General
Target: JaffaCakes118_5159ddf4335b0e93e4b265d03549ce64d2e20081941de194f88b0ad81119d53e
Size: 9.6MB
Sample: 241224-yxdg8awnbk
MD5: 4b234d2532387c31344a285a8c03fe8f
SHA1: 68743d269f02669f473cc74f0b09fc0f4b1032c8
SHA256: 5159ddf4335b0e93e4b265d03549ce64d2e20081941de194f88b0ad81119d53e
SHA512: 32ce72e4e8110b26ce7bd49ea62865282bcfb827969315705ead6dda56990756a52847635070bf730cfd4d13e978cb690b2fecb3ec83beae5c86636d202a46db
SSDEEP: 196608:2bU+a6oj7hO5uXv74oHvCyqorV7pivZ6VlDTZ2TUBafpxsP0+:2A+89X8oH/504VlDTZ2BfLs8+
Static task: static1
Behavioral task: behavioral1
Sample: 817.exe
Resource: win7-20240903-en
Malware Config
Extracted
redline
UPD
193.56.146.78:54955
Extracted
privateloader
http://37.0.10.214/proxies.txt
http://37.0.10.244/server.txt
http://wfsdragon.ru/api/setStats.php
37.0.10.237
Extracted
socelars
http://www.iyiqian.com/
http://www.xxhufdc.top/
http://www.uefhkice.xyz/
http://www.fcektsy.top/
Extracted
metasploit
windows/single_exec
Extracted
ffdroider
http://186.2.171.3
Extracted
redline
Build2_Mastif
95.181.157.69:8552
Targets
Target: 817
Size: 9.8MB
MD5: 724f01298e921f1f7362af6b1bc31642
SHA1: e892f38da2f930133cf67533e592ded56b7d6154
SHA256: 8174d7d1e9ccf99d8a0164e39dbb7df725cbd710cf2f611d3ca4f2fdeb434535
SHA512: ee276907cf9d4a0039d3c0affdb318bf08c1b265f4b454bfc9459a923428e701efeccbae1d88c40e2bbc56e05602289aa7e142f7193f39ec4e20bb2fcb4f0953
SSDEEP: 196608:PafYtJ9mT5kszFw1d4zZkxaZzDaC0b8LP3gt82xHWPM/SJrUliFGpKERxRE50:SCJ9E5kszq4zZqwzD30biPwzUPZUliFm
-
Detect Fabookie payload
-
FFDroider payload
-
Fabookie family
-
Ffdroider family
-
Glupteba family
-
Glupteba payload
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Metasploit family
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
Privateloader family
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Redline family
-
SectopRAT payload
-
Sectoprat family
-
Socelars family
-
Socelars payload
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Detected Nirsoft tools
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
Modifies boot configuration data using bcdedit
-
Drops file in Drivers directory
-
Modifies Windows Firewall
-
Possible attempt to disable PatchGuard
Rootkits can use kernel patching to embed themselves in an operating system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter: 1
  Scheduled Task/Job: 1
  Scheduled Task: 1
Persistence
  Boot or Logon Autostart Execution: 1
  Registry Run Keys / Startup Folder: 1
  Create or Modify System Process: 1
  Windows Service: 1
  Event Triggered Execution: 1
  Netsh Helper DLL: 1
  Scheduled Task/Job: 1
  Scheduled Task: 1
Privilege Escalation
  Boot or Logon Autostart Execution: 1
  Registry Run Keys / Startup Folder: 1
  Create or Modify System Process: 1
  Windows Service: 1
  Event Triggered Execution: 1
  Netsh Helper DLL: 1
  Scheduled Task/Job: 1
  Scheduled Task: 1
Defense Evasion
  Impair Defenses: 4
  Disable or Modify System Firewall: 1
  Disable or Modify Tools: 2
  Modify Registry: 5
  Subvert Trust Controls: 1
  Install Root Certificate: 1
Credential Access
  Credentials from Password Stores: 1
  Credentials from Web Browsers: 1
  Unsecured Credentials: 1
  Credentials In Files: 1