Overview

overview

10

Static

static

3

04cfb78f7a...34.exe

windows7-x64

10

04cfb78f7a...34.exe

windows10-2004-x64

10

setup_installer.exe

windows7-x64

10

setup_installer.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JaffaCakes118_b232b6fd79bf901483714e8b634adb3b7a43857677f696a4499a5c2137868997

  • Size

    9.9MB

  • Sample

    241225-wk9c1s1php

  • MD5

    25121fc74590eeb15174adbede80d7e1

  • SHA1

    7b8ac0440263fd7a14d47e1b635c17c6c43905dc

  • SHA256

    b232b6fd79bf901483714e8b634adb3b7a43857677f696a4499a5c2137868997

  • SHA512

    73272331c8ad65c478507c5450d408ad74d44b3c45af21751f1850eef11928a73e50d40754d768941a60242558e4fe6aad76ac761b9c14c123023ff11f0a07c7

  • SSDEEP

    196608:qCtsWl6uPiR9iAFom4OV3A8/6Lhl9aehDEtnc5UMS5Nbo5kcDilsPZ4LyicDDU2:qCtfRPev4E3A8i12He5sL0iS42

Score
10/10
cryptbotfabookienullmixerprivateloadersocelarsaspackv2discoverydropperevasionexecutionloaderspywarestealerthemidatrojan

Malware Config

Extracted

Family

nullmixer

C2

http://hornygl.xyz/

Extracted

Family

socelars

C2

http://www.chosenncrowned.com/

Extracted

Family

privateloader

C2

http://212.193.30.45/proxies.txt

http://45.144.225.57/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

2.56.59.42

Extracted

Family

cryptbot

C2

zyofvl37.top

morynt03.top
Attributes
  • payload_url

    http://yapstn04.top/download.php?file=daladi.exe

Targets

    • Target

      04cfb78f7af98b7b254cad238ff168fa2946d64bb6583c8783eabcd22e0fa934

    • Size

      9.9MB

    • MD5

      fee4349ec343cb15b97cea31b6f3a996

    • SHA1

      6d1478cdad5d5b8f1a10a7f054049eeb3cff7baf

    • SHA256

      04cfb78f7af98b7b254cad238ff168fa2946d64bb6583c8783eabcd22e0fa934

    • SHA512

      bc42b5593279bf8142de33c2ab13a0d88a9aad72fde52d68ca72ad63274c81c01c4d8b44a916458f4baa0f58b644d53beda5c06ab54e9c30da38128145ff395b

    • SSDEEP

      196608:JSZ3cB2fsAFFeIQ/aq0rIRoJEHZqMjQ96UEAjTLlEANuFDr/RCB:J4LfsAWhiZJka9zTLlxCjRY

    Score
    10/10
    cryptbotfabookienullmixerprivateloadersocelarsaspackv2discoverydropperevasionexecutionloaderspywarestealerthemidatrojan

    • CryptBot

      CryptBot is a C++ stealer distributed widely in bundle with other software.

      spywarestealercryptbot

    • Cryptbot family

      cryptbot

    • Detect Fabookie payload

    • Fabookie

      Fabookie is facebook account info stealer.

      spywarestealerfabookie

    • Fabookie family

      fabookie

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

      droppernullmixer

    • Nullmixer family

      nullmixer

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • Privateloader family

      privateloader

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars family

      socelars

    • Socelars payload

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops Chrome extension

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      setup_installer.exe

    • Size

      9.8MB

    • MD5

      640ef8b7b13326af0747a293aec5f5b3

    • SHA1

      002bcadeae4bf25aeee160e1b84d8fc8c14af10e

    • SHA256

      03666c6f68c8ea9fa08a06424078f57905c81dd32967823c23ffe57b554f0452

    • SHA512

      20a64bd09671336b7af157763785ae61519c418783a9e0393f67dd3adc01bd6ca61e518a207683ed2b979f2deb23b84623a351c99e6aa80e0c2dd1f7a85ef5e2

    • SSDEEP

      196608:xPM5h8YrFMTlRu2pP5+yzDC+Cvu2UhX5uAekUXUfjsC6nrNqtb:xPMz8+F+lI2P51Di+tVeZyIPSb

    Score
    10/10
    cryptbotfabookienullmixerprivateloadersocelarsaspackv2discoverydropperevasionexecutionloaderspywarestealerthemidatrojan

    • CryptBot

      CryptBot is a C++ stealer distributed widely in bundle with other software.

      spywarestealercryptbot

    • Cryptbot family

      cryptbot

    • Detect Fabookie payload

    • Fabookie

      Fabookie is facebook account info stealer.

      spywarestealerfabookie

    • Fabookie family

      fabookie

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

      droppernullmixer

    • Nullmixer family

      nullmixer

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • Privateloader family

      privateloader

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars family

      socelars

    • Socelars payload

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops Chrome extension

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

PowerShell

2
T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

1
T1120

Query Registry

7
T1012

Remote System Discovery

1
T1018

System Information Discovery

7
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Virtualization/Sandbox Evasion

1
T1497

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks