fabookie

General

Target

JaffaCakes118_49ad58b15a86127a570834164851a3df1132e2ec578b2f6bc1c5185aab7ca7a7
Size

8.0MB
Sample

241221-x9zesaxmh1
MD5

c94a01b4621d2b7b6517525fe8a4f24e
SHA1

b3ff6d2ab6a28ec65f366d3cf468190fa34f5aa5
SHA256

49ad58b15a86127a570834164851a3df1132e2ec578b2f6bc1c5185aab7ca7a7
SHA512

c4767aa2d89831d6cd1e51e2b1e60d056e3f4382632bdfeb0dea82b12a76a40110060f4a2b406bf4c49160fbcc85048ef53b206cbe4118f169b2a65d9ae31447
SSDEEP

196608:Jo0aRRNWLwEUZRD63BgMPLGTeLasSz3UIl5HsRTQe9ytdA:Jf7LPKRGBlaqu32ke9yti

Score

10^/10

Malware Config

Extracted

Family

nullmixer

C2

http://624e4f01d3a8d.com/

Extracted

Family

socelars

C2

https://sa-us-bucket.s3.us-east-2.amazonaws.com/vsdh41/

Extracted

Family

smokeloader

Botnet

pub3

Extracted

Family

gcleaner

C2

31.210.20.149

212.192.241.16

212.192.246.217

203.159.80.49

Attributes

url_path
/software.php

/software.php

Targets

- Target
  
  JaffaCakes118_49ad58b15a86127a570834164851a3df1132e2ec578b2f6bc1c5185aab7ca7a7
- Size
  
  8.0MB
- MD5
  
  c94a01b4621d2b7b6517525fe8a4f24e
- SHA1
  
  b3ff6d2ab6a28ec65f366d3cf468190fa34f5aa5
- SHA256
  
  49ad58b15a86127a570834164851a3df1132e2ec578b2f6bc1c5185aab7ca7a7
- SHA512
  
  c4767aa2d89831d6cd1e51e2b1e60d056e3f4382632bdfeb0dea82b12a76a40110060f4a2b406bf4c49160fbcc85048ef53b206cbe4118f169b2a65d9ae31447
- SSDEEP
  
  196608:Jo0aRRNWLwEUZRD63BgMPLGTeLasSz3UIl5HsRTQe9ytdA:Jf7LPKRGBlaqu32ke9yti
Score

10^/10

nullmixer socelars aspackv2 discovery dropper execution stealer vmprotect fabookie gcleaner smokeloader pub3 backdoor loader spyware trojan
- Detect Fabookie payload
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Fabookie family
  fabookie
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gcleaner family
  gcleaner
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Smokeloader family
  smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars family
  socelars
- Socelars payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Drops Chrome extension
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  setup_installer.exe
- Size
  
  8.0MB
- MD5
  
  d79f4e5eceee0a9b3645514cc509098b
- SHA1
  
  474424ce06fbfc3c5fdcb875aecf81914e2916b6
- SHA256
  
  f5edf6fa082dbb5d2c78faf436fbc3d44df12e7edf3a7d9c4f144f400be89ebb
- SHA512
  
  37db11efa0662221014f228d71fd9f226bae68522a8525e0d05fcd4cc5ffa75cac491e72853020ea4e83077dc5a3169c29b60b73633e11fb1da5657be5142acc
- SSDEEP
  
  196608:x9fjrq8ySlNVV/fQocAKLBuqI/O/d9iBANQOnLuO3vXhBijG:xhjrq3SlzFfPcAWBHTiMQ/+PDiq
Score

10^/10

fabookie gcleaner nullmixer smokeloader socelars pub3 aspackv2 backdoor discovery dropper execution loader spyware stealer trojan vmprotect
- Detect Fabookie payload
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Fabookie family
  fabookie
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gcleaner family
  gcleaner
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Smokeloader family
  smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars family
  socelars
- Socelars payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral3 behavioral4