a310logger | fdb6b5f3b83553b83111bd61152a4c4bd29996d778d6c118f52f01abd9435fe5

General

Target

b44f95c332073b28fe95157f470f8f2a_JaffaCakes118.exe
Size

1.0MB
MD5

b44f95c332073b28fe95157f470f8f2a
SHA1

ab9265412559d4992d540aa11f05d73e4f544374
SHA256

fdb6b5f3b83553b83111bd61152a4c4bd29996d778d6c118f52f01abd9435fe5
SHA512

25bd35d5bd9d233d9f0bc21afa1af51c2326a252d3afe16f65a22f17ec85bd7a73529b24f4408d20aa0aec84dc79339574f4e57f1876f480bbb6b23cc5aa8f4d
SSDEEP

24576:TqLcMNjfhbU37ea2y1c+ExsjMW/GpsPzKnWjT9:QFhfhYa1yes4vqmnWv

Score

10^/10

a310logger blustealer collection discovery spyware stealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot1945669405:AAEo5Zfx9GfeIsr07vB55CuJD00-glDv8-w/sendMessage?chat_id=1890833638

Signatures

A310logger
A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware a310logger
A310logger family
a310logger
BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer
Blustealer family
blustealer

A310logger Executable 2 IoCs

resource	yara_rule
behavioral1/files/0x000700000001939c-46.dat	a310logger
behavioral1/memory/2684-50-0x00000000009B0000-0x0000000000A62000-memory.dmp	a310logger

Executes dropped EXE 1 IoCs

pid	Process
2684	Fox.exe

Loads dropped DLL 1 IoCs

pid	Process
3008	b44f95c332073b28fe95157f470f8f2a_JaffaCakes118.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Fox.exe
Key opened	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Fox.exe
Key opened	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Fox.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2568 set thread context of 3008	2568	b44f95c332073b28fe95157f470f8f2a_JaffaCakes118.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b44f95c332073b28fe95157f470f8f2a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b44f95c332073b28fe95157f470f8f2a_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3008	b44f95c332073b28fe95157f470f8f2a_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3008	b44f95c332073b28fe95157f470f8f2a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 3008	2568	b44f95c332073b28fe95157f470f8f2a_JaffaCakes118.exe	31
PID 2568 wrote to memory of 3008	2568	b44f95c332073b28fe95157f470f8f2a_JaffaCakes118.exe	31
PID 2568 wrote to memory of 3008	2568	b44f95c332073b28fe95157f470f8f2a_JaffaCakes118.exe	31
PID 2568 wrote to memory of 3008	2568	b44f95c332073b28fe95157f470f8f2a_JaffaCakes118.exe	31
PID 2568 wrote to memory of 3008	2568	b44f95c332073b28fe95157f470f8f2a_JaffaCakes118.exe	31
PID 2568 wrote to memory of 3008	2568	b44f95c332073b28fe95157f470f8f2a_JaffaCakes118.exe	31
PID 2568 wrote to memory of 3008	2568	b44f95c332073b28fe95157f470f8f2a_JaffaCakes118.exe	31
PID 2568 wrote to memory of 3008	2568	b44f95c332073b28fe95157f470f8f2a_JaffaCakes118.exe	31
PID 2568 wrote to memory of 3008	2568	b44f95c332073b28fe95157f470f8f2a_JaffaCakes118.exe	31
PID 3008 wrote to memory of 2684	3008	b44f95c332073b28fe95157f470f8f2a_JaffaCakes118.exe	32
PID 3008 wrote to memory of 2684	3008	b44f95c332073b28fe95157f470f8f2a_JaffaCakes118.exe	32
PID 3008 wrote to memory of 2684	3008	b44f95c332073b28fe95157f470f8f2a_JaffaCakes118.exe	32
PID 3008 wrote to memory of 2684	3008	b44f95c332073b28fe95157f470f8f2a_JaffaCakes118.exe	32

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Fox.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Fox.exe

C:\Users\Admin\AppData\Local\Temp\b44f95c332073b28fe95157f470f8f2a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b44f95c332073b28fe95157f470f8f2a_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Users\Admin\AppData\Local\Temp\b44f95c332073b28fe95157f470f8f2a_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\b44f95c332073b28fe95157f470f8f2a_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

4

T1552

Credentials In Files

3

T1552.001

Credentials in Registry

1

T1552.002

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\TEMPLA~1\PKRF87~1.ZIP

Filesize
285KB

MD5
40a9752d59f2883e40d928f85a749008

SHA1
c60fb58eff64a7969b46f3934766f991352eeb47

SHA256
ef95540ec8dae3d255439fb847d26397c265b5cccda5ed0d6b9ed3dda14a2820

SHA512
ce33985f91103315accb1039635488d7e144df264bab8e164c1f9844ce6923e1c9c76349f14542901887ffcbbbca40b92cf474126f0b94893e8af1f608464b3c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe

Filesize
689KB

MD5
91b41651e6e9ab352805c6d35a297d08

SHA1
11b8eaa7b7941461bc952b11ec3f07d25dcd1c2e

SHA256
0872abe29cc9231cdded3a44e02a7ea17f09cf2ac2bdbd7077065858829c3723

SHA512
b0b0d73f6ac7b6e9b39db0fa58931873143f6559c3b8d3db2d82d453045f75da94f3236b6c6c5200b52af6cacc038565eb2e9c6a834608dac0b0e8bb45b1e892

Download Submit
memory/2568-19-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download
memory/2568-1-0x0000000000FC0000-0x00000000010C8000-memory.dmp

Filesize
1.0MB

Download
memory/2568-2-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download
memory/2568-3-0x0000000000250000-0x000000000026A000-memory.dmp

Filesize
104KB

Download
memory/2568-4-0x0000000073F5E000-0x0000000073F5F000-memory.dmp

Filesize
4KB

Download
memory/2568-5-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download
memory/2568-6-0x0000000005260000-0x0000000005330000-memory.dmp

Filesize
832KB

Download
memory/2568-7-0x0000000005450000-0x00000000054B6000-memory.dmp

Filesize
408KB

Download
memory/2568-0-0x0000000073F5E000-0x0000000073F5F000-memory.dmp

Filesize
4KB

Download
memory/2684-50-0x00000000009B0000-0x0000000000A62000-memory.dmp

Filesize
712KB

Download
memory/3008-9-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3008-16-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3008-8-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3008-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3008-14-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3008-10-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3008-52-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download

Analysis

Sharing