General

  • Target: Updatev4.zip
  • Size: 115.4MB
  • Sample: 241209-jhm1sawkan
  • MD5: 041634ab39ce439e46e513399ba835ec
  • SHA1: 68e3faac51bea86ff06a891553ad31cad3ef3e87
  • SHA256: 23c507d3eb066415ccf2c22491fd949d1b3aba3155648e5c3a53bcbb04444c42
  • SHA512: 8f4f83400a4e72f020ae2336144a1acf67466d17c2bd25fe08edeafe1b7a32c4713a8cc7b95f3fdd49899b151cee49eecbd700a77b270a6ca675b2ce6588cf39
  • SSDEEP: 3145728:QEZRDJf7jLrjWKrpbT9XmdBCohjY/J2JCiC2ZKbKIsFfsfgSwD:QEZRhWKrZx+hjSJF2s25NsISC

Malware Config

Extracted

  • Family: meduza
  • C2: 45.130.145.152

Attributes

  • anti_dbg: true
  • anti_vm: true
  • build_name: Oxoxox
  • extensions: .txt;.doc;.docx;.pdf;.xls;.xlsx;.log;.db;.sqlite
  • grabber_max_size: 3.145728e+06
  • port: 15666
  • self_destruct: true

Targets

    • Target: Xeno.exe
    • Size: 649.1MB
    • MD5: 3b9c084d35bedcfe4cf7b306ecbf78ac
    • SHA1: 24ae90b623cddc6666d8fca32d279f75a8c293e3
    • SHA256: d794c2ac1b5a6783f1754e61f9efa20e627e1798319210db326761d7516df88b
    • SHA512: 18b610cea4e05502b86b70008c4bd1f8f414e1d6793a1c3136181f5dfffdb2391c0d31f36dc899b393cb4d3a37ef6b9734c7c8020f13440d10b35d19fabb79b6
    • SSDEEP: 49152:c57nFOOBDBLH/oDfHqvBeROOUKGoAocLFRNAYnsL1C:c57QOBDBbcfHuSOTKGFLbNn+

    • Meduza

      Meduza is a crypto wallet and info stealer written in C++.

    • Meduza Stealer payload

    • Meduza family

    • Xmrig family

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Creates new service(s)

    • Downloads MZ/PE file

    • Stops running service(s)

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with the UPX open source packer or a modified variant of it.
