bumblebee

General

Target

JaffaCakes118_16b4b629f74149b8205efbaae92615f95e571de4865c5b1711622c89fb32e4ab
Size

1.8MB
Sample

241226-yh9bcaxlaj
MD5

ddab06691c87a685ef9ffc39824aa0bb
SHA1

cfc67c55a52e6047dbc79ab87ff92b064e1b211f
SHA256

16b4b629f74149b8205efbaae92615f95e571de4865c5b1711622c89fb32e4ab
SHA512

8b2d9d0941f271e002e4304b74e1b8101100dd8b3d65c6dbbed7c3e0b21c064e9073ec05fb8bfcffd2dea61befaccc9f3bb65a55625f0a6a7951f3b5e128c6ce
SSDEEP

49152:y0ngSHURg8UEGq36DkCigf4fnBr0YbKps6n4WikfX0WY:7ROBUEGC6gCpw/OYbGb4WRfXLY

Score

10^/10

Malware Config

Extracted

Family

bumblebee

Botnet

205r

C2

45.153.243.93:443

213.232.235.199:443

206.54.190.245:443

rc4.plain

Targets

- Target
  
  documents.lnk
- Size
  
  1KB
- MD5
  
  b359682d874fc19cf48c9e37c8fbc996
- SHA1
  
  e03f2b064fd253df039919ce9afab54fb4861d14
- SHA256
  
  9139646892f67f12dd2a9d2b43a7ae28f1556f5e42332effcf6ea17a63794a44
- SHA512
  
  c030ccc539aeb693e55cf80bcc531732426b6ca41e04cd335d3c22e4f9d812d53a4edf543133322652923d2cb3c0d68ccc0ea8399ce15a11cb21b8a50083a9b8
Score

10^/10

bumblebee 205r evasion loader
- BumbleBee
  BumbleBee is a loader malware written in C++.
  loader bumblebee
- Bumblebee family
  bumblebee
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Blocklisted process makes network request
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
behavioral1 behavioral2
- Target
  
  mkl2n.dll
- Size
  
  3.0MB
- MD5
  
  09a75cb0368d0a1e54040f2ed98532e1
- SHA1
  
  bc274433558b2eaa9d0c1d2a6dd572272b1dd76d
- SHA256
  
  3231b0438157e3b91c5ef523deafd4101922e265761c11caea59099e24d40d54
- SHA512
  
  16c6419b24f9b592b8de8ee92411b09f9b159bbcb4871e0b44e8923b7144387119e50cd8248714a59dadb9ad184ae2774f979fee7790f8a42b96a3a4ce4733f4
- SSDEEP
  
  49152:EOaNZiQ4sWZwiyTtcFtaKT16MMyeZieNAol3afNU4ZjFcgc7FEE8d0+WOnxh:43iQ4sWZwiyTtcFtaKTAMMyenAol3aSS
Score

1^/10
behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

4

T1497

Credential Access

Discovery

Query Registry

6

T1012

System Information Discovery

4

T1082

Virtualization/Sandbox Evasion

4

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Bumblebee family

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

Blocklisted process makes network request

Checks BIOS information in registry

Checks computer location settings

Identifies Wine through registry keys

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4