Analysis
-
max time kernel
132s -
max time network
135s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
03-12-2021 01:22
Static task
static1
Behavioral task
behavioral1
Sample
17311685b626728febd2b02b10bef166.exe
Resource
win7-en-20211014
Behavioral task
behavioral2
Sample
17311685b626728febd2b02b10bef166.exe
Resource
win10-en-20211014
General
-
Target
17311685b626728febd2b02b10bef166.exe
-
Size
428KB
-
MD5
17311685b626728febd2b02b10bef166
-
SHA1
44220969370c56ffa1dd54c1c3252ccfde8a50d2
-
SHA256
010207d4463874eabd3808b12355e24acab67ff55c93c075625c2a05e481fd31
-
SHA512
9ace3b7efc7f6e017b6451f73083680c629b8bac4bbbdaab3e3d6b641b4baec721342bf278183fecb2924f4f2fd8d303d6b4caa80f7ccffd261b35f26b420491
Malware Config
Extracted
jester
fanyze
http://jesterdcuxzbey4xvlwwheoecpltru5be2mzuk4w7a7nrhckdjjhrbyd.onion/report/fanyze
https://api.anonfiles.com/upload?token=d26d620842507144
f9999b04-5f6b-47c3-830e-f07171c30d02
-
license_key
9A554B1F2269B7AF81AF6B074943117B
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 1788 Jester.exe 3620 Tor.exe -
Loads dropped DLL 9 IoCs
pid Process 3620 Tor.exe 3620 Tor.exe 3620 Tor.exe 3620 Tor.exe 3620 Tor.exe 3620 Tor.exe 3620 Tor.exe 3620 Tor.exe 3620 Tor.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jester.exe Key opened \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jester.exe Key opened \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jester.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 9 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 Jester.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Jester.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1788 Jester.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1788 Jester.exe -
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target PID 2772 wrote to memory of 1788 2772 17311685b626728febd2b02b10bef166.exe 68 PID 2772 wrote to memory of 1788 2772 17311685b626728febd2b02b10bef166.exe 68 PID 1788 wrote to memory of 2824 1788 Jester.exe 71 PID 1788 wrote to memory of 2824 1788 Jester.exe 71 PID 2824 wrote to memory of 1432 2824 cmd.exe 73 PID 2824 wrote to memory of 1432 2824 cmd.exe 73 PID 2824 wrote to memory of 1480 2824 cmd.exe 74 PID 2824 wrote to memory of 1480 2824 cmd.exe 74 PID 2824 wrote to memory of 3196 2824 cmd.exe 75 PID 2824 wrote to memory of 3196 2824 cmd.exe 75 PID 1788 wrote to memory of 3168 1788 Jester.exe 76 PID 1788 wrote to memory of 3168 1788 Jester.exe 76 PID 3168 wrote to memory of 3568 3168 cmd.exe 78 PID 3168 wrote to memory of 3568 3168 cmd.exe 78 PID 3168 wrote to memory of 3160 3168 cmd.exe 79 PID 3168 wrote to memory of 3160 3168 cmd.exe 79 PID 3168 wrote to memory of 716 3168 cmd.exe 80 PID 3168 wrote to memory of 716 3168 cmd.exe 80 PID 1788 wrote to memory of 3620 1788 Jester.exe 81 PID 1788 wrote to memory of 3620 1788 Jester.exe 81 PID 1788 wrote to memory of 3620 1788 Jester.exe 81 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jester.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jester.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\17311685b626728febd2b02b10bef166.exe"C:\Users\Admin\AppData\Local\Temp\17311685b626728febd2b02b10bef166.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Users\Admin\AppData\Local\Temp\Jester.exe"C:\Users\Admin\AppData\Local\Temp\Jester.exe"2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1788 -
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All3⤵
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\system32\chcp.comchcp 650014⤵PID:1432
-
-
C:\Windows\system32\netsh.exenetsh wlan show profile4⤵PID:1480
-
-
C:\Windows\system32\findstr.exefindstr All4⤵PID:3196
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key3⤵
- Suspicious use of WriteProcessMemory
PID:3168 -
C:\Windows\system32\chcp.comchcp 650014⤵PID:3568
-
-
C:\Windows\system32\netsh.exenetsh wlan show profile name="65001" key=clear4⤵PID:3160
-
-
C:\Windows\system32\findstr.exefindstr Key4⤵PID:716
-
-
-
C:\Users\Admin\AppData\Local\Temp\Tor\Tor.exe"C:\Users\Admin\AppData\Local\Temp\Tor\Tor.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3620
-
-