78c3e8ab0454feee3413e08cfe00a7349e058e3432e2ad2c5927f441a78ac3d7

General

Target

6e7bc49b91419790ae05bb2892f87481_JaffaCakes118.exe
Size

3.1MB
MD5

6e7bc49b91419790ae05bb2892f87481
SHA1

5332c21a808a432bb118a19b8f5123e70ba313c0
SHA256

78c3e8ab0454feee3413e08cfe00a7349e058e3432e2ad2c5927f441a78ac3d7
SHA512

7f4530a7f52f9d7bc67e5919f8c4da500d13465e09a9e46936b835709af91e1fe7cab7a63a5f62f13d6882bb93b9ea897193e886c74a3e50b6bf1efd757efd87
SSDEEP

49152:G7lHuYZXHgB6dk6agmUWUpChfWUTr/n85q7YV7crwIr2BioEm63QiKvyGaLKOQ:G7lO63g8DagSUMhOUTj8YIAVr2LAMuuX

Score

7^/10

spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6e7bc49b91419790ae05bb2892f87481_JaffaCakes118.exeTeamViewer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	6e7bc49b91419790ae05bb2892f87481_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	TeamViewer.exe

Executes dropped EXE 1 IoCs

Processes:

TeamViewer.exe

pid process

3104 TeamViewer.exe
Loads dropped DLL 4 IoCs

Processes:

TeamViewer.exe

pid process

3104 TeamViewer.exe
3104 TeamViewer.exe
3104 TeamViewer.exe
3104 TeamViewer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3104	TeamViewer.exe

pid	process
3104	TeamViewer.exe
3104	TeamViewer.exe
3104	TeamViewer.exe
3104	TeamViewer.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

6e7bc49b91419790ae05bb2892f87481_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\TeamViewer\autorun.inf	6e7bc49b91419790ae05bb2892f87481_JaffaCakes118.exe
File created	C:\TeamViewer\autorun.inf	6e7bc49b91419790ae05bb2892f87481_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

TeamViewer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	TeamViewer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c953000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df1400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3617e000000010000000800000000c0032f2df8d6016800000001000000000000000300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	TeamViewer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 5c000000010000000400000000080000190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e56800000001000000000000007e000000010000000800000000c0032f2df8d6011d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331336200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df09000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c9040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	TeamViewer.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

TeamViewer.exe

pid process

3104 TeamViewer.exe
3104 TeamViewer.exe
3104 TeamViewer.exe
3104 TeamViewer.exe
3104 TeamViewer.exe
3104 TeamViewer.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

TeamViewer.exe

description pid process

Token: SeDebugPrivilege 3104 TeamViewer.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

TeamViewer.exe

pid process

3104 TeamViewer.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

TeamViewer.exe

pid process

3104 TeamViewer.exe

pid	process
3104	TeamViewer.exe
3104	TeamViewer.exe
3104	TeamViewer.exe
3104	TeamViewer.exe
3104	TeamViewer.exe
3104	TeamViewer.exe

description	pid	process
Token: SeDebugPrivilege	3104	TeamViewer.exe

pid	process
3104	TeamViewer.exe

pid	process
3104	TeamViewer.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

6e7bc49b91419790ae05bb2892f87481_JaffaCakes118.exe

description	pid	process	target process
PID 4560 wrote to memory of 3104	4560	6e7bc49b91419790ae05bb2892f87481_JaffaCakes118.exe	TeamViewer.exe
PID 4560 wrote to memory of 3104	4560	6e7bc49b91419790ae05bb2892f87481_JaffaCakes118.exe	TeamViewer.exe
PID 4560 wrote to memory of 3104	4560	6e7bc49b91419790ae05bb2892f87481_JaffaCakes118.exe	TeamViewer.exe

C:\Users\Admin\AppData\Local\Temp\6e7bc49b91419790ae05bb2892f87481_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6e7bc49b91419790ae05bb2892f87481_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops autorun.inf file
- Suspicious use of WriteProcessMemory
PID:4560

C:\TeamViewer\TeamViewer.exe
"C:\TeamViewer\TeamViewer.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\TeamViewer\TV_w32.dll

Filesize
49KB

MD5
7a436c16696c3851ffc0cdb3f97f362b

SHA1
6f98563299871755f06912ddcd11b032fa896ec8

SHA256
cfd60cadf622518448860a0874d8d252a755d9f8a23fd3f4bb5273af193e5c58

SHA512
29b2a53b28bbe6c518a8d647e8b958f4710862aa1cfe815a8460e718c20edd9a55f3d33239169f6ddeef561cbd19dc47f855aead92fe79a2c0bd26c827740fbb

Download Submit
C:\TeamViewer\TV_w32.exe

Filesize
105KB

MD5
d7d7adf4f9b04255bcdf693670f6ef96

SHA1
017ef943805c383479fd5c381ba351386d7d0115

SHA256
06c1216a98c190d11909a7635ae9d831484c2f8b7a3d5a3e376dc7122868500b

SHA512
3c38fc755fd2287eea0ec9487540890b51ae3afa5d5493e05450e174a92fa753f7d9ea30267c67b8ea479c40b66db37b876a79d84376dc3f3d2e59034f68c86a

Download Submit
C:\TeamViewer\TV_x64.dll

Filesize
51KB

MD5
87d3dd705238cd08d885f93905fd0e13

SHA1
911bbbd4996125916bc7e849e37f9b3fce282477

SHA256
4e9645d407285a9cc2926ac9b40b76f5e03b98995c5bd52ae710e42d9b8eb9db

SHA512
01f903edc55c574b7e29ea7426d853a0a5cbfd80f2c3657df46cf09ac616622e0a13dd8adab8aba14b685181f2b6a8cca4101810951832c5117c39d0a4e12cd0

Download Submit
C:\TeamViewer\TV_x64.exe

Filesize
140KB

MD5
4cf9fd8a34fafe2b553bbb4a79e097d9

SHA1
77784c0a51cba79cceb1ae3bdca80ee03161f5fa

SHA256
3e5ef714899c41879f418fc6859623b3636c34e3fd01ea18571cb439e38582fd

SHA512
52a7f166b71f755d44f6e5acbc134a005458f491493891d478de7548c608919108763a002eaec3a2acae47ba477cbefc7a3dd879f5199f274efcab4a58b9fb63

Download Submit
C:\TeamViewer\TeamViewer.exe

Filesize
7.3MB

MD5
3dc242d675e2bacdb3b22bff000ca13a

SHA1
ceabce83a4a3dd0ca587cce9cd54052e90d0bdb7

SHA256
fb59de15670fa0254939ff20764157a5cd96d1fcb2ce73a73697e6a051387d6d

SHA512
a8f66c0e7d05280ba9d56beb6748a0f90bcd1ab41af9578308cc67a9703a297b7f0f64a396563c745b0a2ba5cdc59400f8718b27d7aff5e7127683176fe978f1

Download Submit
C:\TeamViewer\TeamViewer.ini

Filesize
130B

MD5
84fa078491baecf73c525d1aa793a495

SHA1
b4988c98a93f03747c31bde14d3c1f31462d37fc

SHA256
26d13ecbbe00b12cb09ea518d98014ae1c2cb0a32f0969e17e2e902a2288657a

SHA512
85c0127a368268a1f31e58ccbd6b763d2894612e35fad092d8fe57cf2cbfc6fd8065ff1e8229202802c9eb7eef8c77705b8bc0b3cc33dad3b4df37cf1599f3eb

Download Submit
C:\TeamViewer\TeamViewer_Resource_de.dll

Filesize
1.3MB

MD5
5e191a58a4ab6d9b490073bb361419d8

SHA1
bffd7676b6206ba248705fc816b4dcacc18d3260

SHA256
b23ee4fc714f73fc2c8b55bf3e4bad341e033b6b56a320cf1171f3f3c68de043

SHA512
6b58c0025694d0ac705987faa7a2ffd090c522d5c2773c51f8c80eff772498a363a84c764e12a1e16fb2f5df5fb644780e1748ad65111d5e0affadbab4e7506c

Download Submit
C:\TeamViewer\TeamViewer_Resource_en.dll

Filesize
1.3MB

MD5
bb97158f484d5630978188c6520beac6

SHA1
120a74126752f3ae0c371174004c40219fad6e96

SHA256
84e121bc9938dd70a5b1c9c950d829e1a36766cf87b040eced0d2b7d136e04b9

SHA512
2fa09f46770a330e7bcf1714b958ff696c8ffbb0549fd7f431bd1367db634573aef6d4071efa86a4269aac477d3d0fd6842a9647671c1c5960621ea4df676d28

Download Submit
memory/3104-99-0x0000000001370000-0x0000000001371000-memory.dmp

Filesize
4KB

Download
memory/3104-106-0x00000000039B0000-0x00000000039D7000-memory.dmp

Filesize
156KB

Download
memory/3104-107-0x0000000001370000-0x0000000001371000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads