Overview

overview

10

Static

static

7

7f656c531d...18.exe

windows7-x64

10

7f656c531d...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    32s
  • max time network
    32s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    30-10-2024 13:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7f656c531d64805eaef4d8a53ad4037f_JaffaCakes118.exe

  • Size

    3.0MB

  • MD5

    7f656c531d64805eaef4d8a53ad4037f

  • SHA1

    57323f4cf1c5dfa2470941e96ee3020374b9f350

  • SHA256

    adeba9dd635c95106e2001882dc5741e24e333512e1616f2d99177d963c1fc5e

  • SHA512

    c1054f60f3a33d300246c97a51b2e3ecdc2080abb7d046a626dd28fb8838cf689951fe04b9a675b91bf0cf629b8462df7e8fb4ca0b13fc5db124f5203b547e7e

  • SSDEEP

    49152:1oM8cSFtKza7G9tnAgPFdY3227wWe8ok65D5Q5eGwX1NyCmAgJuB5PmaH:18HdKn9tG3f3rokAFN/mVQLuaH

Score
10/10
mercurialgrabberdiscoveryevasionspywarestealerthemidatrojan

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/873814781646225438/ACkijx2YXuDglNBz31U-f9ZPYPq_HinYgcvF7F6kp1NTV0ndFB3S5vTqYfExt5PTHw12

Signatures

  • Mercurial Grabber Stealer

    Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    stealermercurialgrabber
  • Mercurialgrabber family
    mercurialgrabber
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 3 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 1 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7f656c531d64805eaef4d8a53ad4037f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7f656c531d64805eaef4d8a53ad4037f_JaffaCakes118.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Maps connected drives based on registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2116
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 1312
      2⤵
      • Program crash
      PID:2540

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2116-0-0x0000000000010000-0x0000000000836000-memory.dmp

    Filesize

    8.1MB

    Download

  • memory/2116-1-0x0000000075924000-0x0000000075925000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2116-4-0x0000000075910000-0x0000000075A20000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2116-19-0x0000000075910000-0x0000000075A20000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2116-25-0x0000000075910000-0x0000000075A20000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2116-24-0x0000000075910000-0x0000000075A20000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2116-23-0x0000000075910000-0x0000000075A20000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2116-22-0x0000000075910000-0x0000000075A20000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2116-21-0x0000000075910000-0x0000000075A20000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2116-20-0x0000000075910000-0x0000000075A20000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2116-18-0x0000000075910000-0x0000000075A20000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2116-17-0x0000000075910000-0x0000000075A20000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2116-16-0x0000000075910000-0x0000000075A20000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2116-15-0x0000000075910000-0x0000000075A20000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2116-14-0x0000000075910000-0x0000000075A20000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2116-13-0x0000000075910000-0x0000000075A20000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2116-12-0x0000000075910000-0x0000000075A20000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2116-11-0x0000000075910000-0x0000000075A20000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2116-10-0x0000000075910000-0x0000000075A20000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2116-9-0x0000000075910000-0x0000000075A20000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2116-8-0x0000000075910000-0x0000000075A20000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2116-7-0x0000000075910000-0x0000000075A20000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2116-6-0x0000000075910000-0x0000000075A20000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2116-5-0x0000000075910000-0x0000000075A20000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2116-3-0x0000000075910000-0x0000000075A20000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2116-2-0x0000000075910000-0x0000000075A20000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2116-29-0x0000000000010000-0x0000000000836000-memory.dmp

    Filesize

    8.1MB

    Download

  • memory/2116-30-0x0000000000010000-0x0000000000836000-memory.dmp

    Filesize

    8.1MB

    Download

  • memory/2116-31-0x0000000000010000-0x0000000000836000-memory.dmp

    Filesize

    8.1MB

    Download

  • memory/2116-32-0x0000000075924000-0x0000000075925000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2116-34-0x0000000075910000-0x0000000075A20000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2116-38-0x0000000000010000-0x0000000000836000-memory.dmp

    Filesize

    8.1MB

    Download

  • memory/2116-39-0x0000000075910000-0x0000000075A20000-memory.dmp

    Filesize

    1.1MB

    Download