Extracted

Extracted

Extracted

• • Target

    c606d1a98096c134a3740cb2e951990e_JaffaCakes118

  • Size

    4.2MB

  • MD5

    c606d1a98096c134a3740cb2e951990e

  • SHA1

    c6f23667b250fa98ae0f10503668e1d41d4996ac

  • SHA256

    96cfb6ff0bed243356b569d5bb44911f8214c9a63f577621b8ed4de8762576df

  • SHA512

    883715096e9c62dc7e4d5b9277de31536f0f4ac7203b2def65d2e9773de7d3b5110b2c5484a917c8bce70e3f1cbf9838ae3d09f81de2d7db2a8bfe92af95c99c

  • SSDEEP

    98304:Ibhu1zNQzrgiH7hdjJXR85svk3upL/qkyZ9RVlWtH:IluzYF7hdjJXR85svkuLyjRVlS

  Score

  10^/10

  fabookieffdroidergcleaneronlyloggerprivateloadersocelarsdiscoveryevasionloaderpersistencespywarestealertrojanupxvmprotect

  • Detect Fabookie payload

  • FFDroider

    Stealer targeting social media platform users first seen in April 2022.

    stealerffdroider

  • Fabookie

    Fabookie is facebook account info stealer.

    spywarestealerfabookie

  • Fabookie family

    fabookie

  • Ffdroider family

    ffdroider

  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    loadergcleaner

  • Gcleaner family

    gcleaner

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • OnlyLogger

    A tiny loader that uses IPLogger to get its payload.

    loaderonlylogger

  • Onlylogger family

    onlylogger

  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    loaderprivateloader

  • Privateloader family

    privateloader

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    stealersocelars

  • Socelars family

    socelars

  • Socelars payload

  • Detected Nirsoft tools

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • OnlyLogger payload

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • VMProtect packed file

    Detects executables packed with VMProtect commercial packer.

    vmprotect

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Checks whether UAC is enabled

    evasiontrojan

  • Drops Chrome extension

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • AutoIT Executable

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1behavioral2