Overview

overview

10

Static

static

3

630ab459be...18.exe

windows7-x64

10

630ab459be...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    21-05-2024 10:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    630ab459be2675ab53b9a3e4eeba9110_JaffaCakes118.exe

  • Size

    1.5MB

  • MD5

    630ab459be2675ab53b9a3e4eeba9110

  • SHA1

    77f8b36c24cd0de2dcfe86b96e403bfad9d91112

  • SHA256

    a5a60f5bef193b80117238e77eb20fccf1c72809dbf5af44bc588ab591b41c61

  • SHA512

    33dce0472a05889df913693b80d4002a7dfab036f0201fa38d011cb7d9406146d6f34525023ed24131efa2ad754fad8715eec6359fe47350d1ffb45ca03525ff

  • SSDEEP

    24576:DMy8p4zRy+JVnFog4DMut/u5V43Z1RcMzBPjcqIN/XlMMl/2hsXEjCuokNUxj+w:DMy8WlyoflsMsmjQZ1RcMzBLcqIBu+G2

Score
10/10
buerevasionloaderpersistence

Malware Config

Extracted

Family

buer

C2

http://loaadik01.pro/

http://loaadik02.pro/

Signatures

  • Buer

    Buer is a new modular loader first seen in August 2019.

    loaderbuer
  • Buer Loader 19 IoCs

    Detects Buer loader in memory or disk.

    loader
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\630ab459be2675ab53b9a3e4eeba9110_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\630ab459be2675ab53b9a3e4eeba9110_JaffaCakes118.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2088
    • C:\Users\Admin\AppData\Roaming\UBlockPlugin\plugin.exe
      C:\Users\Admin\AppData\Roaming\UBlockPlugin\plugin.exe "C:\Users\Admin\AppData\Local\Temp\630ab459be2675ab53b9a3e4eeba9110_JaffaCakes118.exe" ensgJJ
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Deletes itself
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1716
      • C:\Windows\SysWOW64\secinit.exe
        C:\Users\Admin\AppData\Roaming\UBlockPlugin\plugin.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1652
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 136
          4⤵
          • Program crash
          PID:1604

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Roaming\UBlockPlugin\plugin.exe
    Filesize

    1.5MB

    MD5

    630ab459be2675ab53b9a3e4eeba9110

    SHA1

    77f8b36c24cd0de2dcfe86b96e403bfad9d91112

    SHA256

    a5a60f5bef193b80117238e77eb20fccf1c72809dbf5af44bc588ab591b41c61

    SHA512

    33dce0472a05889df913693b80d4002a7dfab036f0201fa38d011cb7d9406146d6f34525023ed24131efa2ad754fad8715eec6359fe47350d1ffb45ca03525ff

    Download Submit

  • memory/1652-28-0x00000000001A0000-0x0000000000581000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1652-29-0x00000000001A0000-0x0000000000581000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1652-30-0x00000000001A0000-0x0000000000581000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1652-31-0x00000000001A0000-0x0000000000581000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1652-32-0x00000000001A0000-0x0000000000581000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1652-33-0x00000000001A0000-0x0000000000581000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1652-34-0x00000000001A0000-0x0000000000581000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1652-35-0x0000000000080000-0x0000000000081000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1652-37-0x0000000000080000-0x0000000000081000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1652-41-0x0000000000080000-0x0000000000081000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1716-24-0x000000003F070000-0x000000003F451000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1716-42-0x000000003F070000-0x000000003F451000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1716-46-0x000000003F070000-0x000000003F451000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1716-22-0x000000003F070000-0x000000003F451000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1716-23-0x000000003F071000-0x000000003F075000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1716-45-0x000000003F070000-0x000000003F451000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1716-25-0x000000003F070000-0x000000003F451000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1716-26-0x000000003F070000-0x000000003F451000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1716-44-0x000000003F070000-0x000000003F451000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1716-40-0x000000003F070000-0x000000003F451000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1716-43-0x000000003F070000-0x000000003F451000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2088-8-0x000000003FC20000-0x0000000040001000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2088-7-0x000000003FC20000-0x0000000040001000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2088-5-0x000000003FC20000-0x0000000040001000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2088-6-0x000000003FC20000-0x0000000040001000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2088-4-0x000000003FC20000-0x0000000040001000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2088-3-0x000000003FC20000-0x0000000040001000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2088-2-0x000000003FC21000-0x000000003FC25000-memory.dmp

    Filesize

    16KB

    Download

  • memory/2088-1-0x00000000779C0000-0x00000000779C2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2088-12-0x000000003FC20000-0x0000000040001000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2088-10-0x000000003FC20000-0x0000000040001000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2088-11-0x000000003FC20000-0x0000000040001000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2088-0-0x000000003FC20000-0x0000000040001000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2088-20-0x000000003FC20000-0x0000000040001000-memory.dmp

    Filesize

    3.9MB

    Download