buer | 4ffe3bdfc6fe67298681315b83cef2513ad95b9b3e3162b9a5e3a27c44f26fe1 | Triage

Submit
Reports

Overview

overview

Static

static

3

a1c86dc81d...18.exe

windows7-x64

a1c86dc81d...18.exe

windows10-2004-x64

Sharing

General

Target

a1c86dc81df8c629410fa9970423016e_JaffaCakes118
Size

2.0MB
Sample

240612-xabjnsvgrd
MD5

a1c86dc81df8c629410fa9970423016e
SHA1

96bd00b2a79f00112e5f911019f140c95db19334
SHA256

4ffe3bdfc6fe67298681315b83cef2513ad95b9b3e3162b9a5e3a27c44f26fe1
SHA512

250b3b28e3e0dd15bdf1bc6443d1a6570d8ff917800b9e4d99b6c0f2d76361a7c4ec0a1b92ba19f9fa0f01399783d587445ae4e95e22c5f1d7aab0413ffabd3f
SSDEEP

24576:f/y+xFOvI0vRcEg3QkQko24/NRwGi6oUrrke2RfhtTb8NO64tVaU/HpKINiC4tEr:C+xKFRM2Juf2OX6OftVaU/JNiNtE

Score

10^/10

buer evasion loader persistence

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

a1c86dc81df8c629410fa9970423016e_JaffaCakes118.exe

Resource

win7-20240508-en

buer evasion loader persistence

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

a1c86dc81df8c629410fa9970423016e_JaffaCakes118.exe

Resource

win10v2004-20240508-en

buer evasion loader persistence

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

buer

C2

http://bbload01.top/

http://bbload02.top/

Targets

- Target
  
  a1c86dc81df8c629410fa9970423016e_JaffaCakes118
- Size
  
  2.0MB
- MD5
  
  a1c86dc81df8c629410fa9970423016e
- SHA1
  
  96bd00b2a79f00112e5f911019f140c95db19334
- SHA256
  
  4ffe3bdfc6fe67298681315b83cef2513ad95b9b3e3162b9a5e3a27c44f26fe1
- SHA512
  
  250b3b28e3e0dd15bdf1bc6443d1a6570d8ff917800b9e4d99b6c0f2d76361a7c4ec0a1b92ba19f9fa0f01399783d587445ae4e95e22c5f1d7aab0413ffabd3f
- SSDEEP
  
  24576:f/y+xFOvI0vRcEg3QkQko24/NRwGi6oUrrke2RfhtTb8NO64tVaU/HpKINiC4tEr:C+xKFRM2Juf2OX6OftVaU/JNiNtE
Score

10^/10

buer evasion loader persistence
- Buer
  Buer is a new modular loader first seen in August 2019.
  loader buer
- Modifies WinLogon for persistence
  persistence
- Buer Loader
  Detects Buer loader in memory or disk.
  loader
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Winlogon Helper DLL

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

buerevasionloaderpersistence

behavioral2

buerevasionloaderpersistence

© 2018-2024

Terms | Privacy