nullmixer | 39ec80621b9b8fcefe89e543622c4263b7629a1207107bebd239a50124bb7fc7 | Triage

Submit
Reports

Overview

overview

Static

static

3

fff7c1f775...18.exe

windows7-x64

fff7c1f775...18.exe

windows10-2004-x64

Sharing

General

Target

fff7c1f77588105fc5a76b841983253f_JaffaCakes118
Size

1.9MB
Sample

240421-xtqspshf98
MD5

fff7c1f77588105fc5a76b841983253f
SHA1

c87d3d2cf8d649d9e0cd045f28d6972fc1ab9edb
SHA256

39ec80621b9b8fcefe89e543622c4263b7629a1207107bebd239a50124bb7fc7
SHA512

a23e67eb352dc383e56ad422708ea74165d294925d57b08d24d937d7bf90f6e49d5768d18f3de2cf479b57c6bd710c786e3ea4f6dc0b77851d73aab021dce6c7
SSDEEP

49152:xcBGvy10E+QMWcLctpCOOeWAbaW44EwJ84vLRaBtIl9mTRP+m+OJz:xb4MWcApaeW9FvCvLUBsKRPUkz

Score

10^/10

nullmixer aspackv2 dropper evasion trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

fff7c1f77588105fc5a76b841983253f_JaffaCakes118.exe

Resource

win7-20240221-en

nullmixer aspackv2 dropper evasion trojan

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

fff7c1f77588105fc5a76b841983253f_JaffaCakes118.exe

Resource

win10v2004-20240412-en

nullmixer aspackv2 dropper evasion trojan

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Family

nullmixer

C2

http://wxkeww.xyz/

Targets

- Target
  
  fff7c1f77588105fc5a76b841983253f_JaffaCakes118
- Size
  
  1.9MB
- MD5
  
  fff7c1f77588105fc5a76b841983253f
- SHA1
  
  c87d3d2cf8d649d9e0cd045f28d6972fc1ab9edb
- SHA256
  
  39ec80621b9b8fcefe89e543622c4263b7629a1207107bebd239a50124bb7fc7
- SHA512
  
  a23e67eb352dc383e56ad422708ea74165d294925d57b08d24d937d7bf90f6e49d5768d18f3de2cf479b57c6bd710c786e3ea4f6dc0b77851d73aab021dce6c7
- SSDEEP
  
  49152:xcBGvy10E+QMWcLctpCOOeWAbaW44EwJ84vLRaBtIl9mTRP+m+OJz:xb4MWcApaeW9FvCvLUBsKRPUkz
Score

10^/10

nullmixer aspackv2 dropper evasion trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Suspicious use of NtCreateUserProcessOtherParentProcess
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Privilege Escalation

Create or Modify System Process

Windows Service

Defense Evasion

Modify Registry

Impair Defenses

Disable or Modify Tools

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

nullmixeraspackv2dropperevasiontrojan

behavioral2

nullmixeraspackv2dropperevasiontrojan

© 2018-2024

Terms | Privacy