General
- Target: JaffaCakes118_0e1d23369c842fb368468c4d32df33f7
- Size: 4.1MB
- Sample: 250106-ex8htaykbk
- MD5: 0e1d23369c842fb368468c4d32df33f7
- SHA1: 21e0e7dd47de784af456c48cc934ede79d1bd413
- SHA256: 270d677899297650ac952ba106005945be06f92732812aff6cb8804916fa72c8
- SHA512: af1c1eb035877f375576b64c2ae82c0cafeef84601271feba0d626d361a5601fdf5ed85f669ef463f8b0730775a8369b3e05f49f491c724c0b6bf249db24ffd6
- SSDEEP: 98304:JpE3u0sGUUMUrKXgO37yMbY2xbHTLzx7EwiD3eYNiGW1KzNjLs5VHmkqwzP:JS3u3Ue37yMVbzLzZ5iDKl1KzNzkPzP
Static task
- static1
Behavioral task
- behavioral1: Sample JaffaCakes118_0e1d23369c842fb368468c4d32df33f7.exe, Resource win7-20240903-en
- behavioral2: Sample JaffaCakes118_0e1d23369c842fb368468c4d32df33f7.exe, Resource win10v2004-20241007-en
Malware Config
Extracted: nullmixer
- http://wensela.xyz/
Extracted: socelars
- http://www.iyiqian.com/
- http://www.hbgents.top/
- http://www.rsnzhy.com/
- http://www.efxety.top/
Extracted: privateloader
- http://45.133.1.107/server.txt
- pastebin.com/raw/A7dSG1te
- http://wfsdragon.ru/api/setStats.php
- 51.178.186.149
Extracted: redline
- sehrish
- 135.181.129.119:4805
- auth_value: b69102cdbd4afe2d3159f88fb6dac731
Extracted: redline
- Chris
- 194.104.136.5:46013
- auth_value: 9491a1c5e11eb6097e68a4fa8627fda8
Extracted: redline
- media21
- 91.121.67.60:2151
- auth_value: e37d5065561884bb54c8ed1baa6de446
Extracted: gcleaner
- gcl-gb.biz
- 45.9.20.13
Targets

Target: JaffaCakes118_0e1d23369c842fb368468c4d32df33f7
- Size: 4.1MB
Signatures
- Detect Fabookie payload
- Fabookie family
- Gcleaner family
- Nullmixer family
- Onlylogger family
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
- Privateloader family
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Redline family
- SectopRAT payload
- Sectoprat family
- Socelars family
- Socelars payload
- OnlyLogger payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Executes dropped EXE
- Loads dropped DLL
- Blocklisted process makes network request
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate the software installed on the system.
- Drops Chrome extension
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP address.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation.
- Suspicious use of SetThreadContext

Target: setup_installer.exe
- Size: 4.1MB
- MD5: b0fd10ea697a84d539bea9739ac866f0
- SHA1: 01f6a31a417a6dcaf34546549b44a6ad49995560
- SHA256: e6b84ffaaeb4807ccac7c778f87d0b3545841e076063c8f594141430f791f0bc
- SHA512: 1daa7425391447b11eec5522ff7321f10b7afb6d19bc09825b91f4d5ce940df295a5d70a635a0d29936eaedf1639fb91ae31fdcc9ea65fa517db4096101f3e20
- SSDEEP: 98304:xyCvLUBsgdBBgeyJp5NGsI13mGcvKcj7nDiSz6J5BegQ3U2ij:xDLUCgdBiey1wsINCvKcjaSmJrp2+
Signatures
- Detect Fabookie payload
- Fabookie family
- Gcleaner family
- Nullmixer family
- Onlylogger family
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
- Privateloader family
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Redline family
- SectopRAT payload
- Sectoprat family
- Socelars family
- Socelars payload
- OnlyLogger payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Executes dropped EXE
- Loads dropped DLL
- Blocklisted process makes network request
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate the software installed on the system.
- Drops Chrome extension
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP address.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation.
- Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
- Credentials from Web Browsers (1)
- Unsecured Credentials (1)
- Credentials In Files (1)