jester | 010207d4463874eabd3808b12355e24acab67ff55c93c075625c2a05e481fd31

General

Target

010207d4463874eabd3808b12355e24acab67ff55c93c075625c2a05e481fd31.exe
Size

428KB
MD5

17311685b626728febd2b02b10bef166
SHA1

44220969370c56ffa1dd54c1c3252ccfde8a50d2
SHA256

010207d4463874eabd3808b12355e24acab67ff55c93c075625c2a05e481fd31
SHA512

9ace3b7efc7f6e017b6451f73083680c629b8bac4bbbdaab3e3d6b641b4baec721342bf278183fecb2924f4f2fd8d303d6b4caa80f7ccffd261b35f26b420491

Score

10^/10

jester fanyze collection spyware stealer

Malware Config

Extracted

Family

jester

Botnet

fanyze

C2

http://jesterdcuxzbey4xvlwwheoecpltru5be2mzuk4w7a7nrhckdjjhrbyd.onion/report/fanyze

https://api.anonfiles.com/upload?token=d26d620842507144

Mutex

f9999b04-5f6b-47c3-830e-f07171c30d02

Attributes

license_key
9A554B1F2269B7AF81AF6B074943117B

Signatures

Jester
Jester is an information stealer malware written in C#.
stealer jester

Executes dropped EXE 2 IoCs

pid	Process
2728	Jester.exe
2168	Tor.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	010207d4463874eabd3808b12355e24acab67ff55c93c075625c2a05e481fd31.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Jester.exe

Loads dropped DLL 10 IoCs

pid	Process
2168	Tor.exe
2168	Tor.exe
2168	Tor.exe
2168	Tor.exe
2168	Tor.exe
2168	Tor.exe
2168	Tor.exe
2168	Tor.exe
2168	Tor.exe
2168	Tor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jester.exe
Key opened	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jester.exe
Key opened	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jester.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
20	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Jester.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Jester.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
632	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2728	Jester.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2728	Jester.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 376 wrote to memory of 2728	376	010207d4463874eabd3808b12355e24acab67ff55c93c075625c2a05e481fd31.exe	79
PID 376 wrote to memory of 2728	376	010207d4463874eabd3808b12355e24acab67ff55c93c075625c2a05e481fd31.exe	79
PID 2728 wrote to memory of 1324	2728	Jester.exe	82
PID 2728 wrote to memory of 1324	2728	Jester.exe	82
PID 1324 wrote to memory of 4788	1324	cmd.exe	84
PID 1324 wrote to memory of 4788	1324	cmd.exe	84
PID 1324 wrote to memory of 4644	1324	cmd.exe	85
PID 1324 wrote to memory of 4644	1324	cmd.exe	85
PID 1324 wrote to memory of 4776	1324	cmd.exe	86
PID 1324 wrote to memory of 4776	1324	cmd.exe	86
PID 2728 wrote to memory of 4864	2728	Jester.exe	89
PID 2728 wrote to memory of 4864	2728	Jester.exe	89
PID 4864 wrote to memory of 4256	4864	cmd.exe	91
PID 4864 wrote to memory of 4256	4864	cmd.exe	91
PID 4864 wrote to memory of 1216	4864	cmd.exe	92
PID 4864 wrote to memory of 1216	4864	cmd.exe	92
PID 4864 wrote to memory of 4372	4864	cmd.exe	93
PID 4864 wrote to memory of 4372	4864	cmd.exe	93
PID 2728 wrote to memory of 2168	2728	Jester.exe	95
PID 2728 wrote to memory of 2168	2728	Jester.exe	95
PID 2728 wrote to memory of 2168	2728	Jester.exe	95
PID 2728 wrote to memory of 2500	2728	Jester.exe	106
PID 2728 wrote to memory of 2500	2728	Jester.exe	106
PID 2500 wrote to memory of 2852	2500	cmd.exe	108
PID 2500 wrote to memory of 2852	2500	cmd.exe	108
PID 2500 wrote to memory of 632	2500	cmd.exe	109
PID 2500 wrote to memory of 632	2500	cmd.exe	109

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jester.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jester.exe

C:\Users\Admin\AppData\Local\Temp\010207d4463874eabd3808b12355e24acab67ff55c93c075625c2a05e481fd31.exe
"C:\Users\Admin\AppData\Local\Temp\010207d4463874eabd3808b12355e24acab67ff55c93c075625c2a05e481fd31.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:376
- C:\Users\Admin\AppData\Local\Temp\Jester.exe
  "C:\Users\Admin\AppData\Local\Temp\Jester.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:2728
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1324
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4788
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      PID:4644
  - - C:\Windows\system32\findstr.exe
      findstr All
      4⤵
      PID:4776
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4864
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4256
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile name="65001" key=clear
      4⤵
      PID:1216
  - - C:\Windows\system32\findstr.exe
      findstr Key
      4⤵
      PID:4372
- - C:\Users\Admin\AppData\Local\Temp\Tor\Tor.exe
    "C:\Users\Admin\AppData\Local\Temp\Tor\Tor.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2168
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Jester.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2852
  - - C:\Windows\system32\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

Remote System Discovery

1

T1018

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2168-159-0x0000000075100000-0x00000000753F5000-memory.dmp

Filesize
3.0MB

Download
memory/2168-155-0x0000000075710000-0x000000007580B000-memory.dmp

Filesize
1004KB

Download
memory/2168-156-0x00000000756E0000-0x0000000075706000-memory.dmp

Filesize
152KB

Download
memory/2168-157-0x0000000000C50000-0x0000000001063000-memory.dmp

Filesize
4.1MB

Download
memory/2168-158-0x0000000075710000-0x000000007580B000-memory.dmp

Filesize
1004KB

Download
memory/2168-160-0x00000000755A0000-0x0000000075686000-memory.dmp

Filesize
920KB

Download
memory/2168-161-0x00000000756E0000-0x0000000075706000-memory.dmp

Filesize
152KB

Download
memory/2168-162-0x0000000000C50000-0x0000000001063000-memory.dmp

Filesize
4.1MB

Download
memory/2728-135-0x00000299BE310000-0x00000299BE360000-memory.dmp

Filesize
320KB

Download
memory/2728-133-0x00007FFE67680000-0x00007FFE68141000-memory.dmp

Filesize
10.8MB

Download
memory/2728-132-0x00000299BC6D0000-0x00000299BC70E000-memory.dmp

Filesize
248KB

Download
memory/2728-134-0x00000299D7A20000-0x00000299D7A22000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads