Resubmissions

16-01-2022 12:57

220116-p6z8xafdg4 1

16-01-2022 12:54

220116-p48ghafdf7 10

Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    16-01-2022 12:54

General

  • Target

    b06cd56bcb2a95ff2861a0257778e3a8911a7a47d81545138f1257a233267f0b.exe

  • Size

    241KB

  • MD5

    7120733f34bb6d7ccf174779d3058d3f

  • SHA1

    f2392bcadf03bc4c253a95199bf4be1947898255

  • SHA256

    b06cd56bcb2a95ff2861a0257778e3a8911a7a47d81545138f1257a233267f0b

  • SHA512

    c39778c1e678264c15f85db3b1628e3047375f0671bfa2d756efc053e74a7289f9bc5f5807c9e246e625bfe09bc3e9b8590a67fef2a0710032521225a693745e

Malware Config

Extracted

Family

jester

Botnet

FikusCode

C2

http://jesterdcuxzbey4xvlwwheoecpltru5be2mzuk4w7a7nrhckdjjhrbyd.onion/report/FikusCode

https://api.anonfiles.com/upload?token=d26d620842507144

Mutex

46378331-3729-449c-9a03-94f385d10a9c

Attributes
  • license_key

    D1F0DE359CBD562CCF9326AEEEA8E64E

Signatures

  • Jester

    Jester is an information stealer malware written in C#.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b06cd56bcb2a95ff2861a0257778e3a8911a7a47d81545138f1257a233267f0b.exe
    "C:\Users\Admin\AppData\Local\Temp\b06cd56bcb2a95ff2861a0257778e3a8911a7a47d81545138f1257a233267f0b.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:428
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\249872103\zmstage.exe.orig
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1560
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\249872103\zmstage.exe.orig
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:1736

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/428-54-0x0000000000F40000-0x0000000000F82000-memory.dmp

    Filesize

    264KB

  • memory/428-55-0x0000000000F40000-0x0000000000F82000-memory.dmp

    Filesize

    264KB

  • memory/428-56-0x000000001A740000-0x000000001A742000-memory.dmp

    Filesize

    8KB

  • memory/1560-57-0x000007FEFBC11000-0x000007FEFBC13000-memory.dmp

    Filesize

    8KB