Resubmissions

04/06/2025, 14:34

250604-rxn6dszkt9 (score 10)

04/06/2025, 10:21

250604-md58cagk2v (score 10)

General

  • Target

    JaffaCakes118_0d6dd4b9d8e64a4d0d45f0f7cb3f734c

  • Size

    41KB

  • Sample

    250604-rxn6dszkt9

  • MD5

    0d6dd4b9d8e64a4d0d45f0f7cb3f734c

  • SHA1

    be182500d9325ae27ba43bbca411ccc06c9b94fd

  • SHA256

    e5704c4de88b5bef7c43a8ab6af61a0a80506e1b2fc9d16aa789601b6c4ee6de

  • SHA512

    e43d625cb613a15357237a7d96f85a5cbc027ea885b0a18e87ee6e33bc0d9b9a803ff29f60f90d65dda9c9210f452305f8308878af415c193d9f165eb03fb7e3

  • SSDEEP

    768:0scG4Ac3mbMABWawguZie9WTjIKZKfgm3Eh7p:bcT3mM8Wie9WTUF7ERp

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/866498831561785386/-XN88lELt22qbTEEdTB0HH3-hh-S38iWvyye0zi8ElR5NcY0s2rFAHuLulBbAaZSLUCl

Targets

    • Target

      JaffaCakes118_0d6dd4b9d8e64a4d0d45f0f7cb3f734c

      (size and hashes identical to the General section above)

    • Mercurial Grabber Stealer

      Mercurial Grabber is an open-source stealer targeting Chrome, Discord and some game clients as well as generic system information; this sample exfiltrates to the Discord webhook listed under C2 above.

    • Mercurialgrabber family

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

    • Legitimate hosting services abused for malware hosting/C2 (here a Discord webhook serves as the C2 endpoint)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.
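The signatures above boil down to a handful of registry paths, a DNS lookup and an HTTPS POST to a webhook. The following is an added example (not the sandbox's own signature logic and not part of this report) showing how a hunter could reproduce them over host telemetry. The events are constructed, Sysmon-style records; the registry paths are the standard HKLM locations that the VirtualBox Guest Additions, VMware Tools, BIOS and Disk\Enum checks read, and the list of IP-lookup hostnames is an assumption that should be extended for your environment.

```python
import re
from collections import defaultdict

# Registry keys behind the evasion signatures in the report, as they appear
# under HKLM. Lower-cased here; Sysmon/ETW TargetObject format is assumed.
EVASION_KEYS = {
    r"software\oracle\virtualbox guest additions": "vbox_guest_additions",
    r"software\vmware, inc.\vmware tools": "vmware_tools",
    r"hardware\description\system\bios": "bios_info",
    r"system\currentcontrolset\services\disk\enum": "drive_enum",
}

# Public IP-lookup services (assumed list; extend with what you see in DNS logs).
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "icanhazip.com", "ifconfig.me"}

# Discord webhook URL: numeric snowflake id followed by a long URL-safe token.
WEBHOOK_RE = re.compile(
    r"https://discord(?:app)?\.com/api/webhooks/(\d{17,20})/([A-Za-z0-9_\-]{60,})"
)


def normalise_key(target_object: str) -> str:
    """Strip the hive prefix Sysmon or ETW writes and lower-case the path."""
    key = target_object.lower().replace("\\registry\\machine\\", "")
    for prefix in ("hklm\\", "hkey_local_machine\\"):
        if key.startswith(prefix):
            key = key[len(prefix):]
    return key.rstrip("\\")


def extract_webhooks(text: str) -> list[tuple[str, str]]:
    """Return (id, token) pairs for every Discord webhook URL found in text,
    e.g. from a strings dump or a proxy log line."""
    return WEBHOOK_RE.findall(text)


def analyse(events: list[dict]) -> dict[int, set[str]]:
    """Map each pid to the set of report signatures its telemetry triggers."""
    hits: dict[int, set[str]] = defaultdict(set)
    for ev in events:
        pid = ev["pid"]
        if ev["type"] == "registry":
            key = normalise_key(ev["key"])
            # startswith so that value reads below the key (e.g. BIOS\SystemManufacturer) match
            for prefix, name in EVASION_KEYS.items():
                if key.startswith(prefix):
                    hits[pid].add(name)
        elif ev["type"] == "dns" and ev["host"].lower() in IP_LOOKUP_HOSTS:
            hits[pid].add("external_ip_lookup")
        elif ev["type"] == "http" and extract_webhooks(ev["url"]):
            hits[pid].add("discord_webhook_c2")
    return dict(hits)


def verdict(sigs: set[str]) -> str:
    """Sandbox evasion plus webhook exfiltration in one process is the stealer pattern."""
    evasion = sigs & set(EVASION_KEYS.values())
    if "discord_webhook_c2" in sigs and evasion:
        return "stealer-like"
    if evasion or "discord_webhook_c2" in sigs:
        return "suspicious"
    return "benign"


# Constructed telemetry: pid 4120 mimics the behaviour listed in the report,
# pid 7788 is ordinary activity. The webhook id/token below are placeholders.
SAMPLE_EVENTS = [
    {"type": "registry", "pid": 4120, "key": r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"},
    {"type": "registry", "pid": 4120, "key": r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"},
    {"type": "registry", "pid": 4120, "key": r"HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer"},
    {"type": "registry", "pid": 4120, "key": r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum\0"},
    {"type": "dns", "pid": 4120, "host": "api.ipify.org"},
    {"type": "http", "pid": 4120,
     "url": "https://discord.com/api/webhooks/123456789012345678/" + "A" * 68},
    {"type": "registry", "pid": 7788, "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
    {"type": "dns", "pid": 7788, "host": "update.example.com"},
]

if __name__ == "__main__":
    for pid, sigs in analyse(SAMPLE_EVENTS).items():
        print(pid, verdict(sigs), sorted(sigs))
```

Any single one of these signatures is weak on its own (legitimate software reads the BIOS key too), so the verdict only escalates when evasion checks and webhook traffic come from the same process. The `extract_webhooks` helper is also what you would run over the binary's strings to pull the C2 webhook out for blocking or reporting.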

MITRE ATT&CK Enterprise v16

Tasks