Overview

overview

10

Static

static

7

FreeSpoofe...T].exe

windows7-x64

9

FreeSpoofe...T].exe

windows10-2004-x64

9

FreeSpoofe...er.exe

windows7-x64

10

FreeSpoofe...er.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    FreeSpoofer.zip

  • Size

    25.2MB

  • Sample

    241121-yzspxswpgx

  • MD5

    395ecd48037ecc8ecc9fe07b591787a3

  • SHA1

    016e11a2dab3ed2d5b588d99d33ab9dfdb95d422

  • SHA256

    2e29359adc345fbef1d0a2f082d441d600d9c616586303938609d025e8ac98fb

  • SHA512

    91e7f21f78848f259d2f8e43593fbbf9333a6009690ef1574104e8b7e8e129c33be8f58b6fb9412aaa9fce3198e4ea710b91c196490e6ef1ff16185028da8f11

  • SSDEEP

    393216:CNyP7ixYoewSbBkqSZKxZUwZWupZNNQ6Hi14ODNNEPc9OcQbhatuz85iq/pn8cr:2yP7ZLBkNoWufA6C14EXEOVQbD8WY

Score
10/10
xmrigdiscoveryevasionexecutionminerpersistenceprivilege_escalationthemidatrojan

Malware Config

Targets

    • Target

      FreeSpoofer/AppleCleaner [I DO NOT OWN IT].exe

    • Size

      3.6MB

    • MD5

      f96eb2236970fb3ea97101b923af4228

    • SHA1

      e0eed80f1054acbf5389a7b8860a4503dd3e184a

    • SHA256

      46fe5192387d3f897a134d29c069ebf39c72094c892134d2f0e77b12b11a6172

    • SHA512

      2fd2d28c5f571d40b43a4dd7a22d367ba42420c29627f21ca0a2052070ffb9f689d80dad638238189eed26ed19af626f47e70f1207e10007041c620dac323cc7

    • SSDEEP

      98304:z7m+ij9HD0+jCihNRkl/W6aG/wcKnfu8NUT6Ko:e+y4ihkl/Wo/afHPb

    Score
    9/10
    discoveryevasionthemidatrojanpersistenceprivilege_escalation

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Modifies Windows Firewall

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops desktop.ini file(s)

    • Network Service Discovery

      Attempt to gather information on host's network.

      discovery

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      FreeSpoofer/Loader.exe

    • Size

      26.4MB

    • MD5

      aec49804a232eb45a7cf41e2dfef37fc

    • SHA1

      5cedbd522c3c40305f6d656f57edf9b6a89d7e21

    • SHA256

      deb7985a8f9a56f2dcbfdd4c5fa4732daad89ce82733818915f3a4e07c2d3b09

    • SHA512

      ad9cf94db9a109e0f3a191169025c4f5ec86aca68937c373380dcb84c728b5817bf5e7bee8eea47b7cb82f5415234ab08a53f26030a5573d574477571f3a3d3d

    • SSDEEP

      786432:pfjx8ZSLqcnnTNPefii+ydGI5mM3y9nEDQ:pfadJy9nQQ

    Score
    10/10
    xmrigdiscoveryevasionexecutionminerpersistence

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xmrig family

      xmrig

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • XMRig Miner payload

      miner

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Looks for VMWare Tools registry key

      evasion

    • Sets service image path in registry

      persistence

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

3
T1059

PowerShell

2
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

2
T1112

Virtualization/Sandbox Evasion

3
T1497

Credential Access

Discovery

Browser Information Discovery

1
T1217

Network Service Discovery

1
T1046

Peripheral Device Discovery

1
T1120

Query Registry

9
T1012

System Information Discovery

8
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Virtualization/Sandbox Evasion

3
T1497

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks