General

  • Target

    JaffaCakes118_7a65ea84978d653141d5fe65a05f59831cd7be417ae8c630a4e584647e92b35c

  • Size

    827.4MB

  • Sample

    241229-mt58aazkh1

  • MD5

    2a8f42edc472950c862a87afa8bc7ea6

  • SHA1

    d6dd452daaf2315066b301e7d97b8d30028bd334

  • SHA256

    7a65ea84978d653141d5fe65a05f59831cd7be417ae8c630a4e584647e92b35c

  • SHA512

    e11a975c43f531fce524f91a4ecd0d659032799bd75951883efb1c2161fa0cd5e8f14e0f7bfbd914ca58a10aac4c926e29da618f72cb4f997df16ed4aa3fbaa2

  • SSDEEP

    12582912:RMY0yDKupYAcNSic1uZj0pukUisqfkj3vYyBJU77f/xxF86+lyGwlFu6CsZMth05:eeTzoSapDTZBCvnG6Z9lFXVut6OS+oPX

Malware Config

Extracted

Family

berbew

C2

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Extracted

Family

agenttesla

Credentials

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

xworm

C2

104.245.126.72:55638

:55638

Attributes
  • Install_directory

    %AppData%

  • install_file

    Defender.exe

  • telegram

    https://api.telegram.org/bot6598373047:AAHwDmN1CXWUConr5AXtZNcmeqoatl5MIm0/sendMessage?chat_id=2001505415

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

192.168.0.103:4782

Mutex

4af63002-10c8-4aa5-8c63-b93df49aa916

Attributes
  • encryption_key

    27CFF25A872374DDAAA32E502C2DC500EFFE191D

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      virussign.com_001d76c0f2266cf5275017fe1f500bf0.vir

    • Size

      226KB

    • MD5

      001d76c0f2266cf5275017fe1f500bf0

    • SHA1

      e92e2de0431ab6f001890544214925535dd79e4e

    • SHA256

      c3dc11574446e9f6f6a68bc92e709b5377c712401907e149c0507192db955be5

    • SHA512

      72831e33a2896262b59e4c515183d60fca6a3be99e0e55a21904021e304b9563830ac04d3cc167d8b54dfc894e869a24bebe20470ad90b2eea18acdb614ff240

    • SSDEEP

      6144:R4lwZ40243s0gJvyTZaPYZeHF/tIzi+Tk98i9goc8VRtiZYj:qn0d8PJvyQYZelVIziveo/Rtii

    Score
    7/10
    • Loads dropped DLL

    • Target

      virussign.com_0050131715d61e9d072a3beed31a410c.vir

    • Size

      1.4MB

    • MD5

      0050131715d61e9d072a3beed31a410c

    • SHA1

      8e901e106b282ae12df7593112e37801b2ffe903

    • SHA256

      b48eccb23d6c3697a8930d16fb5a41773b8f596d77be3eed282ce77854899456

    • SHA512

      a416b19e9c088aa3771ebe7cba2f91d7ca64d2cb553ad290cb1ae8b70d95f65d1eca1a82fe597184062f2480b65833c099a3439cb3ed7d03ff24bb0e239e8178

    • SSDEEP

      24576:GezaTnG99Q8FcNrpyNdfE0bLBgDOp2iSLz9LbBwlKenKB/ksiZdMzPxFh1GuzSYj:GezaTF8FcNkNdfE0pZ9oztFwI7ei11Z

    Score
    10/10
    • Xmrig family

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      virussign.com_00565e577708a8439c9d885e085c3901.vir

    • Size

      712KB

    • MD5

      00565e577708a8439c9d885e085c3901

    • SHA1

      4493fff8b6656d235cbfa9469e81857fc365f928

    • SHA256

      257f64f00d9ae803841bd4621b265bdfcf08e046384911400fe2578c3c9b9059

    • SHA512

      c6299a89e73e964d5dd6296a4420520c4da0e36057d8145f423b269c28dc6db6bba8c4b17cda60f3c045fec8bc1ebd5cbf79c0e69b93bacee78ee565d44edfdc

    • SSDEEP

      12288:wqBF6oVTk26GXLNaGUnFsnvvSpjsvPmJLZwyTJ2GbNjOjN:vBF6727XL1+KvSjsvCDrAN

    Score
    1/10
    • Target

      virussign.com_00689e80f9aaad22a716422b814f233f.vir

    • Size

      110KB

    • MD5

      00689e80f9aaad22a716422b814f233f

    • SHA1

      566ffb28a550d534790b39908079afeef53dbf4e

    • SHA256

      af53073a2e8822a85be4057d6b1862771c0274d7ec5a0b31271cb9e95ec563ef

    • SHA512

      dc4947da94bb829874995908ec5f63e40dda61f013c1d3b65d287ca62008768929a418700b2f66a25af131c8aa77a7d1e0d0e0e99901b29a1b953d60a3cd5290

    • SSDEEP

      3072:tbCETB4dDyUuFbwmfFBouhvGK02VhqUIEH:hCVDyUuFbwmfFBouhvGK02VhqUn

    Score
    1/10
    • Target

      virussign.com_0073654a4de7a00dfb7a4df7f9e4851a.vir

    • Size

      775KB

    • MD5

      0073654a4de7a00dfb7a4df7f9e4851a

    • SHA1

      2235dd2c7f1f504ee317d2253ab881086f882510

    • SHA256

      1a4412182c5b7beb07783cf2b067581c2efe87cb2a58d13284b43e169ed10aa2

    • SHA512

      ba34e9fe635a3402941a956bba2f5d34cb584464e8eb00c34b4f74fb9e0b9fc6ef18e980a82be63520990ee19b2f30a3f7c088d7904bf11b5b803f150840a751

    • SSDEEP

      12288:wqBF6oVTk26GXLNaGUnFsnEV+43Ykj7MwunhhAan8wfrC4ne5ovdDjN1:vBF6727XL1+Ki+4in3Tnzfrte50N1

    Score
    1/10
    • Target

      virussign.com_007bfeb463de9ebee397b8e85562845b.vir

    • Size

      434KB

    • MD5

      007bfeb463de9ebee397b8e85562845b

    • SHA1

      f55bb54a6341511aff404ffa98efc0bc1681c9f6

    • SHA256

      940b24e2c55de6aa6ce0b5ba3e5e9b2994062f6003f01314b97cabc9d7151d0d

    • SHA512

      215ba1e5134da92b94f255c2e16567ba6b099efdc4cc1b0ae2c3836b6b2fde28522cc3bd61b21371ed8b7e750c8125c61eeaffd9ea6b64cd20d66423eacc4bc4

    • SSDEEP

      12288:HZxDmOQjkMmVY2gsvmQjBImVYymVY2gsv:L9Y2gsHYNY2gs

    • Adds autorun key to be loaded by Explorer.exe on startup

    • Berbew

      Berbew is a backdoor written in C++.

    • Berbew family

    • Xmrig family

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      virussign.com_00a519bb1b7284727a665faeb741c5e3.vir

    • Size

      101KB

    • MD5

      00a519bb1b7284727a665faeb741c5e3

    • SHA1

      4ae2011819af55c9f94a4ffb042ce5d052930f6a

    • SHA256

      9f8837466bc78d70a12537e035547b584efce0075db99ed37b6b213ef4a4b8c1

    • SHA512

      c7feede61cd71af5d8646e9e0c950a48b60895f4aa3befb5b874b8db469e6b018de4826c4fdd1f294d350bba0c05ae82da772e09696a7dd334f8c26c53d70009

    • SSDEEP

      1536:0GYU/W2FHG6jMauSV3ixJHABLrmhH7i9CO+WHg7zRZICrWaGZh7j:0fU/Wr6jMauSuiWNi9CO+WARJrWNZ1

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Target

      virussign.com_00a6f71a9d6feb05e9e6d489bb90dc7e.vir

    • Size

      1.2MB

    • MD5

      00a6f71a9d6feb05e9e6d489bb90dc7e

    • SHA1

      5acccf16c169efa645ca9a75a8b611072ab94ecb

    • SHA256

      e77100fd7247439b64dc73d87e57634e67cf14e58ab08db2f7fbdcc4fdf3a034

    • SHA512

      c250d7758990dc4de400694624a18504724d5519fe67eee8c114b59bcf35b42b97ae04b376a2c290b724bf4bc6fd8cf7cbd154579d58ba53c8462b7241a34807

    • SSDEEP

      24576:zv3/fTLF671TilQFG4P5PMkUCCWvLEvjhMgQhCwbvjOuhiS+:Lz071uv4BPMkHC0INFWOuhp+

    • KPOT

      KPOT is an information stealer that steals user data and account credentials.

    • KPOT Core Executable

    • Kpot family

    • Urelas

      Urelas is a trojan targeting card games.

    • Urelas family

    • Xmrig family

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Command and Scripting Interpreter: PowerShell

      Powershell Invoke Web Request.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      virussign.com_00bf354c8d7adcda624dfbb6a3fe6807.vir

    • Size

      1004KB

    • MD5

      00bf354c8d7adcda624dfbb6a3fe6807

    • SHA1

      30d5f3256baa66aa277f5d5e0e0bab86e8a288c0

    • SHA256

      8f2d40aa8793bb1f289e2840b059b7ce9d1487c160d8f0e9e4e5053b6105d633

    • SHA512

      1255c9097a0dcda17e455134293744fbdc37ad02fb8a44df225c5f6c035d4afd1372f6e8523018fe3d57528b3cd678ed1c14815004211b577ab355ca6d941bda

    • SSDEEP

      24576:RVIl/WDGCi7/qkatXBF6727HeoPO+XC7A9GaFs1XllvxWUAI:ROdWCCi7/rahOYill

    Score
    10/10
    • Xmrig family

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Executes dropped EXE

    • Loads dropped DLL

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      virussign.com_00e0a4e37515a8bf12e0f4d362720a34.vir

    • Size

      606KB

    • MD5

      00e0a4e37515a8bf12e0f4d362720a34

    • SHA1

      d8a4bb480d1c0995cc63d73b00fcbf7ae36b8f5e

    • SHA256

      99865dc550f094797f92e7b7c1c7d61f647f01b7f3644539153c8c1bd17deb9f

    • SHA512

      38ec195e08220727d61e8c1ce0ded9df250bfaeebb797a65e5e669cc3863e0f996b4e35661915695b69bed8cc0ce07f85705dc810c2f8b39520709bc1428e792

    • SSDEEP

      6144:RqlIyFESWu0SWuGSL2seZ5tDlYFGJx/Gw7vl:ty4seZaGXGwDl

    Score
    3/10
    • Target

      virussign.com_00e0f05fd0ab94ce7601fb13225e259e.vir

    • Size

      748KB

    • MD5

      00e0f05fd0ab94ce7601fb13225e259e

    • SHA1

      5ff89ebc5bd387c29d134f035e7ba6848f874750

    • SHA256

      16a81c9b421f34da2235ec48130e70185d8e925dc3f8f3a3891421ed5f0765e1

    • SHA512

      404757c195eeb6e2956727575918adb4be313e60262415345ae96dc4b7448aa993c015c0055831a20b611beb638bb31d633d3e0820ed0a5c71c61365e89da2b5

    • SSDEEP

      12288:wqBF6oVTk26GXLNaGUnFsnEV+43Ykj7MwunhhAan8wfrC4ne5kNjl:vBF6727XL1+Ki+4in3Tnzfrte5kz

    Score
    1/10
    • Target

      virussign.com_00e8c6172aae832496ff5066c8282abf.vir

    • Size

      128KB

    • MD5

      00e8c6172aae832496ff5066c8282abf

    • SHA1

      ecbc64509f0f604d7877066e53e0116e122899a2

    • SHA256

      7a5ca7cdd82bb3d066397bb48c95a9d40d59c1b1725f7566048f5142c99f085d

    • SHA512

      9cf9704ce2d0907043bad5a84df7cf9cf8348b2da23975ab73a36bc9778d7bc568298f828b92a22d94e2d0f003d5ea39374226302e54c199c81551c1bf04a5fe

    • SSDEEP

      1536:zMtcFRfsQw267SdDke1Hoy+GsHQjILQ9FKGXllUDtM60TD4ruhiZlrQIFiglF9xu:zXU/21IsHKG7UDd0pCrQIFdFtLQ

    • Adds autorun key to be loaded by Explorer.exe on startup

    • Berbew

      Berbew is a backdoor written in C++.

    • Berbew family

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      virussign.com_00fa4d04b04bf7c7e9ffb1714bb74688.vir

    • Size

      508KB

    • MD5

      00fa4d04b04bf7c7e9ffb1714bb74688

    • SHA1

      ec7c25e560fbfda8f3ae83bd67824c505fe71ae4

    • SHA256

      2c610fe3c5e17ca7280991967a80f2bb0a6008cea326439bc8320196dd07848a

    • SHA512

      06823d209875a6ba7eedf66b09f7de5a0135f843ef0ed0fd353bfc7069a850f47883a130ec7547170eacd4a1a2701e7828476c8957bff487530363ac4b056bb4

    • SSDEEP

      12288:lXa8s0fUDw52+TuIr+grnSQvtSKDd9qcsX3n0A8:lq8nfUGuIr+eSoR9qPnM

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Target

      virussign.com_011a0ee08993b0bcb944efb9e222d8db.vir

    • Size

      624KB

    • MD5

      011a0ee08993b0bcb944efb9e222d8db

    • SHA1

      a77a497a6bcbc3985fef9d412e850ab47b51a5f7

    • SHA256

      e53bfce71f72f97a918b370c3c6befbfd423a693c464f6c68cfa866f387ba2ed

    • SHA512

      14cd2c8556cc6bc54810bded27fcaa5a7ee6963de82c46a6a12750ecf5afbc422257d35eca11cf0aa72a62b0b7e4d27ed53516fe56ed8b1ca54a58f61ce3e4dd

    • SSDEEP

      12288:7QhAHV4KWkcsZQX9aLisvNeOVQ5zCD4TyWN9VysX7rdGrr5Mv:7+X9aLisvNeOVQ5zY4xN9VyU7

    Score
    7/10
    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      virussign.com_012157de815c5e4bf4535ea332b47cf7.vir

    • Size

      117KB

    • MD5

      012157de815c5e4bf4535ea332b47cf7

    • SHA1

      8cbe1465ce8b2bd65f40b0d0a6be97746ace877c

    • SHA256

      44989161b9103a1dc8df8428b3881efa50b734f148cfdf6fd27d86a7c21b0f99

    • SHA512

      64c30c1d92ba07b13d9ce9b7680dfce12181c590e003766952365ed459938282abd243c3af07bdef3c75598ac6409bfc49aca915f5b8f0e683ac9eb43a82b0d7

    • SSDEEP

      1536:p40LmYP3qgfcLPG9LEe/QuruSs1KAhaFFfUN1Avhw6JCM:ZLmk3qZuPzqhaFFfUrQlM

    • Adds autorun key to be loaded by Explorer.exe on startup

    • Berbew

      Berbew is a backdoor written in C++.

    • Berbew family

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      virussign.com_0127bf5b597c936eb89344b860fa6dc2.vir

    • Size

      966KB

    • MD5

      0127bf5b597c936eb89344b860fa6dc2

    • SHA1

      6ca075593669a32a3f0a500c0c005eda0eacd739

    • SHA256

      6bef917725df34c7b8e76b609e95c9b672938f72c1cf9c6b570f50c9d20b5576

    • SHA512

      c577622c0c78cdf2d9ae66dd3054e41ea63ead75fe211bd2133275f3610d44ae320a440f3cae6755580be27e9fed566e1bcaec17fd2b7f4046875e488eb3ce9d

    • SSDEEP

      12288:wqBF6oVTk26GF15CUqbGuC4DCjBSwVd+1bBTDQlfIkjY4C0ivWBD4Cg3CH:vBF6727F15qbrund+fT+gsYb0i+6vM

    Score
    1/10

MITRE ATT&CK Enterprise v15

Tasks

static1

miner upx pyinstaller backdoor themida office04 aspackv2 xmrig berbew kpot urelas floxif modiloader gandcrab neconyd agenttesla xred gh0strat xworm quasar
Score
10/10

behavioral1

discovery
Score
7/10

behavioral2

discovery
Score
7/10

behavioral3

xmrig miner
Score
10/10

behavioral4

xmrig miner
Score
10/10

behavioral5

Score
1/10

behavioral6

Score
1/10

behavioral7

Score
1/10

behavioral8

Score
1/10

behavioral9

Score
1/10

behavioral10

Score
1/10

behavioral11

berbew xmrig backdoor discovery miner persistence
Score
10/10

behavioral12

berbew backdoor discovery persistence
Score
10/10

behavioral13

defense_evasion discovery persistence
Score
7/10

behavioral14

defense_evasion discovery persistence
Score
7/10

behavioral15

kpot urelas xmrig execution miner stealer trojan upx
Score
10/10

behavioral16

xmrig execution miner upx
Score
10/10

behavioral17

xmrig miner upx
Score
10/10

behavioral18

xmrig miner upx
Score
10/10

behavioral19

discovery
Score
3/10

behavioral20

discovery
Score
3/10

behavioral21

Score
1/10

behavioral22

Score
1/10

behavioral23

berbew backdoor discovery persistence
Score
10/10

behavioral24

berbew backdoor discovery persistence
Score
10/10

behavioral25

discovery persistence spyware stealer
Score
7/10

behavioral26

discovery persistence spyware stealer
Score
7/10

behavioral27

discovery
Score
7/10

behavioral28

discovery
Score
7/10

behavioral29

berbew backdoor discovery persistence
Score
10/10

behavioral30

berbew backdoor discovery persistence
Score
10/10

behavioral31

Score
1/10

behavioral32

Score
1/10