General
-
Target
98d129283fccf504adb59f2ff02bdf76_JaffaCakes118
-
Size
3.3MB
-
Sample
241125-djlw8a1ken
-
MD5
98d129283fccf504adb59f2ff02bdf76
-
SHA1
8113b09b48cda4b933b7621915ede9ec80b4438b
-
SHA256
6e19816cb41452f85a6f40216c40140066ea8bc999d81e378dd3b5daefd26347
-
SHA512
d973ae7652aaaad55f7eadca5a640047aeeb9761995f4096e6fa7d92dc09899f9ce8e593d540b83b6471a69f015d1d81eafa94a8e8edf2b5be5bccba1c31d9d2
-
SSDEEP
98304:yfIUwCB+IqvVH1/KhodEgl5fLkA0HhkL/DR/JEL:yfIbC4Iqv1xKhGEwTkDBs/tBe
Malware Config
Extracted
nullmixer
http://watira.xyz/
Extracted
ffdroider
http://186.2.171.3
Targets
-
-
Target
98d129283fccf504adb59f2ff02bdf76_JaffaCakes118
-
Size
3.3MB
-
MD5
98d129283fccf504adb59f2ff02bdf76
-
SHA1
8113b09b48cda4b933b7621915ede9ec80b4438b
-
SHA256
6e19816cb41452f85a6f40216c40140066ea8bc999d81e378dd3b5daefd26347
-
SHA512
d973ae7652aaaad55f7eadca5a640047aeeb9761995f4096e6fa7d92dc09899f9ce8e593d540b83b6471a69f015d1d81eafa94a8e8edf2b5be5bccba1c31d9d2
-
SSDEEP
98304:yfIUwCB+IqvVH1/KhodEgl5fLkA0HhkL/DR/JEL:yfIbC4Iqv1xKhGEwTkDBs/tBe
Score10/10-
FFDroider
Stealer targeting social media platform users first seen in April 2022.
-
FFDroider payload
-
Ffdroider family
-
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
-
Nullmixer family
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
Privateloader family
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar family
-
Vidar Stealer
-
ASPack v2.12-2.42
Detects executables packed with ASPack v2.12-2.42
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
VMProtect packed file
Detects executables packed with VMProtect commercial packer.
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
setup_installer.exe
-
Size
3.3MB
-
MD5
89086cb8af781cacdb7f54885b9f3c93
-
SHA1
90dd7b1f35b151efa68e691212a9fdd72188faef
-
SHA256
1c8fd4b23994f2dbffb0f51debe3551b796ab2bc280242c325de14d650ecb227
-
SHA512
d7b2d92536a6bfabc80f3b12284df5969e3b4f3d47c6c44e0b7702a043915e31914161be9b76f2d9db88ca47788eaa6522f6d1475b4b15a9d7c68379b041037f
-
SSDEEP
98304:xcCvLUBsg15yFwpAsltDqdgI/N3hTDoZMur:xBLUCgeMr2d/F39oX
Score10/10-
FFDroider
Stealer targeting social media platform users first seen in April 2022.
-
FFDroider payload
-
Ffdroider family
-
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
-
Nullmixer family
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
Privateloader family
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar family
-
Vidar Stealer
-
ASPack v2.12-2.42
Detects executables packed with ASPack v2.12-2.42
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
VMProtect packed file
Detects executables packed with VMProtect commercial packer.
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Defense Evasion
Modify Registry
1Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1