hi6z9r.exe File created C:\Program Files (x86)\Company\NewProduct\Uninstall.ini 25jZMPTiQqNIVH0Cs2hi6z9r.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jfiag3g_gg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 25jZMPTiQqNIVH0Cs2hi6z9r.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jooyu.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language md8_8eus.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jfiag3g_gg.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1852 jfiag3g_gg.exe -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 1448 wrote to memory of 2688 1448 25jZMPTiQqNIVH0Cs2hi6z9r.exe 30 PID 1448 wrote to memory of 2688 1448 25jZMPTiQqNIVH0Cs2hi6z9r.exe 30 PID 1448 wrote to memory of 2688 1448 25jZMPTiQqNIVH0Cs2hi6z9r.exe 30 PID 1448 wrote to memory of 2688 1448 25jZMPTiQqNIVH0Cs2hi6z9r.exe 30 PID 1448 wrote to memory of 2716 1448 25jZMPTiQqNIVH0Cs2hi6z9r.exe 31 PID 1448 wrote to memory of 2716 1448 25jZMPTiQqNIVH0Cs2hi6z9r.exe 31 PID 1448 wrote to memory of 2716 1448 25jZMPTiQqNIVH0Cs2hi6z9r.exe 31 PID 1448 wrote to memory of 2716 1448 25jZMPTiQqNIVH0Cs2hi6z9r.exe 31 PID 1448 wrote to memory of 2548 1448 25jZMPTiQqNIVH0Cs2hi6z9r.exe 32 PID 1448 wrote to memory of 2548 1448 25jZMPTiQqNIVH0Cs2hi6z9r.exe 32 PID 1448 wrote to memory of 2548 1448 25jZMPTiQqNIVH0Cs2hi6z9r.exe 32 PID 1448 wrote to memory of 2548 1448 25jZMPTiQqNIVH0Cs2hi6z9r.exe 32 PID 2548 wrote to memory of 1824 2548 jooyu.exe 35 PID 2548 wrote to memory of 1824 2548 jooyu.exe 35 PID 2548 wrote to memory of 1824 2548 jooyu.exe 35 PID 2548 wrote to memory of 1824 2548 jooyu.exe 35 PID 2548 wrote to memory of 1852 2548 jooyu.exe 36 PID 2548 wrote to memory of 1852 2548 jooyu.exe 36 PID 2548 wrote to memory of 1852 2548 jooyu.exe 36 PID 2548 wrote to memory of 1852 2548 jooyu.exe 36
Processes
-
C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe"C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1448 -
C:\Program Files (x86)\Company\NewProduct\customer3.exe"C:\Program Files (x86)\Company\NewProduct\customer3.exe"2⤵
- Executes dropped EXE
PID:2688
-
-
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2716
-
-
C:\Program Files (x86)\Company\NewProduct\jooyu.exe"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1824
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1852
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
244KB
MD51daac0c9a48a79976539b0722f9c3d3b
SHA1843218f70a6a7fd676121e447b5b74acb0d87100
SHA256e496ce805aa5b3ed8e1898803a536c683d031c5a61b2a54e5c89e02c4febecdf
SHA5122259e6e27e6ca6155b50bc0dfd8c3f9f1a31db53c8b4d1811e94e927e30aba2ded4c92a34dfee042d96bd5fd7cbfdbb73d168cc8d66f9b3a37df40980d6dfebc
-
Filesize
971KB
MD5aed57d50123897b0012c35ef5dec4184
SHA1568571b12ca44a585df589dc810bf53adf5e8050
SHA256096021eb5950ee16b7ec51756abe05f90c3530206e16286e7610b8a5a544a85e
SHA512ea0ee3a0762baa3539e8026a8c624ad897efe005faadcf1ff67ebfc555f29b912b24ad4342d5e0c209f36f5288867246bd1bdfed7df739e608a72fa7b4fa2d7c
-
Filesize
829KB
MD5ce11de1000560d312bf6ab0b5327e87b
SHA1557f3f780cb0f694887ada330a87ba976cdb168f
SHA256126daa976d1eaec1bd68eb53748caa325fc537f865051dd0d5f09d599175861a
SHA512655b45bcf75a79c174caf6fae84560980511d068f67a89883f70b264e88983f729c604b3484fdcb8d8f8a83105e43d740fe70e7a006806136bc423453d769655
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
31B
MD5b7161c0845a64ff6d7345b67ff97f3b0
SHA1d223f855da541fe8e4c1d5c50cb26da0a1deb5fc
SHA256fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66
SHA51298d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680
-
Filesize
184KB
MD57fee8223d6e4f82d6cd115a28f0b6d58
SHA11b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA5123ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4
-
Filesize
61KB
MD5a6279ec92ff948760ce53bba817d6a77
SHA15345505e12f9e4c6d569a226d50e71b5a572dce2
SHA2568b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
SHA512213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c