09f74ca0de08a2181671b49c9f399fdcfbcc8d21f08d216bbdbbb4501104f57a

Analysis

max time kernel
147s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-04-2024 10:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e9bedfa5624c03bc97f4b483b65d8fdf_JaffaCakes118.exe
Size

1.5MB
MD5

e9bedfa5624c03bc97f4b483b65d8fdf
SHA1

2c3247266cf332285df6da5817e2b28f88a9f3de
SHA256

09f74ca0de08a2181671b49c9f399fdcfbcc8d21f08d216bbdbbb4501104f57a
SHA512

324bf29a17275e66da725a4a935e96f9b9a1ee5ee6f13453c61915f7f09c58540dfe7b95e8f062a4d5272f04e2487662f4020af2e56425538486ee1bf30200af
SSDEEP

24576:xnQms4iJjg5Q7wa/Dv1GHafqeh2LtKLV9zvKO8B2cIHAH9I9gNMrIs0tuo4x527B:xnqsRa/Dv4EWIzzvKO8PwgNMrStuF52t

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	e9bedfa5624c03bc97f4b483b65d8fdf_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	TeamViewer_.exe

Executes dropped EXE 2 IoCs

pid	Process
2416	TeamViewer_.exe
3180	TeamViewer.exe

Loads dropped DLL 7 IoCs

pid	Process
2416	TeamViewer_.exe
2416	TeamViewer_.exe
2416	TeamViewer_.exe
2416	TeamViewer_.exe
2416	TeamViewer_.exe
2416	TeamViewer_.exe
3180	TeamViewer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1224-0-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/files/0x0007000000023206-5.dat	upx
behavioral2/memory/1224-8-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/2416-9-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/2416-62-0x0000000000400000-0x0000000000434000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\QS\SAS.exe	TeamViewer.exe
File created	C:\Program Files (x86)\QS\SAS.exe	TeamViewer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3180	TeamViewer.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3180	TeamViewer.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 2416	1224	e9bedfa5624c03bc97f4b483b65d8fdf_JaffaCakes118.exe	88
PID 1224 wrote to memory of 2416	1224	e9bedfa5624c03bc97f4b483b65d8fdf_JaffaCakes118.exe	88
PID 1224 wrote to memory of 2416	1224	e9bedfa5624c03bc97f4b483b65d8fdf_JaffaCakes118.exe	88
PID 2416 wrote to memory of 3180	2416	TeamViewer_.exe	89
PID 2416 wrote to memory of 3180	2416	TeamViewer_.exe	89
PID 2416 wrote to memory of 3180	2416	TeamViewer_.exe	89

C:\Users\Admin\AppData\Local\Temp\e9bedfa5624c03bc97f4b483b65d8fdf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e9bedfa5624c03bc97f4b483b65d8fdf_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Users\Admin\temp\TeamViewer\Version4\TeamViewer_.exe
  "C:\Users\Admin\temp\TeamViewer\Version4\TeamViewer_.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Users\Admin\temp\TeamViewer\Version4\TeamViewer.exe
    "C:\Users\Admin\temp\TeamViewer\Version4\TeamViewer.exe" --qsc --pw ""
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nso8FDD.tmp\Base64.dll

Filesize
456KB

MD5
9459a28dbb2752d59eaa8fbb5cf8c982

SHA1
4ad7eb230cf6d05df967037225fa19dd385bf7cb

SHA256
4688dcd01db816485a770cb8fc047fef9a408f3dbec5a2c83752fee115ce6963

SHA512
7dff6414f4215aa4c7a168158b4ac5dd422c7dd35c6af58bce658c6bf9bf5a3545a5ee0db5f5d47a17c7ae53cb54551b98b492137e36c73e684b2041d775cd97

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso8FDD.tmp\GetVersion.dll

Filesize
5KB

MD5
c6910d6e78c2e5f9d57d0bc6d8f6b736

SHA1
a395099062298b3f3c015359b227ca02a72c6e2c

SHA256
b2c32af2b0d75dfd08ae4e1ad7c5897957240b32bf7a16855d6a46512d272b9b

SHA512
4cd45b887ce5b7fecfd863cae83817465d7378cc9f5b50f5762d5f209c55a37257d94e91dea4c91c66f2c5bf22cdc1f5545eeef52a090f05cceeedf59bbd2a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso8FDD.tmp\System.dll

Filesize
10KB

MD5
cfbae93f361e2b430743e423709a483f

SHA1
9d31546592a9e6817025cc5026fee769e9a6c015

SHA256
0f4aac375087f0a5df393d7463bd462193008922136a2aba8619736223ba7add

SHA512
485bc9c83087a1a6f48a5508ee390384c2db93b9d50c295280337dad78b47f65aaa0caea8d6d23ef25f86b73cd2e724cb88a738f6b53037e47225c6522f912b3

Download Submit
C:\Users\Admin\temp\TeamViewer\Version4\SAS.exe

Filesize
53KB

MD5
bf3bcd752bdabfa1f1e84b7462738103

SHA1
34cb8ea7d47467cace271e03b7869f37b0ecb30a

SHA256
90fe790e189c384f2ab82958057f91fdf40888c2ed3c0471bd7b85d5b36c7810

SHA512
6d5362c4d354319845f4522e0d1132c32a6779efc4c013c8c7bd489fddf39cbb5dfb72b135487b660d156d7774e5be4acc03c3fcecdb6dabcfad12630a3f5955

Download Submit
C:\Users\Admin\temp\TeamViewer\Version4\TV.dll

Filesize
64KB

MD5
4b030749eef3498b8efbaf2877a59fb5

SHA1
70d65a57582fa7145bcf7198e0751e5a3bfffcc5

SHA256
ee4f367a4074fa13d15eb17ae9e140d38b249959a29d6e4146c0577df2fed01b

SHA512
9a265c06a377bbcaba9b6b0e2752657701fd1fb82613d7ba520e4739108951d0059e1c8d7533a3e94928e5971a9d2fc575d3adc67f4ac768f844c63a5e11e8c7

Download Submit
C:\Users\Admin\temp\TeamViewer\Version4\TeamViewer.exe

Filesize
3.4MB

MD5
2e027f3b572c218c64d6a511b14a4187

SHA1
eeb9ac3cbd08834c7ae71c79fb3d77c98f174d80

SHA256
efc1c03fe3e38079ac2c12f86ba6fdcc4889a22738539e82293f9f008d60a101

SHA512
4f05f6232bf5f13a545022de1a097755d17a4d3414cf1a97d854cacb4e57ad8835778d638541632ef23730bb43dbe4b4d521cc042617aabc0f14a01b58becaf5

Download Submit
C:\Users\Admin\temp\TeamViewer\Version4\TeamViewer.ini

Filesize
452B

MD5
864d6a8d6253aec55b990b3b178c255d

SHA1
c8a3283d6bc2cc9e7c38a401337bf43fc5fde465

SHA256
d94df105801813992dba1f18a9be3d165585a1138118f4c833fa70097c6cf858

SHA512
f22553ca2da48880543d3bf58c5ad470568b02c8103c2dbb79212fc659aa182cd8c7de104afa48313be868699081f5d2c182aec56ac8dee676c24d0403a3f503

Download Submit
C:\Users\Admin\temp\TeamViewer\Version4\TeamViewer_.exe

Filesize
1.4MB

MD5
acf29765d8cf2b26ecb3f8c373a1e6e7

SHA1
13c10b8f6cb01afece13c7428ee87c2c86e62064

SHA256
d0a6b4abf0cc538015de5ea61b8f812bfa115f3457c1c698cd8620aab25f8f7c

SHA512
fa210e9092b996b3ab4ecd93081a637b28b2c3f17434a0e85acfaff9904e84bf7f2aacad418af4211b84626cefe0bf4defba850081abb7631f0721fd10791635

Download Submit
C:\Users\Admin\temp\TeamViewer\Version4\logo.bmp

Filesize
51KB

MD5
ced6ada8ab91706b197996b798b6b29a

SHA1
279b57480e04968d87b3d3fc33ef62b61a7eae37

SHA256
9ac677f9f7eaf198f804e14adc550020cc5de119ea5c4c502529cc27e12c9361

SHA512
be1ea786a176df81d71e27555db5ca38d4f68febe54057f59d02560108df225a31b9bd41f066d72506c2cdb3bb4812127b7c46336818dd21f37518c45b94258e

Download Submit
memory/1224-8-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1224-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2416-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2416-45-0x0000000010000000-0x00000000100A0000-memory.dmp

Filesize
640KB

Download
memory/2416-62-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3180-68-0x00000000032D0000-0x00000000032D1000-memory.dmp

Filesize
4KB

Download
memory/3180-70-0x00000000032D0000-0x00000000032D1000-memory.dmp

Filesize
4KB

Download