Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    06-01-2025 11:32

General

  • Target

    JaffaCakes118_211bc13475836d338efad27fcfb93854.exe

  • Size

    784KB

  • MD5

    211bc13475836d338efad27fcfb93854

  • SHA1

    4014d439c4408ade5aad8b9821fedf8d762e1bbd

  • SHA256

    14c880901bd29af48aabce0d923ea3c5a29dee581232eb01b73ab73e4044df5e

  • SHA512

    b70133311794c551439fac00717799cceda66afa1970dab395ff1bd6e5dd4af776338c14abb459fb81780127f6b0cc477dfdb2bfbfc1f27e2732bafce6703207

  • SSDEEP

    24576:DR+cl7X1BRnI6hmebOe19fNaBA+ZVv3Irk/mRK:1+clb1BRntmeSK9fNaBA+ZVfUCb

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/897297549470363709/qD_guPuyDUYvIFaoZvjt6eHBw1yKtKL8VS_ITLOh8nRCLA8dRnaCYOA7UVl0ovkMLw1r

Signatures

  • Mercurial Grabber Stealer

    Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

  • Mercurialgrabber family
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 1 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_211bc13475836d338efad27fcfb93854.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_211bc13475836d338efad27fcfb93854.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2032
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\batch.bat" "
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2300
      • C:\Users\Admin\AppData\Local\Temp\comprimir.exe
        comprimir.exe -p123 -dC:\Users\Admin\AppData\Local\Temp
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2256
        • C:\Users\Admin\AppData\Local\Temp\a.exe
          "C:\Users\Admin\AppData\Local\Temp\a.exe"
          4⤵
          • Looks for VirtualBox Guest Additions in registry
          • Looks for VMWare Tools registry key
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Maps connected drives based on registry
          • Checks SCSI registry key(s)
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2748
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -u -p 2748 -s 1408
            5⤵
              PID:2608

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\a.exe

    Filesize

    247KB

    MD5

    66571befffae12f2aeaa21aa7094ef18

    SHA1

    84c7bf139a3bb6ee67d5f3d467407f5f1f399d3e

    SHA256

    1b2c86cb901a4d34502c4e05f70b7fa5ca40a7405bf59ec8bf3e8a0b6b2f2856

    SHA512

    b74ea304256ad785674d2f36b37f459521bed43123d0d16d09f385a62f298f9e207a8017f481e7cf9d69e653cf12018fc8b246b48aca1fb32579c313390fec8a

  • C:\Users\Admin\AppData\Local\Temp\batch.bat

    Filesize

    28B

    MD5

    4ecd7c3b3fd43f3c21e16efe832b7e7e

    SHA1

    2d6575b701bbd29aa404c6dc1293c7c63306df7c

    SHA256

    90e350e62fb59b8c695954c655ff40b89608f4d0b284193bd0d4ea97fbbf5f89

    SHA512

    5cfbea290db5efb0699bebfed3fa8a6798ed620fc4572a434a21e73ac80f09c145da9c9994703f34bc5506cad1d832eef4cd9e129ba32e929dac118622eedf63

  • C:\Users\Admin\AppData\Local\Temp\comprimir.exe

    Filesize

    430KB

    MD5

    b106011be5b40fd67b51268916aeab8c

    SHA1

    41dafce45060597050bed7a031bbf3f220368eaf

    SHA256

    37aec58ffaf1bd4be80921f848089af195d2a3fd726818e95efdb236a577e0ae

    SHA512

    190aba1687a509fda5f0874cb6ccd6452c9533505ab0c86c0edee775606ec44c86c8eca478f66a5f5ee1a8046945a6c9b9a5ec5161555541db814e2c0fb23121

  • memory/2748-33-0x000007FEF5C33000-0x000007FEF5C34000-memory.dmp

    Filesize

    4KB

  • memory/2748-34-0x0000000000B00000-0x0000000000B42000-memory.dmp

    Filesize

    264KB

  • memory/2748-35-0x000007FEF5C33000-0x000007FEF5C34000-memory.dmp

    Filesize

    4KB