Analysis
-
max time kernel
152s -
max time network
162s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
16-04-2024 15:31
General
-
Target
f3c868afe1a58261340bf251d20211d8_JaffaCakes118.exe
-
Size
55KB
-
MD5
f3c868afe1a58261340bf251d20211d8
-
SHA1
a8e1be0cb00b8e825d0232e3e7c2cbda8e0484f9
-
SHA256
9869ded93a52372e8e5ad3e9378ee6248dd57d9cbd5ec38ac709b5e38b9f7d16
-
SHA512
a06669e4da2870c341e8701d790e80be177b2fc4062a9d2a81863dae3135e73e550a83acc00d1ae889f5795b146d5a4223181e756d9e560f72ee0ec9c19534dc
-
SSDEEP
768:5B3CApzob/YTwTjYFdGf0WBREhdz0PzzAX:fLNa/Y8TUUnEUPzE
Malware Config
Extracted
mercurialgrabber
https://discord.com/api/webhooks/875430018560442368/MavU76NAbE8srbsu3sdD1pvTY4Bu5Owj9FB7cxvFbCZpaeNLeoQyo_OCWVfgBexfZb8W
Signatures
-
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Checks SCSI registry key(s) 3 TTPs 1 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Modifies system certificate store 2 TTPs 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f3c868afe1a58261340bf251d20211d8_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f3c868afe1a58261340bf251d20211d8_JaffaCakes118.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4088 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:81⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
80KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB