jester | e038cd85c9da66e9517bba1e3af819a7cb1cf068fe955b8e125273d1e0533c2b

General

Target

dab3afd4e25abdc582e6325f31257ee8.exe
Size

487KB
MD5

dab3afd4e25abdc582e6325f31257ee8
SHA1

88648132d7f0b1fe59da88c696016e3b1e496fa5
SHA256

e038cd85c9da66e9517bba1e3af819a7cb1cf068fe955b8e125273d1e0533c2b
SHA512

e75b6166812fa7fb5852438a8ee8b2ad0ac48ced215c1bf8990f662efb63777164a731d899ffa743baf45671f90ef2af18c87ea43c5da57b4092536948b8bfc2

Score

10^/10

jester fanyze collection spyware stealer

Malware Config

Extracted

Family

jester

Botnet

fanyze

C2

http://jesterdcuxzbey4xvlwwheoecpltru5be2mzuk4w7a7nrhckdjjhrbyd.onion/report/fanyze

https://api.anonfiles.com/upload?token=d26d620842507144

Mutex

f9999b04-5f6b-47c3-830e-f07171c30d02

Attributes

license_key
9A554B1F2269B7AF81AF6B074943117B

Signatures

Jester
Jester is an information stealer malware written in C#.
stealer jester

Executes dropped EXE 2 IoCs

pid	Process
3676	Jester.exe
1828	Tor.exe

Loads dropped DLL 8 IoCs

pid	Process
1828	Tor.exe
1828	Tor.exe
1828	Tor.exe
1828	Tor.exe
1828	Tor.exe
1828	Tor.exe
1828	Tor.exe
1828	Tor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jester.exe
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jester.exe
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jester.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Jester.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Jester.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3676	Jester.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3676	Jester.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 3676	1288	dab3afd4e25abdc582e6325f31257ee8.exe	68
PID 1288 wrote to memory of 3676	1288	dab3afd4e25abdc582e6325f31257ee8.exe	68
PID 3676 wrote to memory of 920	3676	Jester.exe	71
PID 3676 wrote to memory of 920	3676	Jester.exe	71
PID 920 wrote to memory of 3752	920	cmd.exe	73
PID 920 wrote to memory of 3752	920	cmd.exe	73
PID 920 wrote to memory of 3428	920	cmd.exe	74
PID 920 wrote to memory of 3428	920	cmd.exe	74
PID 920 wrote to memory of 3968	920	cmd.exe	75
PID 920 wrote to memory of 3968	920	cmd.exe	75
PID 3676 wrote to memory of 2144	3676	Jester.exe	76
PID 3676 wrote to memory of 2144	3676	Jester.exe	76
PID 2144 wrote to memory of 1440	2144	cmd.exe	78
PID 2144 wrote to memory of 1440	2144	cmd.exe	78
PID 2144 wrote to memory of 936	2144	cmd.exe	79
PID 2144 wrote to memory of 936	2144	cmd.exe	79
PID 2144 wrote to memory of 1248	2144	cmd.exe	80
PID 2144 wrote to memory of 1248	2144	cmd.exe	80
PID 3676 wrote to memory of 1828	3676	Jester.exe	81
PID 3676 wrote to memory of 1828	3676	Jester.exe	81
PID 3676 wrote to memory of 1828	3676	Jester.exe	81

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jester.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jester.exe

C:\Users\Admin\AppData\Local\Temp\dab3afd4e25abdc582e6325f31257ee8.exe
"C:\Users\Admin\AppData\Local\Temp\dab3afd4e25abdc582e6325f31257ee8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Users\Admin\AppData\Local\Temp\Jester.exe
  "C:\Users\Admin\AppData\Local\Temp\Jester.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:3676
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:920
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:3752
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      PID:3428
  - - C:\Windows\system32\findstr.exe
      findstr All
      4⤵
      PID:3968
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2144
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1440
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile name="65001" key=clear
      4⤵
      PID:936
  - - C:\Windows\system32\findstr.exe
      findstr Key
      4⤵
      PID:1248
- - C:\Users\Admin\AppData\Local\Temp\Tor\Tor.exe
    "C:\Users\Admin\AppData\Local\Temp\Tor\Tor.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1828-152-0x0000000073400000-0x0000000073426000-memory.dmp

Filesize
152KB

Download
memory/1828-154-0x00000000738B0000-0x00000000739AB000-memory.dmp

Filesize
1004KB

Download
memory/1828-158-0x0000000000350000-0x0000000000763000-memory.dmp

Filesize
4.1MB

Download
memory/1828-156-0x0000000073430000-0x0000000073516000-memory.dmp

Filesize
920KB

Download
memory/1828-157-0x0000000073400000-0x0000000073426000-memory.dmp

Filesize
152KB

Download
memory/1828-155-0x00000000735B0000-0x00000000738A5000-memory.dmp

Filesize
3.0MB

Download
memory/1828-153-0x0000000000350000-0x0000000000763000-memory.dmp

Filesize
4.1MB

Download
memory/1828-151-0x00000000738B0000-0x00000000739AB000-memory.dmp

Filesize
1004KB

Download
memory/3676-121-0x0000020F2FF80000-0x0000020F2FF81000-memory.dmp

Filesize
4KB

Download
memory/3676-123-0x0000020F30370000-0x0000020F30372000-memory.dmp

Filesize
8KB

Download
memory/3676-124-0x0000020F4A620000-0x0000020F4A621000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing