Extracted

• • Target

    e91cc94bcf70a4cd3a8f8c7df1bf88fa_JaffaCakes118

  • Size

    1.8MB

  • MD5

    e91cc94bcf70a4cd3a8f8c7df1bf88fa

  • SHA1

    2ac449ecfca9d525b8b65da6c47a5525c0fe48b9

  • SHA256

    014a00ff4eb8eabdd9a7e2e0a0d322cfab2cd2a0f65855e98eef290b217d7c8f

  • SHA512

    964dc41bbd55e571562f2c2d7f8c738efb1b31a9ff69d153d8e1af6c435080da65712641bbe7a69d5effff1a0defa20ebdf81670c7260ce3c5b590c09a4cb0c1

  • SSDEEP

    49152:GLftJlJ+XnNHogttWcDRzOEtZuFno0ezgLMF1MSR4aK7:ItihoEtWsgSY5vHMES6aK7

  Score

  10^/10

  buerdiscoveryevasionloaderpersistence

  • Buer

    Buer is a new modular loader first seen in August 2019.

    loaderbuer

  • Modifies WinLogon for persistence

    persistence

  • Buer Loader

    Detects Buer loader in memory or disk.

    loader

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2