fabookie

General

Target

JaffaCakes118_718db5fd7b0ad0b3c34d2502ecd8d1521f67caba93245966ce2a9e58f4a7f254
Size

6.0MB
Sample

241230-21nzxawjcy
MD5

16c78fbe573738c14c8e5396360b217e
SHA1

e96d30b8d1dc3cd2c561e8a35f9fab3d5b635e39
SHA256

718db5fd7b0ad0b3c34d2502ecd8d1521f67caba93245966ce2a9e58f4a7f254
SHA512

2eb61a8b3c070400f9529d02be4afd3776af73e982514f0ab45446a25e89d89210fb5fcb1e47f5b6a6771c2647ff52caaaf04f28d5961439b58b520caf9379a1
SSDEEP

98304:JjX+kjb1BjmnOsSIgaa4dDdChUkS39t5lJxHialxRHKAHiunMH3O2T:Jj9jjmOsSIdQqkkaaTHKACDXfT

Score

10^/10

Malware Config

Extracted

Family

nullmixer

C2

http://raitanori.xyz/

Extracted

Family

socelars

C2

http://www.chosenncrowned.com/

Extracted

Family

privateloader

C2

http://212.193.30.45/proxies.txt

http://45.144.225.57/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

2.56.59.42

Targets

- Target
  
  JaffaCakes118_718db5fd7b0ad0b3c34d2502ecd8d1521f67caba93245966ce2a9e58f4a7f254
- Size
  
  6.0MB
- MD5
  
  16c78fbe573738c14c8e5396360b217e
- SHA1
  
  e96d30b8d1dc3cd2c561e8a35f9fab3d5b635e39
- SHA256
  
  718db5fd7b0ad0b3c34d2502ecd8d1521f67caba93245966ce2a9e58f4a7f254
- SHA512
  
  2eb61a8b3c070400f9529d02be4afd3776af73e982514f0ab45446a25e89d89210fb5fcb1e47f5b6a6771c2647ff52caaaf04f28d5961439b58b520caf9379a1
- SSDEEP
  
  98304:JjX+kjb1BjmnOsSIgaa4dDdChUkS39t5lJxHialxRHKAHiunMH3O2T:Jj9jjmOsSIdQqkkaaTHKACDXfT
Score

10^/10

fabookie nullmixer privateloader socelars aspackv2 discovery dropper execution loader spyware stealer
- Detect Fabookie payload
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Fabookie family
  fabookie
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars family
  socelars
- Socelars payload
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops Chrome extension
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
behavioral1 behavioral2
- Target
  
  setup_installer.exe
- Size
  
  5.9MB
- MD5
  
  d97eef05369e22d7157b4b4a58900d4e
- SHA1
  
  08bd87e386b37e827352188a9f72388091206c31
- SHA256
  
  d1686e5a76f86a9af4469cb42f3e43e82c8ca9f3c7a2a8fc5cbcbbf0eaba4719
- SHA512
  
  de803915f9069312dd4c03a2f3f51aaf519fcf4fb047adebf983fb1562cdbd10a02aafa73543ebc9098bcd37d11020e15ac7f62152591a68f2f69cdce63d0604
- SSDEEP
  
  98304:xc1KmeMslsGOjbtSicV9KQUi/ps0F/rYPNSVDO1hdbFepIISBjLXNaJC7JzhBkxg:xc1SMslq/wkQUiV/rYPNSgPdbFsTS5L/
Score

10^/10

fabookie nullmixer privateloader socelars aspackv2 discovery dropper execution loader spyware stealer
- Detect Fabookie payload
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Fabookie family
  fabookie
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars family
  socelars
- Socelars payload
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops Chrome extension
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
behavioral3 behavioral4