PDB Path: D:\workspace\workspace_c\shellcode_ms\ResourceVerCur\x64\Release\ResourceVerCur.pdb

Behavioral task: behavioral1
Sample: 0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe
Resource: win7-20240903-en
General
Target: JaffaCakes118_820eae6104c5aa7150917a53e25fd0be9633bcbb7120ea680967a52467e41249
Size: 1.7MB
MD5: 6e4586a5064bd13fd5058b93dbca52aa
SHA1: e04e3a81881e36ebe09f27ff1c07a739fc69f278
SHA256: 820eae6104c5aa7150917a53e25fd0be9633bcbb7120ea680967a52467e41249
SHA512: 2d217a38cbab6df137751a8823edd60687b8ffc3d84a0f3c13a027bd6739b52de2ac23c2f73e4a1481c26a71b085b1c01a70fd14fa45e7ab7893822af0318ece
SSDEEP: 49152:X2UGSowazjQaQGmjESgsdkBHr1mUrVZDL:X2UGxwazNdmQFBrrZX
Malware Config
Signatures
- Detect Fabookie payload (1 IoC)
  resource yara_rule static1/unpack001/0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8 family_fabookie
- Fabookie family
- Detected Nirsoft tools (1 IoC)
  Free utilities often used by attackers which can steal passwords, product keys, etc.
  resource yara_rule static1/unpack001/0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8 Nirsoft
- NirSoft WebBrowserPassView (1 IoC)
  Password recovery tool for various web browsers
  resource yara_rule static1/unpack001/0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8 WebBrowserPassView
- Unsigned PE (1 IoC)
  Checks for missing Authenticode signature.
  resource unpack001/0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8
Files
- JaffaCakes118_820eae6104c5aa7150917a53e25fd0be9633bcbb7120ea680967a52467e41249.zip
  Password: infected
- 0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe (windows:6 windows x64 arch:x64)
  23e911f9a82ac0d345fa6cc9104b6bf4
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
PDB Paths
Imports
kernel32
GetTempPathA
GetLastError
WinExec
lstrlenW
FormatMessageW
LocalFree
AreFileApisANSI
ReadFile
TryEnterCriticalSection
HeapCreate
HeapFree
EnterCriticalSection
GetFullPathNameW
WriteFile
GetDiskFreeSpaceW
LockFile
LeaveCriticalSection
InitializeCriticalSection
SetFilePointer
GetFullPathNameA
SetEndOfFile
UnlockFileEx
GetTempPathW
CreateMutexW
WaitForSingleObject
CreateFileW
GetCurrentThreadId
UnmapViewOfFile
HeapValidate
HeapSize
MultiByteToWideChar
GetDiskFreeSpaceA
GetFileAttributesA
GetFileAttributesExW
OutputDebugStringW
CreateFileA
LoadLibraryA
WaitForSingleObjectEx
DeleteFileA
DeleteFileW
HeapReAlloc
CloseHandle
GetSystemInfo
LoadLibraryW
HeapAlloc
HeapCompact
HeapDestroy
UnlockFile
GetProcAddress
CreateFileMappingA
LockFileEx
GetFileSize
DeleteCriticalSection
GetCurrentProcessId
GetProcessHeap
SystemTimeToFileTime
FreeLibrary
WideCharToMultiByte
GetSystemTimeAsFileTime
GetSystemTime
FormatMessageA
CreateFileMappingW
MapViewOfFile
QueryPerformanceCounter
GetTickCount
FlushFileBuffers
GetFileAttributesW
FindResourceW
LoadResource
LockResource
FreeResource
Sleep
GetStringTypeW
EncodePointer
DecodePointer
GetCPInfo
SetLastError
InitializeCriticalSectionAndSpinCount
CreateEventW
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetModuleHandleW
CompareStringW
LCMapStringW
GetLocaleInfoW
InitializeSListHead
SetEvent
ResetEvent
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
IsDebuggerPresent
GetStartupInfoW
QueryPerformanceFrequency
GetCurrentThread
GetThreadTimes
RtlUnwindEx
InterlockedPushEntrySList
RtlPcToFileHeader
RaiseException
LoadLibraryExW
CreateThread
ExitThread
FreeLibraryAndExitThread
GetModuleHandleExW
ExitProcess
GetModuleFileNameW
GetStdHandle
GetFileSizeEx
SetFilePointerEx
GetFileType
GetConsoleOutputCP
GetConsoleMode
GetDateFormatW
GetTimeFormatW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
ReadConsoleW
GetTimeZoneInformation
FindClose
FindFirstFileExW
FindNextFileW
IsValidCodePage
GetACP
GetOEMCP
GetCommandLineA
GetCommandLineW
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
SetStdHandle
WriteConsoleW
OutputDebugStringA
SizeofResource
RtlUnwind
advapi32
RegCloseKey
RegSetValueExW
RegOpenKeyExW
RegCreateKeyW
shell32
SHGetFolderPathW
winhttp
WinHttpQueryHeaders
WinHttpReadData
WinHttpOpenRequest
WinHttpSetOption
WinHttpCloseHandle
WinHttpAddRequestHeaders
WinHttpQueryAuthSchemes
WinHttpGetProxyForUrl
WinHttpSendRequest
WinHttpSetCredentials
WinHttpConnect
WinHttpQueryDataAvailable
WinHttpReceiveResponse
WinHttpOpen
WinHttpGetIEProxyConfigForCurrentUser
Sections
.text   Size: 955KB  Virtual size: 955KB  Flags: IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  Size: 215KB  Virtual size: 214KB  Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   Size: 23KB   Virtual size: 36KB   Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata  Size: 34KB   Virtual size: 33KB   Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA  Size: 512B   Virtual size: 148B   Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc   Size: 851KB  Virtual size: 850KB  Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  Size: 576KB  Virtual size: 580KB  Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE