General
-
Target
JaffaCakes118_6ed51ee33a2ee2f7a63e23c9fb7086879feb2ba26f203885a44d809b8452a464
-
Size
10.6MB
-
Sample
241223-y34llaznaz
-
MD5
3b31347255f5e61bec01ff4fb2eba5eb
-
SHA1
1dcccc78ea9ec4ee00f92fa9044247820d484638
-
SHA256
6ed51ee33a2ee2f7a63e23c9fb7086879feb2ba26f203885a44d809b8452a464
-
SHA512
9b2b26218eb871465de893c413a77bd141289972b83c9fe70dca7e65b61c9350924e91528272ce05c92290252c44a32b87cdfdaad202cac6d7ef053d5bce7f0b
-
SSDEEP
196608:eVGPZfdhx7Q0I11U6Ge8qJen47uk6yjtH0KkQSTY4:eGnM0EG6Je47T6yjl0KIr
Static task
static1
Behavioral task
behavioral1
Sample
65502a1c719e5ad252a349d9f5b278a415a61f88e8c049d5ff8dc828da36ad7e.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
65502a1c719e5ad252a349d9f5b278a415a61f88e8c049d5ff8dc828da36ad7e.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
socelars
http://www.ecgbg.com/
Extracted
redline
media23n
65.108.69.168:16278
-
auth_value
187686d42fe6990103297406a32ce4af
Extracted
redline
user01new
49.12.219.50:4846
-
auth_value
fcca1ed5af8553053dc74a4c6a9ce601
Extracted
metasploit
windows/single_exec
Targets
-
-
Target
65502a1c719e5ad252a349d9f5b278a415a61f88e8c049d5ff8dc828da36ad7e
-
Size
10.6MB
-
MD5
2d31d4fbad1650ec69c899a5417de3dd
-
SHA1
621ba6e8907e372798440d711126f0b0a0d8ce2f
-
SHA256
65502a1c719e5ad252a349d9f5b278a415a61f88e8c049d5ff8dc828da36ad7e
-
SHA512
ac21c3aac43864449e0c135e9466bd368fe16131ba9bd54e754c22410d2b325f2cc525c33509c7fbab5d480d36833aa3bb08d470dec37444fbad5383e362c361
-
SSDEEP
196608:xYLUCgA7XFU7WhMld/UnPejgM4YdJUB7vLzaDBuCUfvpQJfB/0Do05kWgX0q:x0dgkXFU7zCnPUgM4WUkBqRQ/BTkq
-
Detect Fabookie payload
-
Fabookie family
-
Glupteba family
-
Glupteba payload
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Metasploit family
-
Nullmixer family
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
Privateloader family
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Redline family
-
Socelars family
-
Socelars payload
-
Modifies boot configuration data using bcdedit
-
Blocklisted process makes network request
-
Drops file in Drivers directory
-
Modifies Windows Firewall
-
Possible attempt to disable PatchGuard
Rootkits can use kernel patching to embed themselves in an operating system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
2Modify Registry
5Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1