fabookie | 33bca0b7c35d92fe1dec4638d803349ca76a0f4b2a647efa49697edb77d2ae95

Sharing

Copy URL

Twitter E-mail

General

Target

JaffaCakes118_33bca0b7c35d92fe1dec4638d803349ca76a0f4b2a647efa49697edb77d2ae95
Size

5.9MB
Sample

241225-qwg51strhl
MD5

67d4a8ca3787d8c5971f41705dbc7580
SHA1

310f453626a240b6c374068a61b83337ea070a23
SHA256

33bca0b7c35d92fe1dec4638d803349ca76a0f4b2a647efa49697edb77d2ae95
SHA512

3712ebd6772d997c61d0450be8b9be5ab2b1b9cf5b234e4603e51f7b17223b0d110daeb46bf31004b205c54c0acfe96c56f5cd21830a97a27a1ae75508215382
SSDEEP

98304:DZnGeMZ7Jwl0XmqXcgaJuzS+TPcxXAJOgceUNCqIclfiuVKDRR8En7PUORKOxLBm:D/MZ7Am9YuvExXkOeUNCq6ug78ORBxLE

Score

10^/10

Malware Config

Extracted

Family

privateloader

http://212.193.30.45/proxies.txt

http://45.144.225.57/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

2.56.59.42

Extracted

Family

socelars

http://www.chosenncrowned.com/

Extracted

Family

nullmixer

http://raitanori.xyz/

Extracted

Family

smokeloader

Botnet

pub5

Targets

- Target
  
  7zSCD97F9B7/16409730233472.exe
- Size
  
  40B
- MD5
  
  e8a679c378fb265bd3bc8c601240edac
- SHA1
  
  6b114e5054f7a7127f820ce5652e32d4b576b0c5
- SHA256
  
  f28881e775b7cbf7c354595d030d30ae56d7b868d09ba8c68b67df0aad491f0b
- SHA512
  
  1cfe633dc25b4a227337f0ad34d052bc6e3fb4d3cbe5f5ec3164dfa05342095078770cc86c64f5d5816b3fa510e7f8525fd5ed62e84e450f68d636bc43ae91de
Score

1^/10
behavioral1 behavioral2
- Target
  
  7zSCD97F9B7/16409730238228.exe
- Size
  
  40B
- MD5
  
  0fe55c3bcc27655fc43f0a42fdc68cda
- SHA1
  
  e3c7acd5e08a3577151ec30080abb0009680fe71
- SHA256
  
  df90bdd412f26707ab8169ede1a787a2a46f82648308e1b9e6c25b05f3035e2e
- SHA512
  
  9a12577557cdabacc4499410fa7629be5526efebe19295ee2aeed0700adb865b9ff9f663555ae48801ebcb7608f893e5b17fda809985e34d4940d158b22ab9e7
Score

1^/10
behavioral3 behavioral4
- Target
  
  7zSCD97F9B7/1640973023982.exe
- Size
  
  40B
- MD5
  
  aab990c9dfed46b40e1ebd459535e798
- SHA1
  
  06aa7cf14236e5025d6dcf17e51e9e12862ed36b
- SHA256
  
  076152aeb4ddc8ec4365d5dbc69e6aae5a72f885f13358412614e0244663fb33
- SHA512
  
  a220891c1bccf10a93e9e756a22ec641bcdd58a48fd2b6a43b2230c23e59e35cdfcd716aad163b0b69180791ab376b57f09b214ec397623da741b11ee86b2353
Score

1^/10
behavioral5 behavioral6
- Target
  
  7zSCD97F9B7/61cf42cab6116_Fri1740da7b7c.exe
- Size
  
  124KB
- MD5
  
  b6f7de71dcc4573e5e5588d6876311fc
- SHA1
  
  645b41e6ea119615db745dd8e776672a4ba59c57
- SHA256
  
  73437218cd12895c7a59c0c03009417705ed231d323e3a1ad279750e46bcc8ad
- SHA512
  
  ca297d40f0e2cc45d5737627a1aaeec61bf7c6f425acadb14e689b4392fcc4a17e74dc1514fb3bf8d9a6a91b5cea38801996a2a7ee2dee0c335bfb2f103c6d42
- SSDEEP
  
  1536:cqTAZ3SbqVbJhTlNFsV7mt7F/E/8ZhtaOlrttD9IpqN:hu3SuVbblHzcwtaOxttDepqN
Score

7^/10

discovery
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral7 behavioral8
- Target
  
  7zSCD97F9B7/61cf42cc94cfd_Fri174cd2108.exe
- Size
  
  1.7MB
- MD5
  
  99918fe3d5011f5e084492e0d9701779
- SHA1
  
  55f7a03c6380bb9f51793be0774681b473e07c9f
- SHA256
  
  558a67043fbcd0bc37d34c99ff16f66b259b24b44811516ceff678964ec655c4
- SHA512
  
  682f1c6c648319c974e608defa41b714d0e8c3670d3f5e669b7227aaf5400285f9f0c6c5c82c50518031d8a93a3cfd591031651068d5a458a6606f2bf51d3e12
- SSDEEP
  
  49152:C9xKxz5eM8JvooqXrFzYA8hVU2AGm63yjpGIcLJjmvQGpf8:Mxm5eMOooqhomhjrcLE8
Score

7^/10

discovery
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral10 behavioral9
- Target
  
  7zSCD97F9B7/61cf42cd9d3e3_Fri172b3fcd2f5c.exe
- Size
  
  136KB
- MD5
  
  14d0d4049bb131fb31dcb7b3736661e7
- SHA1
  
  927d885f395bc5ae04e442b9a56a6bd3908d1447
- SHA256
  
  427ddd764ac020fc8a5f4a164cc8e1e282e8f53fc5ad34256b2aeb7fe8d68ca5
- SHA512
  
  bf0bf5337e2c2815f5f93f6006f2ac2742bb6d60324c7f3eedfbbe041c41ae9b2da1956417c467f668d71fc93c4835d4a81c961c04cbb286c887b99e82bb0994
- SSDEEP
  
  3072:eC34O4F/ZhJ3br4VkSlXWoQY2FRNu5UWzvzH9WHAz6ZS5:ToVVb8TfQYERNu5UqmE
Score

6^/10

discovery
- Legitimate hosting services abused for malware hosting/C2
behavioral11 behavioral12
- Target
  
  7zSCD97F9B7/61cf42cf81412_Fri1748d73b51.exe
- Size
  
  1.4MB
- MD5
  
  0a058a7671659d7864802f509fee9478
- SHA1
  
  7eb76e6b0e58c2bfc685644b3bf93aafab3d1900
- SHA256
  
  0fbfd4aeeda37b64b59ed22d85e7253352b3ae930726f073cbd36998f98c8a8e
- SHA512
  
  31e59a18b2b75e72f8db422279f324a674d41ca554c46f683496196d5003856d59f74e5ceae0a667e7caf3b9875015264ee416b3ee51e16d4ddc8856f6c0aa88
- SSDEEP
  
  24576:Qvp1T0ZhIjR+IXbtCOEqmb3tUJoEYdG/9QDMbh7zXIqmjvLZL:+pCuZ4OuD4+AhzXIqmjjZL
Score

10^/10

socelars discovery spyware stealer
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars family
  socelars
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops Chrome extension
- Legitimate hosting services abused for malware hosting/C2
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
behavioral13 behavioral14
- Target
  
  7zSCD97F9B7/61cf42d8cfbf4_Fri175590209.exe
- Size
  
  178KB
- MD5
  
  f8c7d533e566557eb19e6a89f910ab6b
- SHA1
  
  a225ef1c22fcd29562bd5f8a2d0da3969a5393cb
- SHA256
  
  697949b98fd6207152522f27bcfea3716c336a8cab81751738eda59fd6067dee
- SHA512
  
  a450548c41c45955206459d58f712284b4589bad7a93d9a6c98c5cd0f1f48cb66ee56cc2568e5dfd1fd174fdc6fa4bd249f5b1c9521dc018ec5b90718d0c97b1
- SSDEEP
  
  3072:+aU3o2140NKteqz0d6EPMGz9tEsyyyyyhxxxxi+ElqRKbCG:vU3LTNgeqk6EP/pIxxxxj
Score

1^/10
behavioral15 behavioral16
- Target
  
  7zSCD97F9B7/61cf42d96bbd5_Fri1768e6cd.exe
- Size
  
  8KB
- MD5
  
  d7f55160e4884c2917c39d3ae7f618b3
- SHA1
  
  b8b48396d98f492c98f8c5f9ca88ef32f9d47033
- SHA256
  
  4b8d0340ceb7fe26b41c04c590bb68791865274132f73b0cd59265f3c63d96c8
- SHA512
  
  af49101f633a964b54fa3e8baf2d97bc0cade00f5087dd51b1b281991f808a82359664b36e3450662ff3fbd5ee9dd6ccebde547d14f15ee09ffee909124544a6
- SSDEEP
  
  96:MJOunDNLXqqCWV2sLZSukdrKozt1HfWP5KczNt:W2qH3LGr3H+Im
Score

6^/10
- Legitimate hosting services abused for malware hosting/C2
behavioral17 behavioral18
- Target
  
  7zSCD97F9B7/61cf42da3aadc_Fri1749497d9d.exe
- Size
  
  1.1MB
- MD5
  
  aa75aa3f07c593b1cd7441f7d8723e14
- SHA1
  
  f8e9190ccb6b36474c63ed65a74629ad490f2620
- SHA256
  
  af890b72e50681eee069a7024c0649ac99f60e781cb267d4849dae4b310d59c1
- SHA512
  
  b1984c431939e92ea6918afbbc226691d1e46e48f11db906fec3b7e5c49075f33027a2c6a16ab4861c906faa6b50fddc44201922e44a0243f9883b701316ca2b
- SSDEEP
  
  24576:E+s0inmEeXkaagbiW4BHDV2PiayiBgy9FFF:E+3uQXkaKHDIPi0B
Score

3^/10

discovery
behavioral19 behavioral20
- Target
  
  7zSCD97F9B7/61cf42db8e020_Fri179863c92d69.exe
- Size
  
  1.9MB
- MD5
  
  1a834bf6d259babbfb8f84a40c30cee2
- SHA1
  
  bac32a006f8451b5e5063e12dfc3a27c44dd79db
- SHA256
  
  1604a4cccddecd3d488d6ede5f4040b3cb95e5d76385cb0be30cb7f8e1a380b5
- SHA512
  
  9e4e5feafeaff5695486a226fe4b302a5b4ab484e4fb96de2bb2ffeebba8f65f782283994a6409a4d36005edbf810c94f6258c4118d7facda0273a85dc2afba1
- SSDEEP
  
  24576:YLeTtjJFtHrKCeZEnvjEgbnqpZamVkfj6eR0DNk4pbAZXY1pokix+8bdmS5:YLYkCcEbEMIZa5fMJkCQYwkirbMS5
Score

8^/10

discovery
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral21 behavioral22
- Target
  
  7zSCD97F9B7/61cf42dc105f3_Fri17e8bf67cf5c.exe
- Size
  
  123KB
- MD5
  
  550df332f73bf3d4477a7db99407bc25
- SHA1
  
  b1d3d4b2119195163d9ca10dde2c86f16ad6a45a
- SHA256
  
  cb17edd2f1497ec1f54b46d1aa36227b2d6b7a856f3e28771e3aee5e855485db
- SHA512
  
  412456d898f92c540b8f243da445466f4874c4f502ee886209186171a7e6e7725e8bfaa2880d0698b783a76a8515b96c822d5333446ac5af2cd953e58e042b6e
- SSDEEP
  
  3072:MVcsnNYPnMBRrxqcC/sivuwCmFASKx45LfANZn9KiW1p:XvMBR4ZCaAxiN7p
Score

6^/10

discovery
- Legitimate hosting services abused for malware hosting/C2
behavioral23 behavioral24
- Target
  
  7zSCD97F9B7/61cf42ddca121_Fri1754a29da57.exe
- Size
  
  339KB
- MD5
  
  c6ba95e6a2570df9355492eedcba2692
- SHA1
  
  cabb84ac43c787653803d539c4c11e98f0216977
- SHA256
  
  d1ce9967a983bf8a13464a30145ea9acda0810f9fad52990e96e6d6fda6c3299
- SHA512
  
  6c3874e0f033f00ce9e9451abc6909d88f4e629790a6dba325f4568e29b3d3e1c121c357367833503699f065d5d9d7e064853ef6f4bdde0ef8290979daf26f3f
- SSDEEP
  
  6144:f7ag7wGLhJvadhZIV8urx/Ybt+34cRAOaHkIehGoE:f7p7wGfydhZIV8uF/Ybt+3sOaHEE
Score

10^/10

smokeloader pub5 backdoor discovery trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Smokeloader family
  smokeloader
behavioral25 behavioral26
- Target
  
  7zSCD97F9B7/61cf42de1af96_Fri179a299200.exe
- Size
  
  133KB
- MD5
  
  60d978d30d2cf2aa9746b234a60f0ae1
- SHA1
  
  c7430d8368ee53f480da4e38d2ad4601ea1ef4fc
- SHA256
  
  55bfb169b4c4848c7e080f9a73fd59410915acc5366e0f92f7c47a767a5a6a51
- SHA512
  
  716f78e9c9a69a4500be51e7c5dc28cb88f08bfc6188c93df9710944a8991224e634cf038edc9dfa2125feb7e060c48b7f9adbd8225c03241c07a52ecb433e14
- SSDEEP
  
  3072:3FVEERFVDyqi8ujL30J5PTXw1RLpd5lPkLnoek:3FVEERFVDyHo/Lw1RPsLn
Score

3^/10

discovery
behavioral27 behavioral28
- Target
  
  7zSCD97F9B7/61cf42df34a5e_Fri1721957b061.exe
- Size
  
  2.0MB
- MD5
  
  29fa0d00300d275c04b2d0cc3b969c57
- SHA1
  
  329b7fbe6ba9ceca9507af8adec6771799c2e841
- SHA256
  
  28314e224dcbae977cbf7dec0cda849e4a56cec90b3568a29b6bbd9234b895aa
- SHA512
  
  4925a7e5d831ebc1da9a6f7e77f5022e83f7f01032d102a41dd9e33a4df546202b3b27effb912aa46e5b007bda11238e1fc67f8c74ddac4993a6ee108a6cd411
- SSDEEP
  
  49152:7rEOLD0xW+aJVXfxu3Eosp/qw7RV+uY/:023Jtosp/qw7yb
Score

9^/10

discovery spyware stealer
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral29 behavioral30
- Target
  
  7zSCD97F9B7/libcurl.dll
- Size
  
  218KB
- MD5
  
  d09be1f47fd6b827c81a4812b4f7296f
- SHA1
  
  028ae3596c0790e6d7f9f2f3c8e9591527d267f7
- SHA256
  
  0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
- SHA512
  
  857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
- SSDEEP
  
  6144:Kk3jgivfCVSRrLV7yAVzKZIjCbanUKWw+ba//PXHUo:30iH0iVPVzKOOunLWf2//0
Score

3^/10

discovery
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Targets

Checks computer location settings

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Socelars

Socelars family

Reads user/profile data of web browsers

Checks installed software on the system

Drops Chrome extension

Legitimate hosting services abused for malware hosting/C2

Looks up geolocation information via web service

Legitimate hosting services abused for malware hosting/C2

Blocklisted process makes network request

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

SmokeLoader

Smokeloader family

Detected Nirsoft tools

NirSoft WebBrowserPassView

Executes dropped EXE

Reads user/profile data of web browsers

Looks up external IP address via web service

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32