General
- Target: ab6a2896f6b05c4acb603916a2fd88ab_JaffaCakes118
- Size: 3.3MB
- Sample: 241128-hvaqjswjcj
- MD5: ab6a2896f6b05c4acb603916a2fd88ab
- SHA1: 956383c9f678c5d8a68bc52145f663cd7553cdcc
- SHA256: 4927f0b88f61a54fb9c8d14081cd5a80c6c6f358e8431af76fda5a5366d81aa8
- SHA512: 9d167ce51fadcd076ba7371e723555b2ff63932014b82671f5bf354fd6b58ee2fd3b9af0d6717b81bfe16a79c137e9a3170314fc48778b5d04c1ce8eec36b66d
- SSDEEP: 49152:EgcAx7veS1WN/Xt5E58xtDnX3r6g1YlRl0d8MajBdF9QsCt3e5F+IUgjOmWRrKI+:JF2S1WLeqpy/y8MuLON4j4KIVeB4Ybxz
- Static task: static1
- Behavioral task: behavioral1 (Sample: ab6a2896f6b05c4acb603916a2fd88ab_JaffaCakes118.exe; Resource: win7-20241023-en)
- Behavioral task: behavioral2 (Sample: ab6a2896f6b05c4acb603916a2fd88ab_JaffaCakes118.exe; Resource: win10v2004-20241007-en)
- Behavioral task: behavioral3 (Sample: setup_installer.exe; Resource: win7-20240708-en)
Malware Config
- Extracted (nullmixer): http://marisana.xyz/
Targets

- Target: ab6a2896f6b05c4acb603916a2fd88ab_JaffaCakes118
- Size: 3.3MB
- MD5, SHA1, SHA256, SHA512, SSDEEP: identical to the values listed under General above
- Nullmixer family
- PrivateLoader: PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
- Privateloader family
- Vidar family
- Xmrig family
- Vidar Stealer
- XMRig Miner payload
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
- Target: setup_installer.exe
- Size: 3.3MB
- MD5: 71f8873392df70981a5e02f4d33930dd
- SHA1: 66cacadd474eded6b3582389c96866d0dee8ff4b
- SHA256: e17ed5dd93ee4943d5b6776705d3b149f8e426d0c1d44a57f467d31e55f47892
- SHA512: e55eeedc6c114c85cb0ee13d8f11907504deeae731bcf6c4a204b394ba3e21c4a2c8ff47adb28eea979ee179050e4225f8ba57abbb2d2c361c561b89a6ca2db8
- SSDEEP: 98304:x6eKfE9KlGB9z8qTsF5iOew3qrCvLUBsK5L3ECz:xT/9HHoGDQLUCK5T
- Nullmixer family
- PrivateLoader: PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
- Privateloader family
- Vidar family
- Vidar Stealer
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Enterprise v15
Defense Evasion
- Modify Registry (1)
- Subvert Trust Controls (1)
- Install Root Certificate (1)
Credential Access
- Credentials from Password Stores (1)
- Credentials from Web Browsers (1)
- Unsecured Credentials (2)
- Credentials In Files (2)