Malware Analysis Report

2024-11-30 06:32

Sample ID 240612-vp2y3awfpq
Target a172fc22a79865d753796978f67df0bb_JaffaCakes118
SHA256 b6d766a2b873cf8bb718d897a27c208e0398d8fcd1c46ac748fa3c3055893104
Tags
persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

b6d766a2b873cf8bb718d897a27c208e0398d8fcd1c46ac748fa3c3055893104

Threat Level: Shows suspicious behavior

The file a172fc22a79865d753796978f67df0bb_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

persistence spyware stealer

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 17:10

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 17:10

Reported

2024-06-12 17:13

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a172fc22a79865d753796978f67df0bb_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VPCREMOTE_en-idc3439umh.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\a172fc22a79865d753796978f67df0bb_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 | C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = (binary certificate blob, not reproduced in this report) | C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = (binary certificate blob, not reproduced in this report) | C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a172fc22a79865d753796978f67df0bb_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a172fc22a79865d753796978f67df0bb_JaffaCakes118.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3668,i,1067197275908310731,12785105794523264014,262144 --variations-seed-version --mojo-platform-channel-handle=4404 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VPCREMOTE_en-idc3439umh.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VPCREMOTE_en-idc3439umh.exe

C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer.exe

"C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer.exe" --configuration 3439umh

C:\Users\Admin\AppData\Local\Temp\TeamViewer\tv_w32.exe

"C:\Users\Admin\AppData\Local\Temp\TeamViewer\tv_w32.exe" --action hooks --log C:\Users\Admin\AppData\Roaming\TeamViewer\TeamViewer12_Logfile.log

C:\Users\Admin\AppData\Local\Temp\TeamViewer\tv_x64.exe

"C:\Users\Admin\AppData\Local\Temp\TeamViewer\tv_x64.exe" --action hooks --log C:\Users\Admin\AppData\Roaming\TeamViewer\TeamViewer12_Logfile.log

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | configdl.teamviewer.com | udp
US | 8.8.8.8:53 | ping3.teamviewer.com | udp
US | 8.8.8.8:53 | ping3.teamviewer.com | udp
US | 8.8.8.8:53 | ping3.teamviewer.com | udp
US | 8.8.8.8:53 | ping3.teamviewer.com | udp
US | 8.8.8.8:53 | ping3.teamviewer.com | udp
US | 8.8.8.8:53 | ping3.teamviewer.com | udp
US | 8.8.8.8:53 | ping3.teamviewer.com | udp
US | 8.8.8.8:53 | ping3.teamviewer.com | udp
US | 8.8.8.8:53 | ping3.teamviewer.com | udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VPCREMOTE_en-idc3439umh.exe

MD5 bc17bbd7dac89fbdcc5fbf66f395d3a6
SHA1 8dffdd70255920ad2df3d0a4bfe50099d85d29fa
SHA256 42892c2cd7ba008c1297278ee41fa818a9375f38ef42d9c33d65f922b2fd6dd4
SHA512 4dd41458b89781afcdee85c9d677657d801ae12d6783d3c77a0739c17e159c2452e268b03d10a7adfc4cb26bee074e76c8690712fad002419c682ec7d05ed893

C:\Users\Admin\AppData\Local\Temp\nsb22C7.tmp\TvGetVersion.dll

MD5 b1c0c4b14c3b6787ab1e1e4f91579c4a
SHA1 f099b16e9e33decafee22da17574771968565c58
SHA256 f89a02e858183d373d35dfffc21359acf3d45eb96f8206c3581ba05ce49d2023
SHA512 76718483b8f07704409a69b9a4613e9fc48fad0dc0b9dd9f435e44d1f174dce6ae8eec56c94e24b0a289aa78c5421e2258f977c12182e1422570fd33f1cf463b

C:\Users\Admin\AppData\Local\Temp\nsb22C7.tmp\System.dll

MD5 0ff2d70cfdc8095ea99ca2dabbec3cd7
SHA1 10c51496d37cecd0e8a503a5a9bb2329d9b38116
SHA256 982c5fb7ada7d8c9bc3e419d1c35da6f05bc5dd845940c179af3a33d00a36a8b
SHA512 cb5fc0b3194f469b833c2c9abf493fcec5251e8609881b7f5e095b9bd09ed468168e95dda0ba415a7d8d6b7f0dee735467c0ed8e52b223eb5359986891ba6e2e

C:\Users\Admin\AppData\Local\Temp\nsb22C7.tmp\nsis7z.dll

MD5 87853c0f20f065793bdc707ece66190b
SHA1 738e11a9a565923ec75400a0cd4bce4db257b21d
SHA256 66b2f36274ddfeef35b1d6ae6e5755f834446e5d78a719063347543793987161
SHA512 febfcd11795f4ef0ff3d25cbf1856be01e7f6423a9f16028c927988c04ab21de5f0b076d7f4ce9294aa7603c0db61ea5ffb888af2e9f7c6a6a11bcabfe9795a2

memory/2740-28-0x0000000006A50000-0x0000000006A82000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer.exe

MD5 0845a0c0ad188ece8d013174ea2e16d9
SHA1 c5674d149d4408e369da52cd7a88a96a9c8256f5
SHA256 df128d2bed4b62e1b51fcde808cd0fb25561440684eb51bfe85729c6017a5b5d
SHA512 dd65ea134d47aa16548aebba606f0ca9be5f9f72811ca1675bf1560cafa7780ce11c3fd66874eb3a32ebb02666a4c84d9abc09bbd077bbb6eab053aaf3adec2f

C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_StaticRes.dll

MD5 b8fa15355c889d14dff87fa723c336e1
SHA1 ff33f4fab283d9ba75088c755931ecc49223e640
SHA256 c917e01bfa61d9f98fb21a4fd416a27c0dd1e063cff711bed9b23339f6ae3556
SHA512 9fda6621e50d72290b14671f78b7f634234321ddb8bf9cad27f3bef88eedb18ac07a6c431143fe2c39e1d719cd2b5efff79556482688f554aeb81a556d00d0ff

C:\Users\Admin\AppData\Local\Temp\TeamViewer\TV_x64.exe

MD5 fc1ec1e1f5b894f21f994563ee0deb5c
SHA1 9afa1cb08f46611c0bffda15eecda1e148ef24a6
SHA256 02348a9bcfd2ee3b07a4fcd4575b3774f777ec9c01cc674aeaae113a87d1e02f
SHA512 2b1146ebe451f49169281972daa8d617c3f73a51c79063b345d55989582b8c33f80105d4697a177ddcd4465224c502e125e779b79788beb7dfb9e99923673a6d

C:\Users\Admin\AppData\Local\Temp\TeamViewer\TV_x64.dll

MD5 3c09a063e09c15d85d286c6787fcc982
SHA1 197fa541b14bda5aeeaf16bc058fc78864002dae
SHA256 8d6c45de7afc008ad2bac1a0ab364c21844f5aefd23ec7562f46c445243a3178
SHA512 2f3501b2455a0e189864e34c8e30e625a44f7233195685d32d273dc30c12c94d9e63d18bcec07f49aa1c4ff71052fc9e9f4465ec7ed258fed04f25bc87d8bf6e

C:\Users\Admin\AppData\Local\Temp\TeamViewer\TV_w32.exe

MD5 b2e31add16c2e3e8408330443839c1fd
SHA1 2ba56ea53c3b1fb544e5cb6dc3fbe94c9c24a57b
SHA256 40535e5d76eaec277089c24578925bdf8efd42e0be015285cce4897f41eedb05
SHA512 1fd8a838bc14a6bff6d097c0d1ee05bea59be242dc78dd9ce68d54bc503d6e7dc5af3ee570df904b027caa1dd83a5b6ea5d784e525bfab6a75e1b815dadc8b71

C:\Users\Admin\AppData\Local\Temp\TeamViewer\TV_w32.dll

MD5 7a41da04d8845f15d45a48ee41456ff0
SHA1 05a367a773891015fa5c79758e0c5acd0dbfe92f
SHA256 66f1a2040a1fe4e08e3354db8ca896d123d6ada86d8885ce75b2d3128e5aafab
SHA512 06422cac12efe9d92b79824265f7f763d996234fc144ffed52f8d7f00c3a2928ec61fcaa21f44e1de73b1f2e603826ddcf46505c6b37d12621eb4761d7a16da2

C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_Resource_en.dll

MD5 5ab93337d708b6b53020a0fd9767f637
SHA1 d7ed832529a36167de542f4c6b0fab16ca7c43e7
SHA256 af8ed7f91f7ac70722d3e1e9b4861022349b3bf2f94231ac4de77a4f1c301262
SHA512 5c1d19f445974e048f8ef46cb18425207ad4735236e85a1e4f0479851876939a7fb1dc59d76d042998af1942ed30880de9977678b8a789231b5a9bc5309cf854

C:\Users\Admin\AppData\Local\Temp\TeamViewer\tvinfo.ini

MD5 76a395867fe4173bf83900fa6b12965e
SHA1 eddc7e1c1ea41b89c942815f8d87a2d240546474
SHA256 7a4c6c0b39b79bb9f1f224382b67fd22bb36f681e9616b1755b517d48053000c
SHA512 e6e2c96d0f49a34402ba0d17bb5fcae25187075fa86d97935259af6abc4d013964a0aab1474a3680309124c33e486841eccec915738ac49282bf3d33d4f200ad

C:\Users\Admin\AppData\Roaming\TeamViewer\TeamViewer12_Logfile.log

MD5 64b7551a0fc394508343e487d04fd1cf
SHA1 8b39640f52485d9a636e8f1e52da20d3293db838
SHA256 d4252cb296a5dc7f3e7195bbdd77d8e4b425aee86deab6f5a8867a050d8b4e18
SHA512 5a55b3b2cbf0d3c9129d15e1a673ff0d56b432086850bb5b0fdde1a64327310fc44ddb47ff739c5e38482654e3856c1d488bea2c9413f2b2fd060024e197d4e1