Analysis

max time kernel:  129s
max time network: 133s
platform:         windows7_x64
resource:         win7-20240221-en
resource tags:    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted:        22-05-2024 01:40
Behavioral tasks

Task          Sample                                               Resource
behavioral1   658e8407e9f68028acd01f749fae5fdd_JaffaCakes118.exe   win7-20240419-en
behavioral2   658e8407e9f68028acd01f749fae5fdd_JaffaCakes118.exe   win10v2004-20240508-en
behavioral3   $TEMP/TeamViewer/Version4/TeamViewer_.exe            win7-20240221-en
behavioral4   $TEMP/TeamViewer/Version4/TeamViewer_.exe            win10v2004-20240508-en
behavioral5   $PLUGINSDIR/Base64.dll                               win7-20240220-en
behavioral6   $PLUGINSDIR/Base64.dll                               win10v2004-20240426-en
behavioral7   $PLUGINSDIR/GetVersion.dll                           win7-20240221-en
behavioral8   $PLUGINSDIR/GetVersion.dll                           win10v2004-20240508-en
behavioral9   $PLUGINSDIR/NSISdl.dll                               win7-20240419-en
behavioral10  $PLUGINSDIR/NSISdl.dll                               win10v2004-20240508-en
behavioral11  $PLUGINSDIR/System.dll                               win7-20240215-en
behavioral12  $PLUGINSDIR/System.dll                               win10v2004-20240508-en
behavioral13  $PLUGINSDIR/UAC.dll                                  win7-20240419-en
behavioral14  $PLUGINSDIR/UAC.dll                                  win10v2004-20240426-en
behavioral15  $PLUGINSDIR/UserInfo.dll                             win7-20240221-en
behavioral16  $PLUGINSDIR/UserInfo.dll                             win10v2004-20240508-en
behavioral17  $TEMP/TeamViewer/Version4/SAS.exe                    win7-20240221-en
behavioral18  $TEMP/TeamViewer/Version4/SAS.exe                    win10v2004-20240426-en
behavioral19  $TEMP/TeamViewer/Version4/TV.dll                     win7-20240220-en
behavioral20  $TEMP/TeamViewer/Version4/TV.dll                     win10v2004-20240508-en
behavioral21  $TEMP/TeamViewer/Version4/TeamViewer.exe             win7-20240508-en
behavioral22  $TEMP/TeamViewer/Version4/TeamViewer.exe             win10v2004-20240226-en
behavioral23  $TEMP/TeamViewer/Version4/TeamViewer_Service.exe     win7-20240221-en
behavioral24  $TEMP/TeamViewer/Version4/TeamViewer_Service.exe     win10v2004-20240426-en
General

Target: $TEMP/TeamViewer/Version4/TeamViewer_.exe
Size:   1.4MB
MD5:    fef783b93197986c60cd34c9b385bb91
SHA1:   9784dabbbb4b2e0b25a00c2ffbdc6bc348813a25
SHA256: 1db4fdc98e47ff1e9c2d242d010760425b9997ab75b6fa32848c388f8d41e29a
SHA512: e048882c97f87a10c302ba74d42d8a9e3830d333b95033fca748c0ad93b5c0def54104b986388301a60f44018bdeb1eae4ff0d8415028e4159401a0168e4a72a
SSDEEP: 24576:uaTstd4Y2e+WA6KOGGeRY2lrWE/eNZ+8+THJr+PD7RhgqkvjE1zabQgNMlIOtuoZ:VTWQ3OGGeN/KPdhzabQgNMlDtuF52B
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Processes:
  pid   process
  2772  TeamViewer.exe

Loads dropped DLL (9 IoCs)
Processes:
  pid   process
  2240  TeamViewer_.exe
  2240  TeamViewer_.exe
  2240  TeamViewer_.exe
  2240  TeamViewer_.exe
  2240  TeamViewer_.exe
  2240  TeamViewer_.exe
  2240  TeamViewer_.exe
  2240  TeamViewer_.exe
  2772  TeamViewer.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Processes:
  resource                                                                    yara_rule
  behavioral3/memory/2240-0-0x0000000000400000-0x0000000000433000-memory.dmp   upx
  behavioral3/memory/2240-50-0x0000000000400000-0x0000000000433000-memory.dmp  upx

Drops file in Program Files directory (2 IoCs)
Processes:
  description                   ioc                                  process
  File created                  C:\Program Files (x86)\QS\SAS.exe    TeamViewer.exe
  File opened for modification  C:\Program Files (x86)\QS\SAS.exe    TeamViewer.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid   process
  2772  TeamViewer.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description                          pid   process          target process
  PID 2240 wrote to memory of 2772     2240  TeamViewer_.exe  TeamViewer.exe
  PID 2240 wrote to memory of 2772     2240  TeamViewer_.exe  TeamViewer.exe
  PID 2240 wrote to memory of 2772     2240  TeamViewer_.exe  TeamViewer.exe
  PID 2240 wrote to memory of 2772     2240  TeamViewer_.exe  TeamViewer.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\$TEMP\TeamViewer\Version4\TeamViewer_.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\$TEMP\TeamViewer\Version4\TeamViewer_.exe"
   PID: 2240
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\temp\TeamViewer\Version4\TeamViewer.exe (child of PID 2240)
      Command line: "C:\Users\Admin\temp\TeamViewer\Version4\TeamViewer.exe"
      PID: 2772
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v15
Downloads