General

  • Target

    6eea66a6e9875547c9f9215428141902_JaffaCakes118

  • Size

    1.8MB

  • Sample

    241023-pmxcxa1hpn

  • MD5

    6eea66a6e9875547c9f9215428141902

  • SHA1

    d5b36df76d684df1693c359061d1de086fbe64e0

  • SHA256

    4b2ed73de06d0ca3fc62179593223adf95f7118c542d1c5a8761f0629ef0cad7

  • SHA512

    fe406ab7568715f2d07d798bbf6158615a9a7b2de299f9a816f168dea0560dc67ff769fd7dc60f5f6354adbe544a85b97f63d389df33641d9b5cb1bc0f46cf69

  • SSDEEP

    49152:4vyv0jQUJhNzP5QeQybVoXpRtbv9IjPkCh9/:4g0jQ754QtBIgS

Malware Config

Extracted

Family

buer

C2

http://lodddd01.info/

http://lodddd02.info/

Targets

    • Target

      6eea66a6e9875547c9f9215428141902_JaffaCakes118

    • Size

      1.8MB

    • MD5

      6eea66a6e9875547c9f9215428141902

    • SHA1

      d5b36df76d684df1693c359061d1de086fbe64e0

    • SHA256

      4b2ed73de06d0ca3fc62179593223adf95f7118c542d1c5a8761f0629ef0cad7

    • SHA512

      fe406ab7568715f2d07d798bbf6158615a9a7b2de299f9a816f168dea0560dc67ff769fd7dc60f5f6354adbe544a85b97f63d389df33641d9b5cb1bc0f46cf69

    • SSDEEP

      49152:4vyv0jQUJhNzP5QeQybVoXpRtbv9IjPkCh9/:4g0jQ754QtBIgS

    • Buer

      Buer is a modular loader first seen in August 2019.

    • Modifies WinLogon for persistence

    • Buer Loader

      Detects Buer loader in memory or disk.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Suspicious use of NtSetInformationThreadHideFromDebugger
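
The signatures above are the report's own names for behaviours the sandbox observed. The following is an added example (not part of the report or of the sandbox that produced it) showing how a minimal matcher for those same behaviours can be written in Python over a per-process API trace. The trace format (pid,api,argument), every trace line, and the API names used to represent each action are constructed assumptions; the registry paths are the standard Windows locations the signatures refer to, and the two C2 hosts are taken from the extracted config above.

```python
"""Toy behavioural-signature matcher over a constructed API trace.

Added example, not part of the sandbox report. The trace format
(pid,api,argument) and every trace line below are constructed; the
registry paths are the standard locations the report's signatures
refer to, and C2_HOSTS comes from the report's extracted config.
"""
import re
from collections import defaultdict

# Hosts from the report's extracted Buer config.
C2_HOSTS = {"lodddd01.info", "lodddd02.info"}

REG_READ = {"RegOpenKeyExW", "RegOpenKeyExA", "RegQueryValueExW", "RegQueryValueExA"}
REG_WRITE = {"RegSetValueExW", "RegSetValueExA"}

# Stateless rules: (signature name, APIs that trigger it, regex on the argument).
RULES = [
    ("Modifies WinLogon for persistence", REG_WRITE,
     re.compile(r"\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit)$", re.I)),
    ("Identifies VirtualBox via ACPI registry values (likely anti-VM)", REG_READ,
     re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I)),
    ("Checks BIOS information in registry", REG_READ,
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(BIOS\\|SystemBiosVersion|VideoBiosVersion)", re.I)),
    ("Identifies Wine through registry keys", REG_READ,
     re.compile(r"^HKEY_(LOCAL_MACHINE|CURRENT_USER)\\Software\\Wine(\\|$)", re.I)),
    ("Suspicious use of NtSetInformationThreadHideFromDebugger", {"NtSetInformationThread"},
     re.compile(r"^ThreadHideFromDebugger$")),
    ("Contacts C2 host from extracted config", {"InternetConnectW", "WinHttpConnect"},
     re.compile(r"^(" + "|".join(map(re.escape, sorted(C2_HOSTS))) + r")$", re.I)),
]


def parse_trace(text):
    """Yield (pid, api, argument) from 'pid,api,argument' lines; skip blanks and '#' comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pid, api, arg = line.split(",", 2)
        yield int(pid), api, arg


def match_signatures(text):
    """Return the set of signature names the trace triggers."""
    hits = set()
    image = {}                   # pid -> its own executable path (lower-cased)
    dropped = defaultdict(set)   # pid -> paths it wrote (lower-cased)
    for pid, api, arg in parse_trace(text):
        for name, apis, pattern in RULES:
            if api in apis and pattern.search(arg):
                hits.add(name)
        key = arg.lower()
        # Stateful rules: a file must be written by the process before
        # executing or loading it counts as "dropped"; deletion must hit
        # the process's own image. Hypothetical 'ProcessStart' records the
        # image path. Self-deletion via a spawned cmd.exe is not modelled.
        if api == "ProcessStart":
            image[pid] = key
        elif api == "WriteFile":
            dropped[pid].add(key)
        elif api == "CreateProcessW" and key in dropped[pid]:
            hits.add("Executes dropped EXE")
        elif api == "LoadLibraryW" and key in dropped[pid]:
            hits.add("Loads dropped DLL")
        elif api == "DeleteFileW" and key == image.get(pid):
            hits.add("Deletes itself")
    return hits


# Constructed trace, not real sandbox output.
SAMPLE_TRACE = """\
1234,ProcessStart,C:\\Users\\user\\Desktop\\sample.exe
1234,RegOpenKeyExW,HKEY_LOCAL_MACHINE\\HARDWARE\\ACPI\\DSDT\\VBOX__
1234,RegQueryValueExW,HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemManufacturer
1234,RegOpenKeyExW,HKEY_CURRENT_USER\\Software\\Wine
1234,NtSetInformationThread,ThreadHideFromDebugger
1234,WriteFile,C:\\Users\\user\\AppData\\Roaming\\svc\\svc.exe
1234,WriteFile,C:\\Users\\user\\AppData\\Roaming\\svc\\helper.dll
1234,LoadLibraryW,C:\\Users\\user\\AppData\\Roaming\\svc\\helper.dll
1234,RegSetValueExW,HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell
1234,CreateProcessW,C:\\Users\\user\\AppData\\Roaming\\svc\\svc.exe
1234,InternetConnectW,lodddd01.info
1234,DeleteFileW,C:\\Users\\user\\Desktop\\sample.exe
"""

if __name__ == "__main__":
    for sig in sorted(match_signatures(SAMPLE_TRACE)):
        print(sig)
```

Note that the registry reads behind the anti-VM signatures are only visible in an API-level trace such as a sandbox produces; a Sysmon-style event log records registry key creation and value writes (the Winlogon change) but not reads, so on a production host those checks need a different telemetry source.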

MITRE ATT&CK Enterprise v15

Tasks