Overview

overview

10

Static

static

3

2625712503...46.exe

windows7-x64

10

2625712503...46.exe

windows10-2004-x64

10

setup_installer.exe

windows7-x64

10

setup_installer.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JaffaCakes118_8177b9b15bb7afcdf9af56d0ccce7c6cbe1452a535e6c29e89b7b25fe810e0ce

  • Size

    8.7MB

  • Sample

    241229-2v7vtszjfv

  • MD5

    8db8522ac3e2a8357b71f759b4a0aa71

  • SHA1

    479cd706567e10d4f0e7ab82e8b3e4b2ac46be93

  • SHA256

    8177b9b15bb7afcdf9af56d0ccce7c6cbe1452a535e6c29e89b7b25fe810e0ce

  • SHA512

    c4495964b25f5d4c06ed3b14bd3ae3d35b85b6e73d81cab1c3652c8f46f983913e90d6e3da4eda0381912153d5b222c9aa3425ba40029888d0660f2c336b225d

  • SSDEEP

    196608:Zt+Jkrum3rX8SIfwgWvN+/3QkKCBRLru3I45etEzGDvWFm:H+JkrHM37WvNUJLCFetgGak

Score
10/10
cryptbotfabookienullmixerprivateloadersocelarsaspackv2discoverydropperevasionexecutionloaderspywarestealerthemidatrojan

Malware Config

Extracted

Family

nullmixer

C2

http://raitanori.xyz/

Extracted

Family

socelars

C2

http://www.chosenncrowned.com/

Extracted

Family

privateloader

C2

http://212.193.30.45/proxies.txt

http://45.144.225.57/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

2.56.59.42

Extracted

Family

cryptbot

C2

zyoidm17.top

morlea01.top
Attributes
  • payload_url

    http://yapivt01.top/download.php?file=ainger.exe

Targets

    • Target

      26257125032db56e7267c3084ab9cde9bd676304fe58117bcf101b72f952f646

    • Size

      8.7MB

    • MD5

      280579c01f3539c998fa15c4e209f1ff

    • SHA1

      a04a7dd42f3ada35e3422bcd9771241a744be48b

    • SHA256

      26257125032db56e7267c3084ab9cde9bd676304fe58117bcf101b72f952f646

    • SHA512

      4ee267a982009440f1e117f86c43715d690c0a8893e0310dc20e672a46cd3ae1bf6423e7e498e548dfb2b6d562585c6389fe74c9b8fc2c11bb749c6ba331d1bb

    • SSDEEP

      196608:J2Y2AZQkcQPL1L1AHc1CsXRA7frlV2Vy16+5EIlD/2lc:JdPZncQZ5A8LWraU6UlqS

    Score
    10/10
    cryptbotfabookienullmixerprivateloadersocelarsaspackv2discoverydropperevasionexecutionloaderspywarestealerthemidatrojan

    • CryptBot

      CryptBot is a C++ stealer distributed widely in bundle with other software.

      spywarestealercryptbot

    • Cryptbot family

      cryptbot

    • Detect Fabookie payload

    • Fabookie

      Fabookie is facebook account info stealer.

      spywarestealerfabookie

    • Fabookie family

      fabookie

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

      droppernullmixer

    • Nullmixer family

      nullmixer

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • Privateloader family

      privateloader

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars family

      socelars

    • Socelars payload

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops Chrome extension

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      setup_installer.exe

    • Size

      8.7MB

    • MD5

      599fb15b133d3ae43e81776d1c3b7ce4

    • SHA1

      7bb32c3c72a7b2671bf15081ae86c33def78a56f

    • SHA256

      dd0b24cd94aada4281beeee104a7b2cf2f971934d3761ab65b23dc8c2d815e79

    • SHA512

      94258a168ec7c64098ad2f3d50ce3d441d65a15dfcbdde31d4c5231e3c78408787e06566913f89e76630a448e0d74424215e26aea8c42a48eae8b86ace6dfc31

    • SSDEEP

      196608:xIkDzAX3QJdJ8mRRZbSIm93nWVbzaPjAWFMH8Qj0IcaZ4kXkyNyczlKofvOQ:x3DzgQJdJ8ubRO3nWxudFs8M7VXXIcxb

    Score
    10/10
    cryptbotfabookienullmixerprivateloadersocelarsaspackv2discoverydropperevasionexecutionloaderspywarestealerthemidatrojan

    • CryptBot

      CryptBot is a C++ stealer distributed widely in bundle with other software.

      spywarestealercryptbot

    • Cryptbot family

      cryptbot

    • Detect Fabookie payload

    • Fabookie

      Fabookie is facebook account info stealer.

      spywarestealerfabookie

    • Fabookie family

      fabookie

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

      droppernullmixer

    • Nullmixer family

      nullmixer

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • Privateloader family

      privateloader

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars family

      socelars

    • Socelars payload

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops Chrome extension

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks