General

  • Target

    JaffaCakes118_51a6baae536bc1f992b146be605ddb3b3fc0dcd81432d8a483088835d76ac0d8

  • Size

    44.6MB

  • Sample

    241222-pkz11sykdr

  • MD5

    3ef4ba31d4c30415445685241e0f36c3

  • SHA1

    f34b0a9606538ad587b21da7c1b59a28ea525699

  • SHA256

    51a6baae536bc1f992b146be605ddb3b3fc0dcd81432d8a483088835d76ac0d8

  • SHA512

    0583e4ab70fd8c9dcdc1434361a09180ac4b1d4f00a00da2ea8ff30008f9328b2ffb11569941ec1b550a076e8443be347d49f0aef1c74247096d740252753da1

  • SSDEEP

    786432:B2aBzpFzzSq2rcz69WYXDzpFzzS+7FZSK72afAT3K5VKPI7:B2aBzixlsYXDziiFh72afAT65Vqg

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Targets

    • Target

      AntiPubs Dork Searcher EZ/._cache_Searcher.exe

    • Size

      7.0MB

    • MD5

      15eb4b61e2e64ac84925535dc5ffe8de

    • SHA1

      b95491efa58261ca585878238fa24d98fae41287

    • SHA256

      3b28aaf3dd8ea9623ab80e4f567e65b8bb5db686b129f27f6d9bc0907f2ed289

    • SHA512

      489751c78f8aded9a4b77eada0cccedab4d0faf50443607e17d81f65856ff77ad2842cb2ba5002e377c48fff441d86d38f74273367353fc2572a80ff980c14b5

    • SSDEEP

      98304:JyldpqU5s+h9oK4MtPSXDjLWdNo/v5LlCKly37gjA1tCJa8IRku6Fml2u:JyldD5smuMQDfUi/vXgIa8IRkZI2u

    • Modifies visibility of hidden/system files in Explorer

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      AntiPubs Dork Searcher EZ/._cache_searcher.exe 

    • Size

      6.8MB

    • MD5

      d4b43b2ce490d8786ccde6debcad2251

    • SHA1

      e88d0c6b5c336ee7c03e145532a6ce44db28af90

    • SHA256

      3aad4931bc76e1d654e5fe3fc6a1a10277b0d66190a8547782a3d7fa117ccc27

    • SHA512

      8bff940911e750f06c76c724b92de0753f4089d92f95e5d3d3659de3869a91908c6de25e480a0101d8149fcc881b71f585c39a2e9206393bb89f1f5e43bdda46

    • SSDEEP

      98304:pyldpqU5s+h9oK4MtPSXDjLWdNo/v5LlCKly37gjA1tCJa8IRku6Fml2:pyldD5smuMQDfUi/vXgIa8IRkZI2

    Score
    3/10
    • Target

      AntiPubs Dork Searcher EZ/Control.dll

    • Size

      61KB

    • MD5

      ae6283e2cd932fb4a0d8fb62ba456c14

    • SHA1

      5604e99b3f7933d9a26f56b323d84266ba0b017f

    • SHA256

      627057d1d155445a96d54b88f6100627c18a621b18a4303f211739b464ba9cba

    • SHA512

      42c59f1ffb1b9ede6ef9ec2fbf6e2a31cd2586aafe829d9781dfac7539c540aa4ce02adf0c93ddfe3ed347669f5cd4f0d5606c818a1d37989c18f0ed721a3d9d

    • SSDEEP

      768:re0APk/2frWoJwChWlSdfrNV9MLfH/jxZf2PzziPaewogJo:60AM/WrWCXdpV9MLjLf2PqLxgm

    Score
    1/10
    • Target

      AntiPubs Dork Searcher EZ/EntityFramework.SqlServer.dll

    • Size

      568KB

    • MD5

      d9d5f50534e80494b41e00d1eebe8b23

    • SHA1

      8806ec4966fb1b0aea382fe7748f048a52c8102a

    • SHA256

      f221c96eb93282b94a70a4c67e2893e1cba4b5fd2b59fededeff94e36e10ef84

    • SHA512

      115b35846531f3bf45eaefb9faa13cf26562cc5cd559e2a9a87c63081d3fc850276b75d470d1a1c5fca4421a7662c252b9b5a94bdc70a77564e7b6f77e4445d8

    • SSDEEP

      6144:x5AGCOrKPQG2p+GeqNmjaVmnS4bKO6lfksS59iyhMP4BnsSIKsHC19FSl:x2Qr1O6tJS5XhNP8l

    Score
    1/10
    • Target

      AntiPubs Dork Searcher EZ/EntityFramework.dll

    • Size

      4.8MB

    • MD5

      470be89a6db2444175461b54ad00ec72

    • SHA1

      c769097a66ca0152f16fdf5dc1f87cb9aaa23ee6

    • SHA256

      a963696a7c3c3424a566644900fec5528d0cf1bd66033a0e2d36b6e4882a7d3a

    • SHA512

      a25b38db94b9744ae1707bb1b19eef058cea6d708acff526a8062a6b99da0f0bef8568206d601a566c00707babd3a2692cc327607344e26517250f5f1f285a57

    • SSDEEP

      49152:vjEAPlqtiGV9cMONr3SZPhGYQZglnQeboZfHRI3b732:rEAPOiBNGVhtQZxAb732

    Score
    1/10
    • Target

      AntiPubs Dork Searcher EZ/Interop.WMPLib.dll

    • Size

      48KB

    • MD5

      b9f1241e02b83a443bafccf4839e4724

    • SHA1

      867e055b4ab0746590152803db2e8deb05a32d3e

    • SHA256

      16c18a3e6a5f2dd5ea7431e103f3fa76467b2b66d8166abab28d567f08584254

    • SHA512

      05dda93f7946951a560f2e0f9a2e8c200f622b292bc3ebf56e6d107df4f93f68d712fc3e362223a7815d39926eebf6b422724b4aecf54fea65443238907cb70e

    • SSDEEP

      768:8IrsruezVcdzyR38uxbYnRNhW/JZjDXNWjfqR9WBSuelqo4aZYzfdHxIfdEK:8Cot65yR3mNOJZP0CCHrFLbIfdEK

    Score
    1/10
    • Target

      AntiPubs Dork Searcher EZ/Newtonsoft.Json.dll

    • Size

      514KB

    • MD5

      c53737821b861d454d5248034c3c097c

    • SHA1

      6b0da75617a2269493dc1a685d7a0b07f2e48c75

    • SHA256

      575e30f98e4ea42c9e516edc8bbb29ad8b50b173a3e6b36b5ba39e133cce9406

    • SHA512

      289543f5eea472e9027030e24011bea1e49e91059241fe6eb732e78f51822313e47d1e4769fa1c9c7d6139f6a97dcfef2946836b3383e8643988bf8908162fb9

    • SSDEEP

      6144:ZeC37wbJmJ5bd4m15M+S50cK7q2UGu7WEYEaWdDBLH5WHxJ16Wi/h4aBTBFFu4JD:p37Ogr2VAHx7JijBZdPfP

    Score
    1/10
    • Target

      AntiPubs Dork Searcher EZ/Searcher.exe

    • Size

      7.7MB

    • MD5

      89b8241a6504c5f75684558cf8262c92

    • SHA1

      f2572052d0905be7c6df457564f7815419f4a225

    • SHA256

      2d1ce8a3c009c75c31057b02b0fabe91e479ce28d42ac146301e7b7a5944c9de

    • SHA512

      5a05c1d3eb88279329c0a93bd5473732be9d48a0d96527be70d6df04b53d3b386a1282f427e2485d8e1ea34815f38f5e74801b4dcbf6eaaa21c6519a0cecc34b

    • SSDEEP

      98304:Tnsmtk2aDyldpqU5s+h9oK4MtPSXDjLWdNo/v5LlCKly37gjA1tCJa8IRku6FmlC:rLKyldD5smuMQDfUi/vXgIa8IRkZI2N

    • Modifies visibility of hidden/system files in Explorer

    • Xred

      Xred is a backdoor written in Delphi.

    • Xred family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      AntiPubs Dork Searcher EZ/System.Data.SQLite.EF6.dll

    • Size

      182KB

    • MD5

      b02b80d5f34a4f66b647643a89b29d01

    • SHA1

      b3187f70d19d9832f999d92e5aa7619cb6167b83

    • SHA256

      f5369ce6e06afdaaab36c38661fb63f844bcbdc6dc32379f05776b3f4b041b63

    • SHA512

      f292ffe3d1bca16bedc732d70f909233a49c0cd0f4f5e5ea1b2566337d95f6eef3bb0e19e03ea5a639f4cb286bd8ae6fc01793ff8df27e7479125b14dd42a801

    • SSDEEP

      1536:/EyUY5ArG1Cl6KP8c+GLE0vD0UZDZ+M8WmAaDO/zxOkFabge9lh0Ef:/Eq5AOy6KP8clLEkuOcO8MaZ9T3f

    Score
    1/10
    • Target

      AntiPubs Dork Searcher EZ/System.Data.SQLite.Linq.dll

    • Size

      182KB

    • MD5

      0fa3a80ce77a716af650173656e37404

    • SHA1

      3082ac94131c6e467fa89a032140c54b8aa8e879

    • SHA256

      2859ed64f5d0a430e726253b2f4258ad53b8ebd41a61ad0537104c5c86e3e7bb

    • SHA512

      2679f6a821a15ec3b2fc38b3d55a0639ac3e06286e2647766c2922d6975bda80fe4c29a8bae3d200f8d184bc95a75bdcc530a5831de5cd0ca151e29ee2171a8d

    • SSDEEP

      1536:jyUY5ArG1il3wtz6KP8cCwcINAaDOpzxOkWabge9lh0E3:jq5AOK06KP8cxfycOmLaZ9T33

    Score
    1/10
    • Target

      AntiPubs Dork Searcher EZ/System.Data.SQLite.dll

    • Size

      312KB

    • MD5

      7c680b024e667410c463ae38a92f8621

    • SHA1

      708ccdbb03c76d60bb696c7f60a3f17f4a1f2b6f

    • SHA256

      ed8a3599be994c4ba948932332610f59069996df47478b569790984871e0a4f5

    • SHA512

      bbee86d70cdfdbe24a04061cab352ee2131adbbafff6ea64c31e740016eeed1111a7549c25e2c2e1fed37382d6deb85e4af4050fcb55d462f282f47a909441f5

    • SSDEEP

      6144:YRrKwje8qXXIEmFNFaFeFOFwcGF6cmFWc0FWc8cIcKcUFJFpcNcHc7cbchFFc5cq:UrKwjTqXCFNFaFeFOFwcGF6cmFWc0FWN

    Score
    1/10
    • Target

      AntiPubs Dork Searcher EZ/Update.exe

    • Size

      893KB

    • MD5

      f0f73959988dd4d41de1445fb9075b6f

    • SHA1

      a39d5fe0e269c062c1b7c64be09db16508f6cc4b

    • SHA256

      f7c2e8367293c26805ea8f0efed61aba293a970eeab7883b7c40619499e4fc85

    • SHA512

      bff75fa90f703faf4682061bdd609844d98d64b07b0109091f7c2983e4e1459a702e30a4ee06aa036c0e6bc7a508f39a0c6b95a2c27d25df343b4137deb0520c

    • SSDEEP

      12288:UMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V94vFUNDasQ:UnsJ39LyjbJkQFMhmC+6GD9AFOaP

    • Modifies visibility of hidden/system files in Explorer

    • Xred

      Xred is a backdoor written in Delphi.

    • Xred family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      AntiPubs Dork Searcher EZ/War.dll

    • Size

      50KB

    • MD5

      b06ab846e14c6dfe0fbd20ba0e62e56b

    • SHA1

      7d8c051da3c25530c5659a0e79c24ef430d8e07a

    • SHA256

      76ed40d5774a0167e2a111e7a4e90d346aed800c38e4980bf38d9e3deadb14e8

    • SHA512

      d9483f6a2143501bc1e701dc9e22d25aa1b68e9ab570c2bb15ceec8fb4f47f9a4c831c936746be0e00360a0ebf866b193fd91efeac53513966c8ec40fc97e266

    • SSDEEP

      768:0h8Z7aIZfqp1NQRSApggn5kI7FaQB1GiwOv+ay:28ZGufUGagn5kIZaU1GK+a

    Score
    1/10
    • Target

      AntiPubs Dork Searcher EZ/searcher.exe 

    • Size

      6.8MB

    • MD5

      d4b43b2ce490d8786ccde6debcad2251

    • SHA1

      e88d0c6b5c336ee7c03e145532a6ce44db28af90

    • SHA256

      3aad4931bc76e1d654e5fe3fc6a1a10277b0d66190a8547782a3d7fa117ccc27

    • SHA512

      8bff940911e750f06c76c724b92de0753f4089d92f95e5d3d3659de3869a91908c6de25e480a0101d8149fcc881b71f585c39a2e9206393bb89f1f5e43bdda46

    • SSDEEP

      98304:pyldpqU5s+h9oK4MtPSXDjLWdNo/v5LlCKly37gjA1tCJa8IRku6Fml2:pyldD5smuMQDfUi/vXgIa8IRkZI2

    Score
    3/10
    • Target

      AntiPubs Dork Searcher EZ/x64/SQLite.Interop.dll

    • Size

      1.4MB

    • MD5

      7ba0f41c37f7835094d4bd1aef92eda4

    • SHA1

      81af2d7ffec9d99fc0f54ae765fe8ec8f32aacf3

    • SHA256

      9db8e965935be690988bf290ac11b01ce5508adb9945b4bd74f033a178f40f06

    • SHA512

      9ed64c83222007e8ace264c930606e861ee05c53f2d0b5a6c252c116a2426dcce7929ced0c0ffc4d260b3d440619e31e8bd3e0a77a8b5f7fe7ce0e81e4cd621e

    • SSDEEP

      24576:oxvuMV4Y/rHl2MY3BoBBWz/8BkCXCU2zSmM:Y/roMSoB+EmCXCUe

    Score
    1/10
    • Target

      AntiPubs Dork Searcher EZ/x86/SQLite.Interop.dll

    • Size

      1.1MB

    • MD5

      544ef841728185f7a4766e5f12b290f2

    • SHA1

      744c3032c5d6b2bce2883a9f937ac1f4d941da00

    • SHA256

      2fe073d8b5b42f18b4009340538148b12aed7e4903c6a62822f7cedfb558fa8b

    • SHA512

      65201c85e7fb7adefcd57692fd68dd5625c88a58d59c8344c29d8f28255d173bfe8846e794bb9a30c8f9e0599f38dbf482fe5235431e1c4e86b86a78bc1203fc

    • SSDEEP

      24576:7VvYDXUSpZtNn0kzPp/nAsHi7fjkBl5u:7IXUkW6o

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks

static1

pdf link xred
Score
10/10

behavioral1

discovery evasion persistence
Score
10/10

behavioral2

discovery evasion persistence
Score
10/10

behavioral3

discovery
Score
3/10

behavioral4

discovery
Score
3/10

behavioral5

Score
1/10

behavioral6

Score
1/10

behavioral7

Score
1/10

behavioral8

Score
1/10

behavioral9

Score
1/10

behavioral10

Score
1/10

behavioral11

Score
1/10

behavioral12

Score
1/10

behavioral13

Score
1/10

behavioral14

Score
1/10

behavioral15

xred backdoor discovery persistence
Score
10/10

behavioral16

xred backdoor discovery evasion persistence
Score
10/10

behavioral17

Score
1/10

behavioral18

Score
1/10

behavioral19

Score
1/10

behavioral20

Score
1/10

behavioral21

Score
1/10

behavioral22

Score
1/10

behavioral23

xred backdoor discovery evasion persistence
Score
10/10

behavioral24

xred backdoor discovery evasion persistence
Score
10/10

behavioral25

Score
1/10

behavioral26

Score
1/10

behavioral27

discovery
Score
3/10

behavioral28

discovery
Score
3/10

behavioral29

Score
1/10

behavioral30

Score
1/10

behavioral31

discovery
Score
3/10

behavioral32

discovery
Score
3/10