Overview

overview

10

Static

static

10

d41eebef8d...18.exe

windows7-x64

10

d41eebef8d...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-12-2024 23:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d41eebef8dcc0c21529bedf93c6b1287_JaffaCakes118.exe

  • Size

    3.2MB

  • MD5

    d41eebef8dcc0c21529bedf93c6b1287

  • SHA1

    dd314781d2656e47643d28861428ac3af2a0bf03

  • SHA256

    6a5828ebe60437b32192ea3a81ea04e90f24dc9b352b1680781cc22c742ff946

  • SHA512

    a0c022800cc24407c5700f0e5660491a1d6a7f0524e7db78bcadb3a1d8b8eeebd5074a75dc2fbc20df2068c4ccd7565dc18379bf6383c8204e6240c5bc112466

  • SSDEEP

    49152:anrhr/vAcWKv6X3o0GQN0s/g/ybPUt81yyxYHm9m9h2nrhr/vAcWKv6X3o0GQN0G:an/WG6H/THYHmucn/WG6H/x

Score
10/10
mercurialgrabberdiscoveryevasionexecutionpersistencespywarestealer

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/886481040066084886/GavBAVIAnFkUCCzUAQgvH3xsZO-NLNK2GcXhcJBrSYy-k1gyyyCyjZ6VzxoNFb_9RIZb

Signatures

  • Mercurial Grabber Stealer

    Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    stealermercurialgrabber
  • Mercurialgrabber family
    mercurialgrabber
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 1 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d41eebef8dcc0c21529bedf93c6b1287_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d41eebef8dcc0c21529bedf93c6b1287_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4716
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\d41eebef8dcc0c21529bedf93c6b1287_JaffaCakes118.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3944
    • C:\Users\Admin\AppData\Local\Temp\7Cxg2LaldC.exe
      "C:\Users\Admin\AppData\Local\Temp\7Cxg2LaldC.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4124
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7Cxg2LaldC.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5048
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 1972
        3⤵
        • Program crash
        PID:5104
    • C:\Users\Admin\AppData\Local\Temp\9GgLVXv6Dw.exe
      "C:\Users\Admin\AppData\Local\Temp\9GgLVXv6Dw.exe"
      2⤵
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Maps connected drives based on registry
      • Checks SCSI registry key(s)
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:3092
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 2152
      2⤵
      • Program crash
      PID:1108
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4648
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4716 -ip 4716
    1⤵
      PID:2500
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4124 -ip 4124
      1⤵
        PID:4888

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      PowerShell

      1
      T1059.001

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Defense Evasion

      Modify Registry

      1
      T1112

      Virtualization/Sandbox Evasion

      2
      T1497

      Credential Access

      Credentials from Password Stores

      1
      T1555

      Credentials from Web Browsers

      1
      T1555.003

      Unsecured Credentials

      1
      T1552

      Credentials In Files

      1
      T1552.001

      Discovery

      Peripheral Device Discovery

      2
      T1120

      Query Registry

      8
      T1012

      System Information Discovery

      7
      T1082

      System Location Discovery

      1
      T1614

      System Language Discovery

      1
      T1614.001

      Virtualization/Sandbox Evasion

      2
      T1497

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Command and Control

      Web Service

      1
      T1102

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        968cb9309758126772781b83adb8a28f

        SHA1

        8da30e71accf186b2ba11da1797cf67f8f78b47c

        SHA256

        92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

        SHA512

        4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        18KB

        MD5

        e266e147d35134e64a07bf80f316b85c

        SHA1

        0b34529fce30e42dc4a4b5d8a8df7e195a122664

        SHA256

        92e4595741283b6bdf988e0ff07ba6b1a74dde7cb33b82cdd9aea073d23f552d

        SHA512

        46989a0cdd588b747b14c70aefc07d375e5910fe601bb4bcd51d3e57915066949102cf31aa950e72ab51e6b8f189e3de2bcf087af0d4959a0d2926454975a283

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7Cxg2LaldC.exe
        Filesize

        1.4MB

        MD5

        0998ebd47787a9e139a4eb9378f7801f

        SHA1

        4896fbb126c9cf03b9454030188f644416e7068e

        SHA256

        934d176a2b4df76195cffd2c4993208cc1a222e599b9c9172c01bfb97a668397

        SHA512

        7c824bd53611b76caaf458bbed1c419da0bd61f56290f7622e60469e5976aa6342beaa3b8ef95b4a1df0477c1a2d0a85a1fc8166fa6419daee8af107f3372352

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\9GgLVXv6Dw.exe
        Filesize

        41KB

        MD5

        3eef3b30e3f25541c7ccfcf1dcee03b3

        SHA1

        aa01479ba8072c0f63f7f8f27a81f01281276ab9

        SHA256

        7616a7fa35d002ac2938172487f567953895a72e2a4b1e9bf6b8cc8ae91ea69b

        SHA512

        c21045b5c0c14f0841c5d4390820f5c27a223e4ca483782e8d9ddb5a277997b5a2c27ac261d5bfcc5471636c432900e54b54eaa6455891426505691286f23465

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pgklzz3b.ibp.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • memory/3092-104-0x000000001C380000-0x000000001C4EA000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/3092-50-0x00000000008E0000-0x00000000008F0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3944-12-0x00000000748C0000-0x0000000075070000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3944-64-0x000000006F8E0000-0x000000006F92C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/3944-11-0x0000000004910000-0x0000000004946000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3944-97-0x00000000748C0000-0x0000000075070000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3944-94-0x0000000007510000-0x0000000007518000-memory.dmp

        Filesize

        32KB

        Download

      • memory/3944-93-0x0000000007530000-0x000000000754A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/3944-26-0x0000000005010000-0x0000000005638000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/3944-92-0x0000000007430000-0x0000000007444000-memory.dmp

        Filesize

        80KB

        Download

      • memory/3944-38-0x0000000005890000-0x00000000058F6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/3944-37-0x00000000056B0000-0x0000000005716000-memory.dmp

        Filesize

        408KB

        Download

      • memory/3944-91-0x0000000007420000-0x000000000742E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/3944-44-0x0000000005900000-0x0000000005C54000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/3944-36-0x0000000004F00000-0x0000000004F22000-memory.dmp

        Filesize

        136KB

        Download

      • memory/3944-90-0x00000000073F0000-0x0000000007401000-memory.dmp

        Filesize

        68KB

        Download

      • memory/3944-52-0x0000000006260000-0x00000000062AC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/3944-51-0x0000000005ED0000-0x0000000005EEE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/3944-79-0x0000000007470000-0x0000000007506000-memory.dmp

        Filesize

        600KB

        Download

      • memory/3944-10-0x00000000748C0000-0x0000000075070000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3944-63-0x0000000006E80000-0x0000000006EB2000-memory.dmp

        Filesize

        200KB

        Download

      • memory/3944-75-0x00000000070C0000-0x0000000007163000-memory.dmp

        Filesize

        652KB

        Download

      • memory/3944-74-0x0000000006480000-0x000000000649E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/3944-76-0x0000000007840000-0x0000000007EBA000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/3944-77-0x00000000071F0000-0x000000000720A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/3944-78-0x0000000007270000-0x000000000727A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4124-24-0x0000000000010000-0x00000000002B2000-memory.dmp

        Filesize

        2.6MB

        Download

      • memory/4716-62-0x00000000748C0000-0x0000000075070000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4716-4-0x0000000009B30000-0x0000000009BAC000-memory.dmp

        Filesize

        496KB

        Download

      • memory/4716-5-0x00000000748C0000-0x0000000075070000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4716-6-0x0000000005830000-0x0000000005DD4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4716-7-0x00000000748C0000-0x0000000075070000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4716-0-0x00000000748CE000-0x00000000748CF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4716-3-0x00000000748C0000-0x0000000075070000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4716-2-0x00000000748C0000-0x0000000075070000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4716-1-0x00000000006E0000-0x0000000000982000-memory.dmp

        Filesize

        2.6MB

        Download

      • memory/5048-80-0x000000006F8E0000-0x000000006F92C000-memory.dmp

        Filesize

        304KB

        Download