General

  • Target

    JaffaCakes118_04c54208f1b25e8acfdaa7254de39187

  • Size

    3.2MB

  • Sample

    250106-a6y9aasram

  • MD5

    04c54208f1b25e8acfdaa7254de39187

  • SHA1

    76c80e3222e5f5850d376f165a93dc245ca239a4

  • SHA256

    c03c8a4852301c1c54ed27ef130d0de4cdfb98584adef3dda2a096177016a18b

  • SHA512

    fc6a8bca12c70bffe20502c5ba94fa668c30e77cbb618cadc59028cf0799b4eb3a64eb83a1da6e20bf824d0208ddad1b8d709f526cba2bf2cd8887ea1e159f95

  • SSDEEP

    98304:JMzyukhOLpEScAlkOJvgjVxpb5O4tos84jv:JMNkhK4E5JuZtoWb

Malware Config

Extracted

Family

nullmixer

C2

http://razino.xyz/

Extracted

Family

redline

Botnet

Cana

C2

176.111.174.254:56328

Extracted

Family

redline

Botnet

ServAni

C2

87.251.71.195:82

Extracted

Family

vidar

Version

39.4

Botnet

706

C2

https://sergeevih43.tumblr.com/

Attributes

  • profile_id

    706

Targets

    • Target

      JaffaCakes118_04c54208f1b25e8acfdaa7254de39187

    • Size

      3.2MB

    • MD5

      04c54208f1b25e8acfdaa7254de39187

    • SHA1

      76c80e3222e5f5850d376f165a93dc245ca239a4

    • SHA256

      c03c8a4852301c1c54ed27ef130d0de4cdfb98584adef3dda2a096177016a18b

    • SHA512

      fc6a8bca12c70bffe20502c5ba94fa668c30e77cbb618cadc59028cf0799b4eb3a64eb83a1da6e20bf824d0208ddad1b8d709f526cba2bf2cd8887ea1e159f95

    • SSDEEP

      98304:JMzyukhOLpEScAlkOJvgjVxpb5O4tos84jv:JMNkhK4E5JuZtoWb

    • Detect Fabookie payload

    • Fabookie

      Fabookie is a Facebook account info stealer.

    • Fabookie family

    • Modifies Windows Defender Real-time Protection settings

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    • Nullmixer family

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • Privateloader family

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Sectoprat family

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar family

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      setup_installer.exe

    • Size

      3.2MB

    • MD5

      5aee7b8a81c1ea74848afdbe1d7837f4

    • SHA1

      10e65e26517b1e5d904c56068a83e31467a3c775

    • SHA256

      788d15ae0432e91a5c45c1b6972c3ae53963cc892e1805f801fe76bee1d5af48

    • SHA512

      bcc8482d58bef8b4c210728efd01280a0d0fd7b49a6d170dbafdbecbb44791349f3aa06edd510c8a1394ac1acfd7f9de163a06fef228daa98d2dab19e3e967bb

    • SSDEEP

      98304:xX18QO+SegIIwlKSZ9umNyoCvLUBsKf27a:xl8QONHIR5Z9ry1LUCKfb

    • Detect Fabookie payload

    • Fabookie

      Fabookie is a Facebook account info stealer.

    • Fabookie family

    • Modifies Windows Defender Real-time Protection settings

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    • Nullmixer family

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Sectoprat family

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar family

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15
