General

  • Target

    JaffaCakes118_c60c8153f45af6012d9f85074886fcf627e34e0c92db133207934fd3eadd2770

  • Size

    1002KB

  • Sample

    241228-3ggxxsvqgn

  • MD5

    3ec7675ef47f3cb55ba121697514c0cb

  • SHA1

    0fb433453422f3e572901ea47613d1faad1c9122

  • SHA256

    c60c8153f45af6012d9f85074886fcf627e34e0c92db133207934fd3eadd2770

  • SHA512

    f42b9063459e86847f87f07bfcd8fb3bcd4466fc0ea0b4cc229b79d79c876d599f0d795ae3c3db68f37c62a38768517416538080dccafdf3ab10ca09ca760e9f

  • SSDEEP

    24576:Q95tssxDNgLf3Rb9C0kfOhjS4K7XEo20E9HuNZp6eyJLXQUGy2IgUp46G:Q9zxDNef3RxpjeJ20E9ON2eoLX9Gy2e6

Malware Config

Extracted

  • Family

    bumblebee

  • Botnet

    286a

  • C2


  • rc4.plain

Targets

    • Target

      PRD.lnk

    • Size

      1KB

    • MD5

      ba087f3dc565e4c1dc54c5e2f581f4a1

    • SHA1

      90940bfa9973a4d455e25d09c2c0f1c4d2ffb06e

    • SHA256

      dfc5072b4874706e6ebe8c47140dedc6051f8dda92351bdea8996154e6a96ed2

    • SHA512

      c3f22c3d24d08b4fe96e097bbb192f1c47afc3933b49d20da98d33edd0fb8c6c7615a102a4f75d6f1ef50c0c85ab574e9b41be9adf780ee27b6667b3e64d648c

    • BumbleBee

      BumbleBee is a malware loader written in C++.

    • Bumblebee family

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Target

      sec.dll

    • Size

      1.7MB

    • MD5

      a30bf883c38b54c3b22a2f8ccfb1bd8a

    • SHA1

      9a5ec009753040c5214b864d9d271901eb4542ac

    • SHA256

      95a6114c8b9879ebc9a0142fcd46d41dd428380a27d5b396a232f42e4a505fb2

    • SHA512

      64d3f30c8564e4eedecd7f3f8c3b1eafaa3d781fb5bef39825ea1b8fdd1f39c38ac477f08a7a147fcb2f404c32ded7ae841b5bb443070945e1aa60668838ed58

    • SSDEEP

      49152:Vf0KjZAxHascQO0L+CyceKgNdjBqYa4xvmuH6BrxUsV:VsWSNWH06CycAoTuH6BrxUsV

    • BumbleBee

      BumbleBee is a malware loader written in C++.

    • Bumblebee family

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

MITRE ATT&CK Enterprise v15

Tasks