General

  • Target

    JaffaCakes118_086b85d86b1f8d8ce1140c1df1e9e0168c86d39caf4b9c83a68169248d1bdaf2

  • Size

    693KB

  • Sample

    241226-yd535awpf1

  • MD5

    b5685696a3d46cb8e9257165ec50803c

  • SHA1

    a8bcbba52695ef94df2895de43970b508c2d6e64

  • SHA256

    086b85d86b1f8d8ce1140c1df1e9e0168c86d39caf4b9c83a68169248d1bdaf2

  • SHA512

    4e10ba19cca47013c1be5420971db0e63a8e8202642d3803c7a9711453a6b56f906856d05a749125a2203bd2b0a28f45a3d87b6b443928f245a354f45ba7ba39

  • SSDEEP

    12288:gAtefwaqgab0YjX9e6h2mhpL47A+L+9g8R8s+bDFqEkvQwgh22ny0GxBsT:gAtuncCX0dg2gHs+bI7yy0B

Malware Config

Extracted

Family

bumblebee

Botnet

0905r

C2

23.227.203.120:443

51.83.253.244:443

23.227.198.195:443

146.70.106.92:443

rc4.plain

Targets

    • Target

      documents.lnk

    • Size

      1KB

    • MD5

      4f300f88560cda15d8b3987d6cb2c16b

    • SHA1

      3696719d0d36303679453c0b37efabaaea52d1d9

    • SHA256

      f0f027a7a2ec074b492dd2bbdfb35bc9283bc123a6b5d98c7628340eeb6b26d6

    • SHA512

      037da28a415916d9a3a6f995a17abd87d4f731a3cc6f775d657582824be7be4590576a00738c16833579390b0be883264a8b1ab6e34151bde39c7fb493f36ac2

    • BumbleBee

      BumbleBee is loader malware written in C++.

    • Bumblebee family

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Blocklisted process makes network request

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Target

      oblot.dll

    • Size

      1.3MB

    • MD5

      9ef13647102e4284c30a7e3d3e2227c0

    • SHA1

      36709e87fa7a99589253b45d842470315a67e2ca

    • SHA256

      2457a1b0008c7059b5d58fffadad4e71f8332e9c09ac55f34b0a078363c29c87

    • SHA512

      5ee2bd350f51a99bf7e467f9a868be58abcf177d831af7b24dcb8698182fadc60548363f8b7f16188b187800688eef1428c12c4b8a5fe325345b41360e981690

    • SSDEEP

      24576:waBf87gheqqqguvaURKZX7FvqJ3eWrcQmS0FMnRWN3FctRdTaEg7v7mIPb9XJzb:gYaeO

    • BumbleBee

      BumbleBee is loader malware written in C++.

    • Bumblebee family

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Blocklisted process makes network request

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

MITRE ATT&CK Enterprise v15

Tasks