General

  • Target

    JaffaCakes118_1c22f5ae7487a55824b42e98b7eb7e6a

  • Size

    6.3MB

  • Sample

    250704-nnfk4s11ft

  • MD5

    1c22f5ae7487a55824b42e98b7eb7e6a

  • SHA1

    aa477c52ba0b8f4ecc1d831ad86aa7b3153bb6ac

  • SHA256

    aebd263f2c619f822024952554aace5a85b2db620e567d5c6065db62683e3c22

  • SHA512

    36e6f9a1d095f90c91ec9576461b29f19f08097ca04fc3ec0a4ba0ec20fc2154d1a51739de12bbb683c75f32f5b5e2326fc4af8cd89a753efc59727d770704b8

  • SSDEEP

    98304:op//ZDTtPb1XhJK30BFsyLZNQuWw3h7ujenOMgdeZAfBbjDmUpEUA/lL/lku21rm:oZZDTtzFKQFW+h7p7GB/JpEF+B1CXO8

Malware Config

Targets

    • Target

      43069e5aa6eb22a19b4384a4c365f66a795358897b7c6d150cdefb809bb2ba7f

    • Size

      6.4MB

    • MD5

      f8955d98605d27a397492f0cedbb55f3

    • SHA1

      058c7a9ace05fbd7d8105033c675bdfa90a9c379

    • SHA256

      43069e5aa6eb22a19b4384a4c365f66a795358897b7c6d150cdefb809bb2ba7f

    • SHA512

      5664b483d65aabad7b09547a90ed2de8758038d1e048e729e6025604bf795995e521aca4474a4a18d6d6c5d94a34e46f4f3bfc809c18f1ed747592f86b2149d3

    • SSDEEP

      196608:KU6bOAsZT20DipRVsEd59R05ToiGdF13ms4HXh+73KS1v:/AzRxj0t/GdF13m7HXYVv

    • Detect Fabookie payload

    • FFDroider

      Stealer targeting social media platform users first seen in April 2022.

    • Fabookie

      Fabookie is facebook account info stealer.

    • Fabookie family

    • Ffdroider family

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops Chrome extension

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v16

Tasks