fabookie

General

Target

JaffaCakes118_ee425dd892ad9a6c7ac05c28c7beedc75415f2f1f52839910615f2993348a549
Size

11.0MB
Sample

241229-ly4pksynfw
MD5

a65ce5c242deb59447163f17fda78a73
SHA1

a5c0961a96692ef115c58902d81440e5d421a1df
SHA256

ee425dd892ad9a6c7ac05c28c7beedc75415f2f1f52839910615f2993348a549
SHA512

03b4d48c993ee3d6d4f2b9217c181928c75a35c43e39902c85c066b9a64c5c0743c9b8d048d2ee2b0b206c895b31c9ddc1047de50d733a41da0628983cb49e8c
SSDEEP

196608:KnmtnhL6ooGvmcM7WvXL4mBit1Yljxck1g4EoJIU8fDfBBSst1PZPuavnMhkuskd:KnMnx6PGvmH7WzCWXDm45JIU2BSstPLu

Score

10^/10

Malware Config

Extracted

Family

nullmixer

C2

http://6239caa95598d.com/

Extracted

Family

socelars

C2

https://sa-us-bucket.s3.us-east-2.amazonaws.com/asdhjk/

Extracted

Family

smokeloader

Botnet

pub3

Extracted

Family

gcleaner

C2

appwebstat.biz

ads-memory.biz

Targets

- Target
  
  20e1834814a6c07cbc793ea74c90e52c27cfb2769c6279a67f2d35c269ac6df4
- Size
  
  11.1MB
- MD5
  
  d2eea7e948e24d64a97d94f4391f3993
- SHA1
  
  cd8bf25bf90ffcdc3a4f31e7967555e3be1b6abf
- SHA256
  
  20e1834814a6c07cbc793ea74c90e52c27cfb2769c6279a67f2d35c269ac6df4
- SHA512
  
  21c21eb5641b13339349314dc5648dc3a1eddb93f3d349f47e34210ec4855f90eb56f5df70d5dfc368ad37135473eb274d85647450b62d775a9b0aaf7f3f1cf9
- SSDEEP
  
  196608:xTziUNA8DIkd9lEnp0hofKRLoBF3McEuWMbCO5/jEpaeMQiXQqB4Wf0JNIvNtA0:x3igAgIk40hU24F8mWMbzEpOVXd4WfGQ
Score

10^/10

fabookie gcleaner nullmixer onlylogger raccoon smokeloader socelars pub3 aspackv2 backdoor discovery dropper execution loader spyware stealer trojan vmprotect
- Detect Fabookie payload
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Fabookie family
  fabookie
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gcleaner family
  gcleaner
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- Onlylogger family
  onlylogger
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Raccoon Stealer V1 payload
- Raccoon family
  raccoon
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Smokeloader family
  smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars family
  socelars
- Socelars payload
- OnlyLogger payload
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2