bumblebee

General

Target

JaffaCakes118_854b4397960a159cc403fc5c774b6212d5ad01fefd88cea653762b9669b06d83
Size

906KB
Sample

241222-nkfrpswqer
MD5

679baa8408331d59539565d779c24ef2
SHA1

3c9d589fbd6415e5531604689c870662d12a1ed1
SHA256

854b4397960a159cc403fc5c774b6212d5ad01fefd88cea653762b9669b06d83
SHA512

8e78387151841ac3c8ac062e2ff5c569ccbffac2e9cb7f0dedd619c7b4c58c2edb28466c43201cd8d476b9a0947b21cd64a130c3708b9d03bac584d173099749
SSDEEP

12288:/JLheHnz9VZdYXBLvQLeoIxWkYy+EG1ZK5Vo181Ni1z6MVJWgLZ4sd0gXHG4T8:xLwHz0BLv+RtEB5VOqFMagLZD5s

Score

10^/10

Malware Config

Extracted

Family

bumblebee

Botnet

276a

C2

146.70.106.52:443

65.72.191.77:443

103.175.16.116:443

185.62.58.175:443

209.141.58.141:443

154.56.0.112:443

rc4.plain

Targets

- Target
  
  bb.dll
- Size
  
  2.0MB
- MD5
  
  5dc6a6789108ac4e667ce24142da1d35
- SHA1
  
  660db375094ffef61406b9867528a96861b323e0
- SHA256
  
  487dfd12574da32277b18f9ccf3f4143bf676e3560cec909d44db957b1b37670
- SHA512
  
  b50af80effc8724690c63ce97798792129994e6fba95d7528ebb43aeaa4996938e4cf781135b0340c6b970f36eb3e53c186abf442494bf5b02478a39fe3125a7
- SSDEEP
  
  49152:7WUC0sDBCKCyRf0C3yXGrlz7WHdUcZOiND:7W0sDBCKCyRf0C3y+cZv
Score

10^/10

bumblebee 276a evasion loader
- BumbleBee
  BumbleBee is a loader malware written in C++.
  loader bumblebee
- Bumblebee family
  bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
behavioral1 behavioral2
- Target
  
  run.bat
- Size
  
  58B
- MD5
  
  3584bb940c89b0df35c1fb9842b8cad9
- SHA1
  
  7726cc4e77d963cde5817f5df7538097ed0ab594
- SHA256
  
  a401c25778891fde443279c89813ccd714bee0b4c2ce283a19af3d11d73aeb3b
- SHA512
  
  97c6426afb10124c6f1812e157017171879d9806d73552d98e248f6376a5af3e17cce9aefe720f89fd4fdf44078ca6755921c4c1c2448b6ac6e2131c519f0597
Score

10^/10

bumblebee 276a evasion loader
- BumbleBee
  BumbleBee is a loader malware written in C++.
  loader bumblebee
- Bumblebee family
  bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Blocklisted process makes network request
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

4

T1497

Credential Access

Discovery

Query Registry

5

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

4

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Bumblebee family

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

Checks BIOS information in registry

Identifies Wine through registry keys

BumbleBee

Bumblebee family

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

Blocklisted process makes network request

Checks BIOS information in registry

Identifies Wine through registry keys

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4