Extracted

• • Target

    f5a8b8cfa0fdf5222c2d163c9b98e366_JaffaCakes118

  • Size

    3.0MB

  • MD5

    f5a8b8cfa0fdf5222c2d163c9b98e366

  • SHA1

    292625e126bc1a74819220b803b48e3a08b7855b

  • SHA256

    9be991e72ded580a61a4e57c32ddf7fa62959878414078edda71c1f2178672bf

  • SHA512

    5e3ac3bed022c9d9d648713aa3732796b36b2e5b2e089857132bff20531a239495b6f8bd9162231fcb912ac1e2dd02e3abb7ecd4b613057cd184d3aa12a6099f

  • SSDEEP

    49152:KesB9kvW2qx3FuhzaSCjPQov8OnqIt7jVRgUezC0lXWm5ZKZDfDAu:j/v45bj117RKU25Wm5M

  Score

  10^/10

  mercurialgrabberevasionspywarestealerthemidatrojan

  • Mercurial Grabber Stealer

    Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    stealermercurialgrabber

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Looks for VirtualBox Guest Additions in registry

    evasion

  • Looks for VMWare Tools registry key

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Themida packer

    Detects Themida, an advanced Windows software protection system.

    themida

  • Checks whether UAC is enabled

    evasiontrojan

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2