General

  • Target

    jet.zip

  • Size

    112.6MB

  • Sample

    240715-pfj41asdpd

  • MD5

    de779c3b4e36d82762dfc61ce9c9bbf2

  • SHA1

    6fbd58a60b3095ac4be7700006237ca9a3f5772e

  • SHA256

    5188c69bd772ebe6ca8b34e8c08eec90f63ffcf1d6ab20287e074732da21076a

  • SHA512

    71f857ae4bd5565654c1b4bb049e082d0f4a7d0fa8cb2d789581a35b9cc956f6855f295fb65156721e95c20af6291e2a735067647ed46d46e7f9def021546948

  • SSDEEP

    3145728:HtfPhRs9D5Zi+mHm47bSZvkG5MQbZ+mSUvh044h:HtfPnsLZi+mHm4XSZ35MAB044

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendDocument?chat_id=-1002245526003&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0%20kb

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendMessage?chat_id=-1002245526003

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendDocument?chat_id=-1002245526003&caption=%F0%9F%93%B8Screenshot%20take

Targets

    • Target

      jet/crack.dll

    • Size

      2.3MB

    • MD5

      10f5e8139433eb7087c7946c0659cdf2

    • SHA1

      a5ed6ad5115e3d1a9b274d5132ee51d94ccdf568

    • SHA256

      031ba5a69b202f5d7a5dccb8fe7795aa711acdcf9d122e776f08badfd24a510e

    • SHA512

      413638b28320378930c33726246eae113925e7034d05503d4e0277402c600f850f8d96d0c259925d7dcac1abb12353c0935dec7f466013d523bd4075be621d48

    • SSDEEP

      49152:XwFdjXhom+KbllCmGFZYCY+DWefdmjLdGGf:4om+KboYCY+TfdmjLdGGf

    Score
    1/10
    • Target

      jet/jet.exe

    • Size

      34.2MB

    • MD5

      5e06053d551d8d4030796d1f962aba92

    • SHA1

      6cf2351a65be0515dc1392b59902774f476c36e8

    • SHA256

      1ed92d4e3caae52e8b39dbe22d031c4a057355befa038045ebc7383e1da1f9b9

    • SHA512

      9ecc16aa0c0e8ed6d817b701e86a6db320c7167d399349bd97f109dfade95d6ee3f786dd4b2004e0e396a090fb509633aea6bbe46065853a3abf42f3c2782bee

    • SSDEEP

      786432:VuXHiRyc0PacOHzeMKVxzx5cfOHzeMKVxzx5cU5FRA3L:VuXHLc0PacOHzDCd5cfOHzDCd5cUzRO

    Score
    7/10
    • Loads dropped DLL

    • Target

      jet/loader.exe

    • Size

      39.3MB

    • MD5

      cb5900d8c99b9b2b8391c5e07de93048

    • SHA1

      21434e75d38c698a924a28a39498f230ba1e23f2

    • SHA256

      53d60f5a2e65c6aae90eb6e9f872cd381fc152f33e8227bef5fe27d61e09ceb3

    • SHA512

      148be276c6a8b98971c975c27a7b4d27146667b80447198d09777131b2dd5511de51db3ded5b3d04b72a85f12f772792e0590427c3cbceb2b1d9b5420d9d205d

    • SSDEEP

      786432:vp039FS+ab44n6ASQSc6k00CZcKoTMS4n4BgmpHvT6CKrftQKN:vps9Fnab4+6DQSc6JUCSC4hH2CKLtQK

    • Gurcu, WhiteSnake

      Gurcu is a malware stealer written in C#.

    • MilleniumRat

      MilleniumRat is a remote access trojan written in C#.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Contacts a large (1160) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Stops running service(s)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks