General

  • Target

    JaffaCakes118_dd2eaf56b19754263073fbf64bc00e236de3053c303ffc63bf0e7821b6ac6d64

  • Size

    928KB

  • Sample

    241223-3fp7xavngl

  • MD5

    8b10a12dc86ecb89f5aeb097db5eca30

  • SHA1

    0c82a65ce6338c4c6446f67551866c12e5381912

  • SHA256

    dd2eaf56b19754263073fbf64bc00e236de3053c303ffc63bf0e7821b6ac6d64

  • SHA512

    a92f91ac66cbb32177e145efb383c2272bc6f3a5fe058df00c0228189487a883922b63dfe033ca821fb56e453c5e5190e7a535e60178a90f327a870e12caf428

  • SSDEEP

    24576:E3/7KI6g3dllZddRYzeKpdXui8kNesbJVQb:0GI3FZjRqeKMs7Qb

Malware Config

Extracted

  • Family

    bumblebee

  • Botnet

    276l

  • C2

    172.93.193.124:443

    45.153.241.64:443

    45.153.241.19:443

  • rc4.plain

Targets

    • Target

      documents request.lnk

    • Size

      1KB

    • MD5

      c792b04c766ab57b49f5cfe33552a0ba

    • SHA1

      badce1297ba8768de589ebae02c955fc99dd3fbe

    • SHA256

      ccbd285306a104b9c4318202bc4afa15af5d285215922877086be4f928494112

    • SHA512

      f9351239f546174314f2ddb2e311a9b8053ca2ab2d59d11541822f2df453ccd8faa477564ef19a5815b72c90f738fdabfc6c03592e9c9f81f18c254e79ff2747

    • BumbleBee

      BumbleBee is loader malware written in C++.

    • Bumblebee family

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Target

      stats.dll

    • Size

      1.4MB

    • MD5

      c978236aacb56975104135b96301fd79

    • SHA1

      bc9e252dbbbb25a7d3895abf7873ad14ee36c268

    • SHA256

      b8e8284f3e999db3333a0a8e79132cce4462ccc3c5875b1be7f5e9a2d8e44966

    • SHA512

      b6f3a476361b2fe7f262486a0b9167555ec77e5915def548c4b4b01bc93cb0e853b1f64f7177998f4216476e8e5e0cc7151f017252a9f0caef1da3c2baa3871c

    • SSDEEP

      24576:OsgeDrXBXQS1d7ns+pHB7e0L3/SQUOyxv0dzf9044vunpt:OsgeF7ZsaJR3/SQUO+0dLcv

    • BumbleBee

      BumbleBee is loader malware written in C++.

    • Bumblebee family

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

MITRE ATT&CK Enterprise v15

Tasks