General

  • Target

    JaffaCakes118_4bb31847846180bf78033b5eb7761b874b114f6dd086862472915be761fc042a

  • Size

    8.7MB

  • Sample

    241225-b33yqstlcy

  • MD5

    5eb1036bb35ae755376ba3d22001e238

  • SHA1

    d72bdb22a8d47fa3d50a25ff9704feaf1393a8cc

  • SHA256

    4bb31847846180bf78033b5eb7761b874b114f6dd086862472915be761fc042a

  • SHA512

    9215f3fcf99d9f2ee43ef6e552123128520e2601bd17f664385bb01f050b4ad8fec7ad9316967a359ec79c404cc911a5d3861634310e116d55930e5aa97baecd

  • SSDEEP

    196608:2sNwxyEw6x/zafOHy/8di4tBgTCuPTRjt4zmII65yQWK3esMyir7S3C2Y8JTW:2eqyP0/zamHZU6+Rjtsm165JeeirmS3

Malware Config

Extracted

Family

socelars

C2

https://sa-us-bucket.s3.us-east-2.amazonaws.com/ujfreids61/

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

gcleaner

C2

37.0.8.39

31.210.20.149

212.192.241.16

203.159.80.49

Attributes
  • url_path

    /software.php

Extracted

Family

smokeloader

Botnet

pub3

Extracted

Family

raccoon

Botnet

8a83f2689674308992d5090432708aae

C2

http://91.242.229.166/

Attributes
  • user_agent

    record

  • rc4.plain
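The extracted configs above give three usable network indicators: the Socelars S3 bucket prefix, four GCleaner IPs that serve /software.php, and the Raccoon C2 IP that is contacted with the User-Agent "record" (SmokeLoader has no C2 in the extracted config, so it is not represented). As an added example that is not part of the sandbox report, the script below sweeps proxy log lines for those indicators. The log line layout and the sample lines are constructed for the example; the bucket is matched on its full prefix only, because the amazonaws.com host itself is legitimate, and the path and User-Agent are used to raise confidence on an IP hit rather than as standalone indicators, since both strings are too generic to alert on by themselves.

```python
"""Sweep proxy log lines for the C2 indicators extracted in this report.
Added example, not part of the sandbox output; log format and sample lines
are constructed."""
import re
from urllib.parse import urlsplit

# Indicators copied from the Malware Config section.  Only Socelars gives a
# full URL prefix; GCleaner and Raccoon are keyed on bare IP addresses, with
# the extracted path / User-Agent used to raise confidence (both are far too
# generic to be indicators on their own).
IOCS = {
    "socelars": {
        "url_prefixes": ("https://sa-us-bucket.s3.us-east-2.amazonaws.com/ujfreids61/",),
    },
    "gcleaner": {
        "hosts": {"37.0.8.39", "31.210.20.149", "212.192.241.16", "203.159.80.49"},
        "paths": {"/software.php"},
    },
    "raccoon": {
        "hosts": {"91.242.229.166"},
        "user_agents": {"record"},
    },
}

# Assumed line layout: <timestamp> <client-ip> <method> <url> "<user-agent>"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

# Constructed sample log; none of these lines come from the sandbox run.
SAMPLE_LOG = """\
2024-12-25T02:33:01Z 10.0.0.15 GET https://sa-us-bucket.s3.us-east-2.amazonaws.com/ujfreids61/config.txt "Mozilla/5.0"
2024-12-25T02:33:02Z 10.0.0.15 GET https://sa-us-bucket.s3.us-east-2.amazonaws.com/someone-else/file.bin "Mozilla/5.0"
2024-12-25T02:33:05Z 10.0.0.15 GET http://37.0.8.39/software.php "Mozilla/5.0"
2024-12-25T02:33:06Z 10.0.0.15 POST http://91.242.229.166/ "record"
2024-12-25T02:33:07Z 10.0.0.22 GET http://91.242.229.166/ "Mozilla/5.0"
2024-12-25T02:33:08Z 10.0.0.22 GET http://example.org/software.php "record"
"""


def parse_line(line):
    """Split one log line into its fields; returns None for lines that do not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, url, ua = m.groups()
    parts = urlsplit(url)
    return {"ts": ts, "client": client, "method": method, "url": url,
            "host": parts.hostname or "", "path": parts.path or "/", "ua": ua}


def classify(rec):
    """Return (family, confidence) if the record hits an indicator, else None."""
    if any(rec["url"].startswith(p) for p in IOCS["socelars"]["url_prefixes"]):
        return ("socelars", "high")  # exact bucket prefix, never the whole S3 host
    g = IOCS["gcleaner"]
    if rec["host"] in g["hosts"]:
        return ("gcleaner", "high" if rec["path"] in g["paths"] else "medium")
    r = IOCS["raccoon"]
    if rec["host"] in r["hosts"]:
        return ("raccoon", "high" if rec["ua"] in r["user_agents"] else "medium")
    return None


def scan(log_text):
    """Run every parseable line through classify(); returns the list of hits
    as (family, confidence, client_ip, url)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify(rec)
        if verdict is not None:
            hits.append((verdict[0], verdict[1], rec["client"], rec["url"]))
    return hits


if __name__ == "__main__":
    for family, conf, client, url in scan(SAMPLE_LOG):
        print(f"{conf:6} {family:9} {client:12} {url}")
```

Run against the constructed log it reports four hits: the bucket fetch, the GCleaner /software.php request, a high-confidence Raccoon beacon from 10.0.0.15 and a medium-confidence one from 10.0.0.22; the request for another bucket path and the /software.php request to an unrelated host are ignored.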

Targets

    • Target

      7zS8A52FD1B/62a1ea227dc1c_17ee33ef3.exe

    • Size

      157KB

    • MD5

      13fd49b3e1c7abe59a321d34a983fa1d

    • SHA1

      d68d156faa3dd348d89064c1b5026990b25d9c73

    • SHA256

      9542ce09286e69fe0a1270f0b017639139ece09287496dfe07b7c44ad897c476

    • SHA512

      ddd506fda604e68063268d644963650bc3e0fe987f59c52a08ed2c82ae5dedce1789a378645e8f7f851c74f75b8ee8ed80efb2c0c00ebdb6bfa5933d8ad0f4b6

    • SSDEEP

      1536:xoMuhIJR1pTAco0UVi9P9z9Fb04gpmWjZlv8gogqrxMv:SyA0+KP9x504gpllEgOxY

    Score
    6/10
    • Legitimate hosting services abused for malware hosting/C2

    • Target

      7zS8A52FD1B/62a1ea23342ae_c77562.exe

    • Size

      242KB

    • MD5

      2db62b3e5088b61ead161e0482b2f6f2

    • SHA1

      a13b707e24ae6269631ce1099263cbc793f4b2a1

    • SHA256

      c277eac5a2f147b839219c2327a2d7e6c85be9dabe91c8a92b553e2cadc9e3c3

    • SHA512

      9c287e38c61c28ee0fce45b8734a979d6c74dbdd8648327ac7f7d24e9a2c07736eff70f2f8ca33ddd6196d4b629865ae35abd0de8e784e989179618aa1d72774

    • SSDEEP

      3072:LyNmHuLQGp1UZrvGclc9IkKU8enb53svodWYkLlMYSoJ7iNE:KSFYIj2b+BYAMAJ7iO

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Target

      7zS8A52FD1B/62a1ea23da745_6e68c9a.exe

    • Size

      312KB

    • MD5

      0cad21764fe956f3028096ff3ff37549

    • SHA1

      09ceb67ca8d995e8811e6f0d13f7b01377f7f8c5

    • SHA256

      f65a68dcc63bd141e3a6619ed81b9c0ff3a5492ebd73034f8c794681f1875e3e

    • SHA512

      4733ea55c8aa918cd7dc35bfb97f5b9f59653244bae98caa3b9d4c7c60f8d7d249e8c20b191345923aa0db60137a0a04b8b20f589bef164076e2f8ec89529542

    • SSDEEP

      6144:ypW7afwwJWPtN8bQITbbvLfL7C+E32tVEPv:0JUtN8bHTbvz7C+EUEPv

    Score
    7/10
    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Target

      7zS8A52FD1B/62a1ea243386e_a4f8a5d8a.exe

    • Size

      1.6MB

    • MD5

      cc75df8a243cb6e1da5fadcd7c4a8c22

    • SHA1

      ca94e6e283dadf7833e780cf8924a30012ed1b08

    • SHA256

      c3e36a105ba6e93adadc98a053af88c78cdfe5c2936ced3766c4cfcdabb6d91f

    • SHA512

      a801f713ed7ad4ffc7daa878585ea2992563407ce19f3e23b2a8c32a1f488e7848eb86c022d6bda0c7e02fdbf8b4c9f88c53aae5626fddd29a63e16d72ae63f8

    • SSDEEP

      24576:IS4zsuLdn+4/xa0LGqMZVdq0+HEOpAV+fBVIyzX1qYDfaPPwpEDSMEv4MoQwSyqF:Izu4/xa0Ervq1JVtlVOmonVq5XD

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

    • Raccoon family

    • Suspicious use of SetThreadContext

    • Target

      7zS8A52FD1B/62a1ea2501f48_0371f5.exe

    • Size

      173KB

    • MD5

      72968341a0de08313bc9ab626d212f91

    • SHA1

      f893e4510e600ff3b6d33cea85571fa26c270606

    • SHA256

      ef9863d5358896238ef682130b38511033fd9f14354263326dd000b39358c4b4

    • SHA512

      1fe2a7a5fc1e32d4a581efd8148b66525adf3249c02fe3811b24f620c1e3c8af926cabca5ad07d59740e6480a0cb3833db87cc2354ac22cbade57924eaff6346

    • SSDEEP

      3072:vEvswXh+XQDAWr1do5L3sGU7glVtmX9MrpiT:cvXh+AsWYxsGU7glnmX90w

    • Target

      7zS8A52FD1B/62a1ea2a20759_b7a66dc968.exe

    • Size

      1.6MB

    • MD5

      c4bc22a23300c3e7db1fae03e00610a5

    • SHA1

      0f8d2471d510434d0338fa204c7863a5a6e17190

    • SHA256

      d866f133333b259ea1aaaa838bd6f26a28798d440ce4531cd90b0497ea92d869

    • SHA512

      fa629c9f18ff2cfd07c4da7065a544d84b4dc823c8b542863525eafcf9ad62a74f5f1fdbd6e1f0609135f258b0ffe01b136b614e8bd0d669d0a5ea4052bd3fc6

    • SSDEEP

      24576:IAOcZwXYCK7Y8YO8BTZqQtraKaNiFIGoLsItGxeTqHvveUBym:m7MT89Zr2zuNoLtQxeTqvv

    Score
    7/10
    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Loads dropped DLL

    • Target

      7zS8A52FD1B/62a1ea2b65292_c4804f5141.exe

    • Size

      288KB

    • MD5

      f902561ae91aad8b234cddf38401cad1

    • SHA1

      cc3e9aadce50c820f147b194ba558b2abf25c16b

    • SHA256

      6bdf30e72d6f74a83a5ce0a84202aab030db0ffd61850fe9154eceaabc282e65

    • SHA512

      c9170b3f855f2721c3f713776b65da69ac51ddf9109fa4a2bef18174ed96cbbb7c9faab5e57f44347a85d8a6b7d8e5958a23f4e19db5209fda4ea4860f5abd30

    • SSDEEP

      3072:R+/i4EOpQnGVgi0DY+enMi8Qd0pRfI7aR+RLLMfppro5ydpjYUxGQ5:D4nVd0MMi/Gp2+R+RLLMfP0QpjYUsu

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    • Gcleaner family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Deletes itself

    • Target

      7zS8A52FD1B/62a1ea2d09364_3056ccd.exe

    • Size

      3.7MB

    • MD5

      e77f09a338e643ee05ad09e367eedf73

    • SHA1

      6777cd291ece93e16aa95c3e60b63d46b1b142bd

    • SHA256

      f32c3414f14e0b4c08183af08702736a2ed18c99101d5ee1bc5bc5e8ee3c8982

    • SHA512

      53f59267e4bfe862e51edb0fd7d356485a7349e7ccd6439c6c88bda921a67909a36efd1690d06fe3c30c8a4433d5c4c1a34c30b928cb29ec45b08045ef4f5747

    • SSDEEP

      98304:cTuZYsUpMZzlBC5ngscs0r0aAcsiddcE:Nb8KByng80gt

    • Detect Fabookie payload

    • Fabookie

      Fabookie is a Facebook account information stealer.

    • Fabookie family

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      7zS8A52FD1B/62a1ea2df066e_add786971.exe

    • Size

      172KB

    • MD5

      fa026e2025aee68f7a28808eba6f09af

    • SHA1

      28033d304e34b1989d6e6214f962b937f7359856

    • SHA256

      06760e7403eeb738fc2cd8c2c9d1597ce9628294332aa66d85f6630659a2486c

    • SHA512

      8b206e0ee721a74dbd5f6da921f3e7ed176c048e4814768b5c620c5e90581e7d0279d2603033f5cc98917ad537a87ec459a39f057c8e2beb8d7204e282c2f038

    • SSDEEP

      1536:BgNCgaC57gj3z3FL92Qwo5IUJcmH9y9gFtBP51/gpWDtHEOrA3z:uND570j3FL9rwo5r3H+8HgsDd7y

    • Target

      7zS8A52FD1B/62a1ea2f0beee_36a9ec29c.exe

    • Size

      752KB

    • MD5

      900f331bf9be262f435df1bb572ee038

    • SHA1

      637b3346cb8fd3f415de6b2b14b0dddb3f89df95

    • SHA256

      b1ac45bc5a2dbd25ad6ccf46f8162ee261796616169d9878924b36ae0c6313f2

    • SHA512

      f466cb8bee9911d36261fa230114b0edfb00c70cd256e4662781eaf5b6756062126afd81edf3618804e01c8ba8ff2fc3de6acde83c9528382248513d006ccdc5

    • SSDEEP

      12288:VQi3IG+zy2Ac6m6UR0IVkmp1hf39Wkv8xwJA:VQiYG+zy2AzHIVXpdUMA

    Score
    7/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      7zS8A52FD1B/62a1ea2fb0309_1d35870d.exe

    • Size

      212KB

    • MD5

      8595eb1a87c49b9b940b46524e1fdf87

    • SHA1

      59622f56b46c724876fce597df797512b6b3d12d

    • SHA256

      77596040b690af4836406a17c20a69cd5093fd0c470b89df209a26694141bd4c

    • SHA512

      cd6a7e25982bdf24ebc34c15b1465dfd8ed7be51f6a8d529309f5aabc811e6a6dd7914c4d6353add01daef8c1f4aaee1002c3f39937998df21d3abadb50535d4

    • SSDEEP

      6144:ZDSzP2zTFdXDMtNTVTK6cb5oW36fdaeSZC4:ZO2zxdX4tdJOdoe2LSZC

    • Detects LgoogLoader payload

    • LgoogLoader

      A downloader capable of dropping and executing other malware families.

    • Lgoogloader family

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    • Target

      7zS8A52FD1B/62a1ea319013f_e64e1ff.exe

    • Size

      1.4MB

    • MD5

      72610bbb73a1f4d4e79ad7476a493ef8

    • SHA1

      d63fa30ab6d612da64da1ceb3557ec7d4270100a

    • SHA256

      fe3b8aa7ce7730aecb8f8477324fec6b024408fb335e3ce29ad9ec3b7f22bcaa

    • SHA512

      9ee12fb68a582f2d520840c06c454ebaefe24f5b02601f9438b093573e420864b2612139037d9c60f159ecc598b1558f8473d40b4ca9cbe5130145fcbed3b680

    • SSDEEP

      24576:k6pYjfuKDGp9FGF3KUK2pdAlLnbYt6GH7LPv1l1QUeRnHWON5bb7YrLs:TpMRGe/4ebLPv1leUQHXbb7iLs

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars family

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      7zS8A52FD1B/62a1ea3215fd5_67a668.exe

    • Size

      78KB

    • MD5

      923ba5913c151121517c52f609242616

    • SHA1

      7976305e7afb69e70cca1b29b3e9436b2cd08e25

    • SHA256

      5d4b830ec56d8bbfdb305e904e6c0f00fc1744a1c7c15e8c71265d08c3aa35e0

    • SHA512

      7e03947d789f40aacd131287d445d0e3dbe95e9ff1e6ceea211009c3424ae55884365119aa46e1bef4cc0adba108a036d9c3330ef6f3acf2f97e0f83f7a0a202

    • SSDEEP

      1536:6a9hRWNvAcqdJQG62hXkv09ADrXjJ85q2+3MbBvd2csWfcde20JxPeED:zr8v7qdJQGx/9ADrXja02VB12fe2WxGG

    Score
    3/10
    • Target

      7zS8A52FD1B/libgcc_s_dw2-1.dll

    • Size

      113KB

    • MD5

      9aec524b616618b0d3d00b27b6f51da1

    • SHA1

      64264300801a353db324d11738ffed876550e1d3

    • SHA256

      59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

    • SHA512

      0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

    • SSDEEP

      3072:nti6N0WeF35Ro7hAWP6cagLSuf6LG3qSbKE4M:ti6N2F33wGJVuHuE

    Score
    3/10
    • Target

      7zS8A52FD1B/libstdc++-6.dll

    • Size

      647KB

    • MD5

      5e279950775baae5fea04d2cc4526bcc

    • SHA1

      8aef1e10031c3629512c43dd8b0b5d9060878453

    • SHA256

      97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

    • SHA512

      666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

    • SSDEEP

      12288:ZGRoW1chMjnv+gvJhb6bmpPSmCnh4o0v4Mc2jTrKoDSwq/3PmkfT4CmwcMcP1uE:uowcmBhKmlC4o0v4k1

    Score
    3/10
    • Target

      7zS8A52FD1B/libwinpthread-1.dll

    • Size

      69KB

    • MD5

      1e0d62c34ff2e649ebc5c372065732ee

    • SHA1

      fcfaa36ba456159b26140a43e80fbd7e9d9af2de

    • SHA256

      509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

    • SHA512

      3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

    • SSDEEP

      1536:xPCESXKWzkxTz8uLfdkWr2sUX8YNKykl1wwwwUXrMZE4cYdz:x6baWwxH8EzSHYZE4cYdz

    Score
    3/10
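Before working from the report, confirm that a locally acquired copy of the sample, or of any file carved out of the 7zS8A52FD1B SFX archive, is really the object described here. The script below is an added example, not part of the sandbox output: it recomputes the MD5, SHA1, SHA256 and SHA512 digests listed in the General and Targets sections and reports any mismatch. The EXPECTED table carries two entries copied from this report (the parent sample and the RedLine component); extending it with the other targets is mechanical. The file path handling in main() is an assumption, and SSDEEP is left out because fuzzy hashing has no stdlib implementation.

```python
"""Recompute the digests this report lists for a local copy of the sample or
a dropped file and flag any that do not match.  Added example, not part of
the sandbox output; path handling in main() is an assumption."""
import hashlib
import sys

# Digest algorithms listed in the report.  SSDEEP is omitted: it is a fuzzy
# hash with no stdlib implementation (the third-party ssdeep package is needed).
ALGOS = ("md5", "sha1", "sha256", "sha512")

# Expected values copied verbatim from the report, keyed by SHA256.
EXPECTED = {
    # parent sample, JaffaCakes118_4bb3...
    "4bb31847846180bf78033b5eb7761b874b114f6dd086862472915be761fc042a": {
        "md5": "5eb1036bb35ae755376ba3d22001e238",
        "sha1": "d72bdb22a8d47fa3d50a25ff9704feaf1393a8cc",
        "sha512": "9215f3fcf99d9f2ee43ef6e552123128520e2601bd17f664385bb01f050b4ad8fec7ad9316967a359ec79c404cc911a5d3861634310e116d55930e5aa97baecd",
    },
    # dropped RedLine component, 7zS8A52FD1B/62a1ea23342ae_c77562.exe
    "c277eac5a2f147b839219c2327a2d7e6c85be9dabe91c8a92b553e2cadc9e3c3": {
        "md5": "2db62b3e5088b61ead161e0482b2f6f2",
        "sha1": "a13b707e24ae6269631ce1099263cbc793f4b2a1",
        "sha512": "9c287e38c61c28ee0fce45b8734a979d6c74dbdd8648327ac7f7d24e9a2c07736eff70f2f8ca33ddd6196d4b629865ae35abd0de8e784e989179618aa1d72774",
    },
}


def digest_bytes(data):
    """Hex digests of an in-memory buffer for every algorithm in ALGOS."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def digest_file(path, chunk=1 << 20):
    """Same as digest_bytes but streams the file, so an 8.7MB sample (or far
    larger) never has to be held in memory at once."""
    hs = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hs.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hs.items()}


def verify(actual, expected):
    """Return [(algo, expected, actual)] for every listed digest that differs.
    Comparison is case-insensitive; algorithms absent from `expected` are skipped."""
    return [(a, expected[a].lower(), actual[a])
            for a in ALGOS if a in expected and expected[a].lower() != actual[a]]


def check_against_report(actual):
    """Look the file up by SHA256, then verify the remaining digests.
    Returns (known_in_report, mismatches)."""
    entry = EXPECTED.get(actual["sha256"])
    if entry is None:
        return False, []
    return True, verify(actual, entry)


if __name__ == "__main__":
    for path in sys.argv[1:]:
        d = digest_file(path)
        known, bad = check_against_report(d)
        if not known:
            print(f"{path}: sha256 {d['sha256']} is not listed in this report")
        elif bad:
            for algo, exp, got in bad:
                print(f"{path}: {algo} mismatch, report {exp}, computed {got}")
        else:
            print(f"{path}: matches report entry {d['sha256'][:12]}...")
```

Usage is `python verify_hashes.py <file> [<file> ...]`; a file whose SHA256 is not in the table is reported as unknown rather than as a mismatch, so a trimmed or re-packed copy is not mistaken for the original.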

MITRE ATT&CK Enterprise v15

Tasks

  Task          Tags                                                           Score
  static1       agilenet, vmprotect, aspackv2, redline, socelars               10/10
  behavioral1   discovery                                                      6/10
  behavioral2   discovery                                                      6/10
  behavioral3   redline, agilenet, discovery, infostealer                      10/10
  behavioral4   redline, agilenet, discovery, infostealer                      10/10
  behavioral5   discovery                                                      3/10
  behavioral6   discovery                                                      7/10
  behavioral7   raccoon, 8a83f2689674308992d5090432708aae, discovery, stealer  10/10
  behavioral8   raccoon, 8a83f2689674308992d5090432708aae, discovery, stealer  10/10
  behavioral9   smokeloader, pub1, backdoor, discovery, trojan                 10/10
  behavioral10  smokeloader, pub1, backdoor, discovery, trojan                 10/10
  behavioral11  discovery                                                      7/10
  behavioral12  discovery                                                      7/10
  behavioral13  gcleaner, discovery, loader                                    10/10
  behavioral14  gcleaner, discovery, loader                                    10/10
  behavioral15  fabookie, spyware, stealer, vmprotect                          10/10
  behavioral16  fabookie, spyware, stealer, vmprotect                          10/10
  behavioral17  smokeloader, pub3, backdoor, discovery, trojan                 10/10
  behavioral18  smokeloader, pub3, backdoor, discovery, trojan                 10/10
  behavioral19  discovery                                                      7/10
  behavioral20  discovery                                                      7/10
  behavioral21  lgoogloader, discovery, downloader                             10/10
  behavioral22  lgoogloader, discovery, downloader                             10/10
  behavioral23  socelars, discovery, spyware, stealer                          10/10
  behavioral24  socelars, discovery, spyware, stealer                          10/10
  behavioral25  discovery                                                      3/10
  behavioral26  discovery                                                      3/10
  behavioral27  discovery                                                      3/10
  behavioral28  discovery                                                      3/10
  behavioral29  discovery                                                      3/10
  behavioral30  discovery                                                      3/10
  behavioral31  discovery                                                      3/10
  behavioral32  discovery                                                      3/10