General

  • Target

    JaffaCakes118_2a1a84b0f5f71353f09d6a01b0504e4a99b19565f2a1207ee2223a4e7918e541

  • Size

    923KB

  • Sample

    241229-a5kphaxlej

  • MD5

    1994977767f3ad174e041534df495524

  • SHA1

    ac49a4acc5460ad8bbb10cbca0be4690dd52fcb1

  • SHA256

    2a1a84b0f5f71353f09d6a01b0504e4a99b19565f2a1207ee2223a4e7918e541

  • SHA512

    11be74e9bb14b6a75f5dd1ec54d62f8621e79bdb4ceedea2b5ec5a40999a8e7e789fec99f1f75be58b89eb065fb04c33d3c8573116e0991e715e92f09ab4792b

  • SSDEEP

    24576:AfZ7tTe15AAEj18vaojQ8VxfJxzGnOlEM+4HBwSoVeoS4vdyyS3qkH:Afe15AAEYaA7fJVGnOlE6WLnYX35

Malware Config

  • Extracted

    • Family

      bumblebee

    • Botnet

      276r

    • C2

      192.119.77.100:443

      54.37.131.14:443

      146.19.253.56:443

    • rc4.plain

Targets

    • Target

      documents.lnk

    • Size

      2KB

    • MD5

      663851b4f1b3ad5acd85c4ab15493e71

    • SHA1

      32060a7f992322ac9bdf6d976d60181111b571d6

    • SHA256

      68e3bf7eec93dfd4394746769532dbc890207fd6f554c18165e8a2746b3fe2d2

    • SHA512

      0d51286f76f3f8fd292574b97803891571e3c20a110e7b830208591f69fab86941708e1751d3851724b0a12f610ba603afb259451c9e480e42fc306d0688e828

    • BumbleBee

      BumbleBee is a loader malware written in C++.

    • Bumblebee family

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Blocklisted process makes network request

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Target

      n3zarek.dll

    • Size

      1.4MB

    • MD5

      d5e81f4a835ec3720f27a9c8f9be7adc

    • SHA1

      ea298ca07533fdd003d31434932af6bc4fbc5f4b

    • SHA256

      a1986a81bfc049ac6d09a920ff4508dc8454ddcd92d6b8a7f52215b285501f29

    • SHA512

      6c8b0fc0bf37a74bfabf5b57cad8e30f9a115ce72e82ec385499f70e7341478eeaa68004ccdebac5be3bd964ed33ecbabfd5a24dff0c5c616a88d21095a5541e

    • SSDEEP

      24576:IafYliSc2DEvmXdcV8kVXC9XcsADUQKaSkklM9eXZNn4+abX:IafYREOtcVRy9XcsADwa6XZN7

    Score
    1/10

MITRE ATT&CK Enterprise v15

Tasks