General

  • Target

    JaffaCakes118_7e8e67a93443ca5c5d3cf22e884eea3d67dadf685a74eaf02e7ca6b25aac62ef

  • Size

    8.1MB

  • Sample

    241223-zb5v1szrar

  • MD5

    56d6e8df5b9d26878731473094326d37

  • SHA1

    059d5bf20f2322fadbf6316fa220dece2a0c45d3

  • SHA256

    7e8e67a93443ca5c5d3cf22e884eea3d67dadf685a74eaf02e7ca6b25aac62ef

  • SHA512

    cc481b562ba8dd0e1f00ea2e6facd5bbad39acee59af906e6978514351805e807077f89da0601b763e00c825fdd6abba099eb63fa9190fd9321ab6d0b8782be9

  • SSDEEP

    196608:1tSgx8MklBkCrQaao8lNc94m3r4kZBXqmS6doconxAgUhCKchh3:ugx8HdaokC856doDAgosX

Malware Config

Extracted

Family

azorult

C2

http://kvaka.li/1210776429.php
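The extracted C2 above and the file hashes this report lists can be turned directly into hunting indicators. The following is an added example, not part of the sandbox report or any vendor tooling: it indexes the submitted sample's MD5/SHA1/SHA256 and the SHA256 of each dropped file by digest, so a lookup works regardless of which hash type an EDR event carries, and it flags proxy-log requests that hit the C2 URL exactly or any other path on the C2 host. The proxy-log format (`timestamp client method url status`) and the log lines themselves are constructed for the demonstration; the hashes and the URL are the values on this page.

```python
"""IOC matcher built from the indicators in this report (added example)."""
import hashlib
from urllib.parse import urlsplit

# Digests copied from the report, lowercased: the submitted archive (MD5/SHA1/SHA256)
# and the SHA256 of every file it drops. Indexed by digest, not by file, so a single
# lookup serves whatever hash type an EDR or proxy event happens to carry.
IOC_HASHES = {
    "56d6e8df5b9d26878731473094326d37": "submitted sample",
    "059d5bf20f2322fadbf6316fa220dece2a0c45d3": "submitted sample",
    "7e8e67a93443ca5c5d3cf22e884eea3d67dadf685a74eaf02e7ca6b25aac62ef": "submitted sample",
    "2ecebded4848d7ebf8cfc435fafe324c593fe4acec71866730acecd50c1109c3": "intro.exe",
    "862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd": "keygen-pr.exe",
    "95d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199": "keygen-step-1.exe",
    "7f196afb312961e4c89fd07e3222b5b721e6ba9e00379f4faa141f113cb75059": "keygen-step-3.exe",
    "e8f5a52c3a638b81df8329b8862d9389714c41107ae41cf803fb9a45c4858592": "keygen-step-4.exe",
    "ce6afc9a209c23efea91c9ce412abd19b882c1b3ac93fd26ed746eb05aebf2ff": "keygen.bat",
    "1ba4bc4f000dd9263307357ffa42d83eb01f59bf28aec16ef2eb74e24683412e": "user32.dll (dropped copy, not the OS file)",
}

# Azorult C2 from the Malware Config section; the host is derived from the URL.
IOC_C2_URLS = {"http://kvaka.li/1210776429.php": "azorult C2 gate"}
IOC_C2_HOSTS = {urlsplit(u).hostname.lower() for u in IOC_C2_URLS}

HEX = set("0123456789abcdef")


def match_hash(digest):
    """Return the report label for an MD5/SHA1/SHA256 digest (any case), or None."""
    d = digest.strip().lower()
    if len(d) not in (32, 40, 64) or not set(d) <= HEX:
        return None
    return IOC_HASHES.get(d)


def hash_bytes(data):
    """Digests of a file's contents in the three algorithms the report lists."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def match_url(url):
    """Exact C2 URL first, then any request to the C2 host (other paths on kvaka.li)."""
    u = url.strip()
    if u in IOC_C2_URLS:
        return IOC_C2_URLS[u] + " (exact URL)"
    host = urlsplit(u).hostname
    if host and host.lower() in IOC_C2_HOSTS:
        return "azorult C2 host " + host.lower()
    return None


def scan_proxy_log(lines):
    """Flag lines of a 'timestamp client method url status' proxy log (assumed format)."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line: skip it rather than abort the scan
        ts, client, method, url = parts[:4]
        reason = match_url(url)
        if reason:
            hits.append({"ts": ts, "client": client, "method": method,
                         "url": url, "reason": reason})
    return hits


# Constructed proxy-log lines for the demonstration; not taken from the sandbox run.
SAMPLE_PROXY_LOG = [
    "2024-12-23T20:41:07Z 10.0.0.12 POST http://kvaka.li/1210776429.php 200",
    "2024-12-23T20:41:09Z 10.0.0.12 GET https://www.microsoft.com/ 200",
    "2024-12-23T20:42:15Z 10.0.0.27 GET http://KVAKA.LI/index.php 404",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
    print(match_hash("7E8E67A93443CA5C5D3CF22E884EEA3D67DADF685A74EAF02E7CA6B25AAC62EF"))
```

Two points worth noting when reusing this: the dropped `user32.dll` shares its name with a legitimate Windows DLL, so hunt for it by hash (or by its path outside `System32`), never by file name; and matching on the C2 host rather than only the exact URL catches the same gate reached under a different path, at the cost of needing a quick check that the domain has no legitimate use in your environment.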

Targets

    • Target

      intro.exe

    • Size

      144KB

    • MD5

      573a20aa042eede54472fb6140bdee70

    • SHA1

      3de8cba60af02e6c687f6312edcb176d897f7d81

    • SHA256

      2ecebded4848d7ebf8cfc435fafe324c593fe4acec71866730acecd50c1109c3

    • SHA512

      86e84be2d2b5548e72545bd374221dfa9940254cc1dcee016b52a2207c139bd0782ab712174c4dd7cfa49351360cfb124fe3bfbdd8ee45cd9ac735deb4864664

    • SSDEEP

      3072:JAJxsr//OHTE/CJ+juuVSpiVyzwLe/Nv0s:C3FJKuuV+lv0s

    Score
    3/10
    • Target

      keygen-pr.exe

    • Size

      1.7MB

    • MD5

      65b49b106ec0f6cf61e7dc04c0a7eb74

    • SHA1

      a1f4784377c53151167965e0ff225f5085ebd43b

    • SHA256

      862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd

    • SHA512

      e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da

    • SSDEEP

      49152:Apala5CynDWWmQm2qUhwLlwKeHqDDyz1v/1:AOHynDWWNPqM5KEr1

    Score
    3/10
    • Target

      keygen-step-1.exe

    • Size

      112KB

    • MD5

      c615d0bfa727f494fee9ecb3f0acf563

    • SHA1

      6c3509ae64abc299a7afa13552c4fe430071f087

    • SHA256

      95d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199

    • SHA512

      d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51

    • SSDEEP

      3072:KExRaX6raoCoCyz6/mqv1JR+yBtGOeaeWgiZq:faZ1tme++wio

    • Target

      keygen-step-3.exe

    • Size

      703KB

    • MD5

      ce25ea56c3e9ca0450231b86fd5ed130

    • SHA1

      2aec772872f0b6ce2dab37471c00a10f03abec8d

    • SHA256

      7f196afb312961e4c89fd07e3222b5b721e6ba9e00379f4faa141f113cb75059

    • SHA512

      a1b26d6da749e29187556668d61914afa7688a1e6d1616ef8d69448584c5b1e02fc1188cd1d23cbc3f0b347e9c01184b263fbb175d9b55ded2fcca0b75ae755e

    • SSDEEP

      12288:kFMlFF44Suza/MAzG4HmVqGZGkVT8T4CJi89SaHp93JcGvlvshxTmT+lU:gvnMcmq8GkVgTZJi89Sy9Z5vlvIa+l

    Score
    3/10
    • Target

      keygen-step-4.exe

    • Size

      5.7MB

    • MD5

      4d5fdccc8008f4da22d1341baa275ffe

    • SHA1

      89f493c70474de63eb80ab32e00bc0781c87d84d

    • SHA256

      e8f5a52c3a638b81df8329b8862d9389714c41107ae41cf803fb9a45c4858592

    • SHA512

      6145556d0c8cb765f9f3e028e6ec280c0385baf4439f82c2eb458fb8b7abaa4e7ed9a9bc26c090266c3a5cd34076117a37c7ba571c3b916c7bc81ae08cd15cfb

    • SSDEEP

      98304:Kyp4VBxIJhMRJh66NK82XKJXAbqw6mI1YTmAPMgWMriGay+2lFDDzAMA9Z1mN:KzCJCJhxN726JXAbqwc1YTSg0j2lFXXZ

    • Detect Fabookie payload

    • FFDroider

      Stealer targeting users of social media platforms, first seen in April 2022.

    • Fabookie

      Fabookie is a Facebook account information stealer.

    • Fabookie family

    • Ffdroider family

    • Detected Nirsoft tools

      Free utilities, often abused by attackers, that can recover stored passwords, product keys, etc.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Target

      keygen.bat

    • Size

      146B

    • MD5

      98ee725f76d72ee9e9899a3fab9ba23b

    • SHA1

      45c34541a5b0aa0bb99043f6c39f49605ec4ebd8

    • SHA256

      ce6afc9a209c23efea91c9ce412abd19b882c1b3ac93fd26ed746eb05aebf2ff

    • SHA512

      369176b70962b18910fcbb876945873fcfb9bb251e845e3e601d38b38f3998c1808f45796be01eb5a6ccc585b2533bcf2c4d1d3e2fc63fd4fabba31e3b8c5b06

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Azorult family

    • Detect Fabookie payload

    • FFDroider

      Stealer targeting users of social media platforms, first seen in April 2022.

    • Fabookie

      Fabookie is a Facebook account information stealer.

    • Fabookie family

    • Ffdroider family

    • Pony family

    • Pony, Fareit

      Pony (also tracked as Fareit) is a trojan that steals stored credentials and other information.

    • Detected Nirsoft tools

      Free utilities, often abused by attackers, that can recover stored passwords, product keys, etc.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Unsecured Credentials: Credentials In Files

      Reads credentials stored in unprotected files (MITRE ATT&CK T1552.001).

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Target

      user32.dll

    • Size

      1.6MB

    • MD5

      634fbe95ea4ef2e799b3d117dd9ec52e

    • SHA1

      09533551abefbc922b87d1c2553329abd328c387

    • SHA256

      1ba4bc4f000dd9263307357ffa42d83eb01f59bf28aec16ef2eb74e24683412e

    • SHA512

      7d3857623c2d6806ed56e436fba2aa72ee57978ed8261894c3d7bb97a9f747d87866ca1dfaa2bc21ea22de1544fe7daf223565b7f16d894d02219ea9a690b7cf

    • SSDEEP

      24576:77hFCFHT0vzImKVsVzuJJBwuCx59U4IgL5pz1:P6STzwJBwuOTU4Ia1

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks