Overview
Static (score 10)

Score | Sample | Platform
10 | intro.exe | windows7-x64
1 | intro.exe | windows10-2004-x64
3 | keygen-pr.exe | windows7-x64
3 | keygen-pr.exe | windows10-2004-x64
3 | keygen-step-1.exe | windows7-x64
10 | keygen-step-1.exe | windows10-2004-x64
10 | keygen-step-3.exe | windows7-x64
3 | keygen-step-3.exe | windows10-2004-x64
3 | keygen-step-4.exe | windows7-x64
10 | keygen-step-4.exe | windows10-2004-x64
10 | keygen.bat | windows7-x64
10 | keygen.bat | windows10-2004-x64
10 | user32.dll | windows10-2004-x64
Analysis (score 3)
max time kernel: 148s
max time network: 150s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 23-12-2024 20:33
Behavioral tasks
Task | Sample | Resource
behavioral1 | intro.exe | win7-20241010-en
behavioral2 | intro.exe | win10v2004-20241007-en
behavioral3 | keygen-pr.exe | win7-20241010-en
behavioral4 | keygen-pr.exe | win10v2004-20241007-en
behavioral5 | keygen-step-1.exe | win7-20241010-en
behavioral6 | keygen-step-1.exe | win10v2004-20241007-en
behavioral7 | keygen-step-3.exe | win7-20240729-en
behavioral8 | keygen-step-3.exe | win10v2004-20241007-en
behavioral9 | keygen-step-4.exe | win7-20240903-en
behavioral10 | keygen-step-4.exe | win10v2004-20241007-en
behavioral11 | keygen.bat | win7-20240903-en
behavioral12 | keygen.bat | win10v2004-20241007-en
behavioral13 | user32.dll | win10v2004-20241007-en
General
Target: keygen-step-4.exe
Size: 5.7MB
MD5: 4d5fdccc8008f4da22d1341baa275ffe
SHA1: 89f493c70474de63eb80ab32e00bc0781c87d84d
SHA256: e8f5a52c3a638b81df8329b8862d9389714c41107ae41cf803fb9a45c4858592
SHA512: 6145556d0c8cb765f9f3e028e6ec280c0385baf4439f82c2eb458fb8b7abaa4e7ed9a9bc26c090266c3a5cd34076117a37c7ba571c3b916c7bc81ae08cd15cfb
SSDEEP: 98304:Kyp4VBxIJhMRJh66NK82XKJXAbqw6mI1YTmAPMgWMriGay+2lFDDzAMA9Z1mN:KzCJCJhxN726JXAbqwc1YTSg0j2lFXXZ
Malware Config
Signatures
Detect Fabookie payload (1 IoC)
  resource | yara_rule
  behavioral9/files/0x0005000000018706-166.dat | family_fabookie

Fabookie family

Ffdroider family

Detected Nirsoft tools (2 IoCs)
Free utilities often used by attackers which can steal passwords, product keys, etc.
  resource | yara_rule
  behavioral9/memory/2508-187-0x0000000000400000-0x000000000045B000-memory.dmp | Nirsoft
  behavioral9/memory/2840-252-0x0000000000400000-0x0000000000422000-memory.dmp | Nirsoft

Executes dropped EXE (8 IoCs)
  pid | Process
  2252 | 002.exe
  3020 | LZMA.exe
  2888 | Setup.exe
  2040 | ThunderFW.exe
  2832 | md2_2efs.exe
  2316 | hjjgaa.exe
  2508 | jfiag3g_gg.exe
  2840 | jfiag3g_gg.exe

Loads dropped DLL (24 IoCs)
  pid | Process
  2204 | keygen-step-4.exe
  2204 | keygen-step-4.exe
  2204 | keygen-step-4.exe
  2252 | 002.exe
  2252 | 002.exe
  2252 | 002.exe
  2252 | 002.exe
  2204 | keygen-step-4.exe
  3020 | LZMA.exe
  2204 | keygen-step-4.exe
  2204 | keygen-step-4.exe
  2204 | keygen-step-4.exe
  2888 | Setup.exe
  2204 | keygen-step-4.exe
  2204 | keygen-step-4.exe
  2204 | keygen-step-4.exe
  2204 | keygen-step-4.exe
  2204 | keygen-step-4.exe
  2204 | keygen-step-4.exe
  2204 | keygen-step-4.exe
  2316 | hjjgaa.exe
  2316 | hjjgaa.exe
  2316 | hjjgaa.exe
  2316 | hjjgaa.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe" | hjjgaa.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  13 | ip-api.com

  resource | yara_rule
  behavioral9/files/0x0008000000004ed7-177.dat | upx
  behavioral9/memory/2316-179-0x00000000002B0000-0x000000000030B000-memory.dmp | upx
  behavioral9/memory/2508-187-0x0000000000400000-0x000000000045B000-memory.dmp | upx
  behavioral9/files/0x0008000000004ed7-239.dat | upx
  behavioral9/memory/2316-240-0x0000000000300000-0x0000000000322000-memory.dmp | upx
  behavioral9/memory/2840-252-0x0000000000400000-0x0000000000422000-memory.dmp | upx

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 11 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 002.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | LZMA.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | md2_2efs.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jfiag3g_gg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | keygen-step-4.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Setup.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ThunderFW.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hjjgaa.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jfiag3g_gg.exe

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 2 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
  pid | Process
  2772 | cmd.exe
  484 | PING.EXE

Runs ping.exe (1 TTP, 1 IoC)
  pid | Process
  484 | PING.EXE

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid | Process
  2840 | jfiag3g_gg.exe

Suspicious use of WriteProcessMemory (46 IoCs)
  description | pid | Process | procid_target
  PID 2204 wrote to memory of 2252 | 2204 | keygen-step-4.exe | 28
  PID 2204 wrote to memory of 2252 | 2204 | keygen-step-4.exe | 28
  PID 2204 wrote to memory of 2252 | 2204 | keygen-step-4.exe | 28
  PID 2204 wrote to memory of 2252 | 2204 | keygen-step-4.exe | 28
  PID 2252 wrote to memory of 3020 | 2252 | 002.exe | 29
  PID 2252 wrote to memory of 3020 | 2252 | 002.exe | 29
  PID 2252 wrote to memory of 3020 | 2252 | 002.exe | 29
  PID 2252 wrote to memory of 3020 | 2252 | 002.exe | 29
  PID 2252 wrote to memory of 3020 | 2252 | 002.exe | 29
  PID 2252 wrote to memory of 3020 | 2252 | 002.exe | 29
  PID 2252 wrote to memory of 3020 | 2252 | 002.exe | 29
  PID 2204 wrote to memory of 2888 | 2204 | keygen-step-4.exe | 31
  PID 2204 wrote to memory of 2888 | 2204 | keygen-step-4.exe | 31
  PID 2204 wrote to memory of 2888 | 2204 | keygen-step-4.exe | 31
  PID 2204 wrote to memory of 2888 | 2204 | keygen-step-4.exe | 31
  PID 2204 wrote to memory of 2888 | 2204 | keygen-step-4.exe | 31
  PID 2204 wrote to memory of 2888 | 2204 | keygen-step-4.exe | 31
  PID 2204 wrote to memory of 2888 | 2204 | keygen-step-4.exe | 31
  PID 2888 wrote to memory of 2040 | 2888 | Setup.exe | 33
  PID 2888 wrote to memory of 2040 | 2888 | Setup.exe | 33
  PID 2888 wrote to memory of 2040 | 2888 | Setup.exe | 33
  PID 2888 wrote to memory of 2040 | 2888 | Setup.exe | 33
  PID 2888 wrote to memory of 2772 | 2888 | Setup.exe | 34
  PID 2888 wrote to memory of 2772 | 2888 | Setup.exe | 34
  PID 2888 wrote to memory of 2772 | 2888 | Setup.exe | 34
  PID 2888 wrote to memory of 2772 | 2888 | Setup.exe | 34
  PID 2772 wrote to memory of 484 | 2772 | cmd.exe | 36
  PID 2772 wrote to memory of 484 | 2772 | cmd.exe | 36
  PID 2772 wrote to memory of 484 | 2772 | cmd.exe | 36
  PID 2772 wrote to memory of 484 | 2772 | cmd.exe | 36
  PID 2204 wrote to memory of 2832 | 2204 | keygen-step-4.exe | 37
  PID 2204 wrote to memory of 2832 | 2204 | keygen-step-4.exe | 37
  PID 2204 wrote to memory of 2832 | 2204 | keygen-step-4.exe | 37
  PID 2204 wrote to memory of 2832 | 2204 | keygen-step-4.exe | 37
  PID 2204 wrote to memory of 2316 | 2204 | keygen-step-4.exe | 41
  PID 2204 wrote to memory of 2316 | 2204 | keygen-step-4.exe | 41
  PID 2204 wrote to memory of 2316 | 2204 | keygen-step-4.exe | 41
  PID 2204 wrote to memory of 2316 | 2204 | keygen-step-4.exe | 41
  PID 2316 wrote to memory of 2508 | 2316 | hjjgaa.exe | 42
  PID 2316 wrote to memory of 2508 | 2316 | hjjgaa.exe | 42
  PID 2316 wrote to memory of 2508 | 2316 | hjjgaa.exe | 42
  PID 2316 wrote to memory of 2508 | 2316 | hjjgaa.exe | 42
  PID 2316 wrote to memory of 2840 | 2316 | hjjgaa.exe | 43
  PID 2316 wrote to memory of 2840 | 2316 | hjjgaa.exe | 43
  PID 2316 wrote to memory of 2840 | 2316 | hjjgaa.exe | 43
  PID 2316 wrote to memory of 2840 | 2316 | hjjgaa.exe | 43
Processes
C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe (PID 2204)
  Command line: "C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\RarSFX0\002.exe (PID 2252)
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\002.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\RarSFX0\LZMA.exe (PID 3020)
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\LZMA.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
  C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe (PID 2888)
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe (PID 2040)
      Command line: C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\cmd.exe (PID 2772)
      Command line: cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\PING.EXE (PID 484)
        Command line: ping 127.0.0.1 -n 3
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
  C:\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe (PID 2832)
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
  C:\Users\Admin\AppData\Local\Temp\RarSFX0\hjjgaa.exe (PID 2316)
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\hjjgaa.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe (PID 2508)
      Command line: C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe (PID 2840)
      Command line: C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network

MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads