General

  • Target

    JaffaCakes118_a4faa6b5a2fb9b285f1ab42ea5df2f29579dcafbe0ebfb1a4c01b19f4a809d2d

  • Size

    42KB

  • Sample

    241222-hajsqaxqcr

  • MD5

    4d567d7f3450a554c9f29b2c0f548730

  • SHA1

    d36f7a42207d447e9100a73c9c6c86caa15c4fa6

  • SHA256

    a4faa6b5a2fb9b285f1ab42ea5df2f29579dcafbe0ebfb1a4c01b19f4a809d2d

  • SHA512

    4b40fe2cbbcc6a2b897d4731de06e47afa7c097b82ae2ac77bab449b6f17d0250cf3b55127ada8e74f113c66fb517696ca67ecf26c24d6d1c33c39de3abcd12c

  • SSDEEP

    768:oOdx+GZKKqqI2xnrZDzuZELGZTjuKZKfgm3EhZ/:oOGONqH2xlLLGZTCF7Ev/

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/935649173599047730/Amb2iJjE-BIZXpjqj2qYKxUrx4_FO_A8CaejXf_BIiFAmtpJ8rrDJ2VN7yDAPlHG51fo

Targets

    • Target

      JaffaCakes118_a4faa6b5a2fb9b285f1ab42ea5df2f29579dcafbe0ebfb1a4c01b19f4a809d2d

    • Size

      42KB

    • MD5

      4d567d7f3450a554c9f29b2c0f548730

    • SHA1

      d36f7a42207d447e9100a73c9c6c86caa15c4fa6

    • SHA256

      a4faa6b5a2fb9b285f1ab42ea5df2f29579dcafbe0ebfb1a4c01b19f4a809d2d

    • SHA512

      4b40fe2cbbcc6a2b897d4731de06e47afa7c097b82ae2ac77bab449b6f17d0250cf3b55127ada8e74f113c66fb517696ca67ecf26c24d6d1c33c39de3abcd12c

    • SSDEEP

      768:oOdx+GZKKqqI2xnrZDzuZELGZTjuKZKfgm3EhZ/:oOGONqH2xlLLGZTCF7Ev/

    • Mercurial Grabber Stealer

      Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    • Mercurialgrabber family

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

MITRE ATT&CK Enterprise v15

Tasks