Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
06-01-2025 00:18
General
-
Target
JaffaCakes118_037ce49f267667b679cbf2fb94001f28.exe
-
Size
4.0MB
-
MD5
037ce49f267667b679cbf2fb94001f28
-
SHA1
b3f0b51f189a62f04817b37d428e8aef9f6b8e7e
-
SHA256
9d37032e823df7f4a195dfbee978c3a9657dd9e658d6a1708922b3ba8e04675b
-
SHA512
35779c857861dfc2cfcc57016a8cc1d60caf90eae31f3ab0cece943243eca983a13a8238375cbad499eceb395e841e8047330700775c592a3bee348d16a05160
-
SSDEEP
49152:NExtvMTqVBGxMQg3Q3cX5C/wnvdAlPjcmYl0XzrT:A0TqnAX
Malware Config
Extracted
mercurialgrabber
https://discord.com/api/webhooks/874761712887300207/BmuphDWQjfFNAYHKgDrSKEZfCgrbPOvKYqgTtH0j7Fq8wKrMzpEHuiIW7H_YPhGUC74t
Signatures
-
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
-
Mercurialgrabber family
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 1 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_037ce49f267667b679cbf2fb94001f28.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_037ce49f267667b679cbf2fb94001f28.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Adds Run key to start application
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 21882⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2920 -ip 29201⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
4.0MB
-
Filesize
624KB
-
Filesize
5.6MB
-
Filesize
64KB
-
Filesize
584KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
408KB
-
Filesize
7.7MB