buer | a6cf85f38f11e82be3fbabc2f7ee0d07f608f30ceb92654ec2168c4fcfad56e0

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
15-06-2024 01:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac8348dd8319365d4857b1e20715c6da_JaffaCakes118.exe
Size

259KB
MD5

ac8348dd8319365d4857b1e20715c6da
SHA1

5c5b1008a7a96015f2588fd60ddc0b4739f74fb5
SHA256

a6cf85f38f11e82be3fbabc2f7ee0d07f608f30ceb92654ec2168c4fcfad56e0
SHA512

eed7640b28d4b023cd4c252ed812820221aca61f969ca2e6d5f59aad5532fae07d17401272dd36a3c49641136fa8a95d1e1d801076deb8eac97222f506f0ac86
SSDEEP

6144:nQ6ixI8UKltZMbvRrUjZMlbHHOLGqJ/89GEgr/KLUygLMh:Q6ie8UKl7M7RA1MRn5t9wrSLbK

Score

10^/10

buer execution loader

Malware Config

Extracted

Family

buer

https://kackdelar.top/

Signatures

Buer
Buer is a new modular loader first seen in August 2019.
loader buer

Buer Loader 4 IoCs

Detects Buer loader in memory or disk.

loader

Processes:

resource	yara_rule
behavioral1/memory/2124-5-0x0000000040000000-0x000000004000C000-memory.dmp	buer
behavioral1/memory/2124-7-0x0000000040000000-0x000000004000C000-memory.dmp	buer
behavioral1/memory/2124-8-0x0000000040000000-0x000000004000C000-memory.dmp	buer
behavioral1/memory/2124-10-0x0000000040000000-0x000000004000C000-memory.dmp	buer

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2704 powershell.exe

pid	process
2704	powershell.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

RegAsm.exe

description	ioc	process
File opened (read-only)	\??\G:	RegAsm.exe
File opened (read-only)	\??\H:	RegAsm.exe
File opened (read-only)	\??\R:	RegAsm.exe
File opened (read-only)	\??\V:	RegAsm.exe
File opened (read-only)	\??\Z:	RegAsm.exe
File opened (read-only)	\??\A:	RegAsm.exe
File opened (read-only)	\??\E:	RegAsm.exe
File opened (read-only)	\??\I:	RegAsm.exe
File opened (read-only)	\??\K:	RegAsm.exe
File opened (read-only)	\??\L:	RegAsm.exe
File opened (read-only)	\??\O:	RegAsm.exe
File opened (read-only)	\??\T:	RegAsm.exe
File opened (read-only)	\??\B:	RegAsm.exe
File opened (read-only)	\??\J:	RegAsm.exe
File opened (read-only)	\??\N:	RegAsm.exe
File opened (read-only)	\??\S:	RegAsm.exe
File opened (read-only)	\??\U:	RegAsm.exe
File opened (read-only)	\??\W:	RegAsm.exe
File opened (read-only)	\??\X:	RegAsm.exe
File opened (read-only)	\??\Y:	RegAsm.exe
File opened (read-only)	\??\M:	RegAsm.exe
File opened (read-only)	\??\P:	RegAsm.exe
File opened (read-only)	\??\Q:	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ac8348dd8319365d4857b1e20715c6da_JaffaCakes118.exe

description pid process target process

PID 2180 set thread context of 2124 2180 ac8348dd8319365d4857b1e20715c6da_JaffaCakes118.exe RegAsm.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exeRegAsm.exe

pid process

2704 powershell.exe
2124 RegAsm.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

ac8348dd8319365d4857b1e20715c6da_JaffaCakes118.exe

pid process

2180 ac8348dd8319365d4857b1e20715c6da_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2704 powershell.exe

description	pid	process	target process
PID 2180 set thread context of 2124	2180	ac8348dd8319365d4857b1e20715c6da_JaffaCakes118.exe	RegAsm.exe

pid	process
2704	powershell.exe
2124	RegAsm.exe

pid	process
2180	ac8348dd8319365d4857b1e20715c6da_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2704	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

ac8348dd8319365d4857b1e20715c6da_JaffaCakes118.exeRegAsm.exe

description	pid	process	target process
PID 2180 wrote to memory of 2124	2180	ac8348dd8319365d4857b1e20715c6da_JaffaCakes118.exe	RegAsm.exe
PID 2180 wrote to memory of 2124	2180	ac8348dd8319365d4857b1e20715c6da_JaffaCakes118.exe	RegAsm.exe
PID 2180 wrote to memory of 2124	2180	ac8348dd8319365d4857b1e20715c6da_JaffaCakes118.exe	RegAsm.exe
PID 2180 wrote to memory of 2124	2180	ac8348dd8319365d4857b1e20715c6da_JaffaCakes118.exe	RegAsm.exe
PID 2180 wrote to memory of 2124	2180	ac8348dd8319365d4857b1e20715c6da_JaffaCakes118.exe	RegAsm.exe
PID 2180 wrote to memory of 2124	2180	ac8348dd8319365d4857b1e20715c6da_JaffaCakes118.exe	RegAsm.exe
PID 2180 wrote to memory of 2124	2180	ac8348dd8319365d4857b1e20715c6da_JaffaCakes118.exe	RegAsm.exe
PID 2180 wrote to memory of 2124	2180	ac8348dd8319365d4857b1e20715c6da_JaffaCakes118.exe	RegAsm.exe
PID 2124 wrote to memory of 2704	2124	RegAsm.exe	powershell.exe
PID 2124 wrote to memory of 2704	2124	RegAsm.exe	powershell.exe
PID 2124 wrote to memory of 2704	2124	RegAsm.exe	powershell.exe
PID 2124 wrote to memory of 2704	2124	RegAsm.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\ac8348dd8319365d4857b1e20715c6da_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ac8348dd8319365d4857b1e20715c6da_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2124

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\f3a1e8b680609eb0e75d}"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2704

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2124-5-0x0000000040000000-0x000000004000C000-memory.dmp

Filesize
48KB

Download
memory/2124-7-0x0000000040000000-0x000000004000C000-memory.dmp

Filesize
48KB

Download
memory/2124-8-0x0000000040000000-0x000000004000C000-memory.dmp

Filesize
48KB

Download
memory/2124-10-0x0000000040000000-0x000000004000C000-memory.dmp

Filesize
48KB

Download
memory/2180-0-0x0000000074D9E000-0x0000000074D9F000-memory.dmp

Filesize
4KB

Download
memory/2180-1-0x00000000008A0000-0x00000000008E8000-memory.dmp

Filesize
288KB

Download
memory/2180-2-0x0000000074D90000-0x000000007547E000-memory.dmp

Filesize
6.9MB

Download
memory/2180-3-0x0000000004140000-0x0000000004156000-memory.dmp

Filesize
88KB

Download
memory/2180-4-0x0000000074D90000-0x000000007547E000-memory.dmp

Filesize
6.9MB

Download
memory/2180-9-0x0000000074D90000-0x000000007547E000-memory.dmp

Filesize
6.9MB

Download