Overview

overview

10

Static

static

3

a128c5bc06...18.exe

windows7-x64

10

a128c5bc06...18.exe

windows10-2004-x64

10

setup_installer.exe

windows7-x64

10

setup_installer.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a128c5bc0609f0871555f4e66bb19717_JaffaCakes118

  • Size

    3.3MB

  • Sample

    241126-lht57s1rfp

  • MD5

    a128c5bc0609f0871555f4e66bb19717

  • SHA1

    3b7c2d36a7bd94d6d57c73a1dbfd783948422979

  • SHA256

    a282005eef80a8f19035835337c495306785cd4b6452cff47ea42c89e32f2001

  • SHA512

    328faa0446b56613df66824e4e43a6f6e7e9d093d088433d84f9bf993610c3d40962d5c57cdeec79beda32971c0ff3274d61dba1fcbb424b813edc43e327d031

  • SSDEEP

    49152:9gRiwI8xQ4T7zXz6mEDmxu9/d9EvK7NIPIc1vhnkau3hSbx/krAP7Kp32aAgAA5a:y0g7RWYu9/Evxl1uphUxgymGaAxAt9bE

Score
10/10
ffdroidernullmixerprivateloadervidar706aspackv2discoverydropperevasionloaderspywarestealertrojanvmprotect

Malware Config

Extracted

Family

nullmixer

C2

http://marisana.xyz/

Extracted

Family

ffdroider

C2

http://186.2.171.3

Extracted

Family

vidar

Version

40

Botnet

706

C2

https://lenak513.tumblr.com/

Attributes
  • profile_id

    706

Targets

    • Target

      a128c5bc0609f0871555f4e66bb19717_JaffaCakes118

    • Size

      3.3MB

    • MD5

      a128c5bc0609f0871555f4e66bb19717

    • SHA1

      3b7c2d36a7bd94d6d57c73a1dbfd783948422979

    • SHA256

      a282005eef80a8f19035835337c495306785cd4b6452cff47ea42c89e32f2001

    • SHA512

      328faa0446b56613df66824e4e43a6f6e7e9d093d088433d84f9bf993610c3d40962d5c57cdeec79beda32971c0ff3274d61dba1fcbb424b813edc43e327d031

    • SSDEEP

      49152:9gRiwI8xQ4T7zXz6mEDmxu9/d9EvK7NIPIc1vhnkau3hSbx/krAP7Kp32aAgAA5a:y0g7RWYu9/Evxl1uphUxgymGaAxAt9bE

    Score
    10/10
    ffdroidernullmixerprivateloadervidar706aspackv2discoverydropperloaderspywarestealervmprotectevasiontrojan

    • FFDroider

      Stealer targeting social media platform users first seen in April 2022.

      stealerffdroider

    • FFDroider payload

    • Ffdroider family

      ffdroider

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

      droppernullmixer

    • Nullmixer family

      nullmixer

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • Privateloader family

      privateloader

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

    • Target

      setup_installer.exe

    • Size

      3.3MB

    • MD5

      bc3529a39749e698e030aaed73343ac7

    • SHA1

      4420f1445bf7dd0ccb3e795ab77a1ce3e6f2501d

    • SHA256

      82445c54c2679f15b883f34a95ccdfec4828ad72dc5e609c9281c522561cb74b

    • SHA512

      12fe58c706cfe6590af9c36a0ae99ff33def04196c0cc5bea6684ea585c61186f98fd72e23be02535985460f56b122692378a90b03af98805096d4fddfd4e2be

    • SSDEEP

      98304:x3CvLUBsgd6KWbrA/pYp6pU2RmxRNpzV55zr6DJz:x0LUCg8bsRYoUygzVL45

    Score
    10/10
    ffdroidernullmixerprivateloadervidar706aspackv2discoverydropperloaderspywarestealervmprotectevasiontrojan

    • FFDroider

      Stealer targeting social media platform users first seen in April 2022.

      stealerffdroider

    • FFDroider payload

    • Ffdroider family

      ffdroider

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

      droppernullmixer

    • Nullmixer family

      nullmixer

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • Privateloader family

      privateloader

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks