Analysis
-
max time kernel
133s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
30-10-2024 13:38
General
-
Target
7f656c531d64805eaef4d8a53ad4037f_JaffaCakes118.exe
-
Size
3.0MB
-
MD5
7f656c531d64805eaef4d8a53ad4037f
-
SHA1
57323f4cf1c5dfa2470941e96ee3020374b9f350
-
SHA256
adeba9dd635c95106e2001882dc5741e24e333512e1616f2d99177d963c1fc5e
-
SHA512
c1054f60f3a33d300246c97a51b2e3ecdc2080abb7d046a626dd28fb8838cf689951fe04b9a675b91bf0cf629b8462df7e8fb4ca0b13fc5db124f5203b547e7e
-
SSDEEP
49152:1oM8cSFtKza7G9tnAgPFdY3227wWe8ok65D5Q5eGwX1NyCmAgJuB5PmaH:18HdKn9tG3f3rokAFN/mVQLuaH
Malware Config
Extracted
mercurialgrabber
https://discord.com/api/webhooks/873814781646225438/ACkijx2YXuDglNBz31U-f9ZPYPq_HinYgcvF7F6kp1NTV0ndFB3S5vTqYfExt5PTHw12
Signatures
-
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
-
Mercurialgrabber family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 3 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 1 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7f656c531d64805eaef4d8a53ad4037f_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\7f656c531d64805eaef4d8a53ad4037f_JaffaCakes118.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 21162⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 3820 -ip 38201⤵
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8.1MB
-
Filesize
4KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
960KB
-
Filesize
4KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
408KB
-
Filesize
8.1MB
-
Filesize
960KB