Overview
7  Static (static)
5  39ce57a07b...18.exe  windows7-x64
7  39ce57a07b...18.exe  windows10-2004-x64
7  $DESKTOP/t...r_.exe  windows7-x64
7  $DESKTOP/t...r_.exe  windows10-2004-x64
7  $DESKTOP/t...AS.exe  windows7-x64
1  $DESKTOP/t...AS.exe  windows10-2004-x64
3  $DESKTOP/t...TV.dll  windows7-x64
3  $DESKTOP/t...TV.dll  windows10-2004-x64
3  $DESKTOP/t...er.exe  windows7-x64
7  $DESKTOP/t...er.exe  windows10-2004-x64
7  $DESKTOP/t...st.exe  windows7-x64
1  $DESKTOP/t...st.exe  windows10-2004-x64
3  $PLUGINSDI...on.dll  windows7-x64
3  $PLUGINSDI...on.dll  windows10-2004-x64
3  $PLUGINSDI...dl.dll  windows7-x64
3  $PLUGINSDI...dl.dll  windows10-2004-x64
3  $PLUGINSDI...em.dll  windows7-x64
3  $PLUGINSDI...em.dll  windows10-2004-x64
3  $PLUGINSDIR/UAC.dll  windows7-x64
3  $PLUGINSDIR/UAC.dll  windows10-2004-x64
3  $PLUGINSDI...fo.dll  windows7-x64
3  $PLUGINSDI...fo.dll  windows10-2004-x64
3 Analysis
max time kernel: 130s
max time network: 130s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
submitted: 12-10-2024 11:37
Behavioral tasks (task id, sample, resource)
behavioral1   39ce57a07b5dfc971c3ce0d76a9f70a3_JaffaCakes118.exe  win7-20240708-en
behavioral2   39ce57a07b5dfc971c3ce0d76a9f70a3_JaffaCakes118.exe  win10v2004-20241007-en
behavioral3   $DESKTOP/temp/TeamViewer3/TeamViewer_.exe  win7-20241010-en
behavioral4   $DESKTOP/temp/TeamViewer3/TeamViewer_.exe  win10v2004-20241007-en
behavioral5   $DESKTOP/temp/TeamViewer3/SAS.exe  win7-20240903-en
behavioral6   $DESKTOP/temp/TeamViewer3/SAS.exe  win10v2004-20241007-en
behavioral7   $DESKTOP/temp/TeamViewer3/TV.dll  win7-20240903-en
behavioral8   $DESKTOP/temp/TeamViewer3/TV.dll  win10v2004-20241007-en
behavioral9   $DESKTOP/temp/TeamViewer3/TeamViewer.exe  win7-20240903-en
behavioral10  $DESKTOP/temp/TeamViewer3/TeamViewer.exe  win10v2004-20241007-en
behavioral11  $DESKTOP/temp/TeamViewer3/TeamViewer_Host.exe  win7-20240903-en
behavioral12  $DESKTOP/temp/TeamViewer3/TeamViewer_Host.exe  win10v2004-20241007-en
behavioral13  $PLUGINSDIR/GetVersion.dll  win7-20240903-en
behavioral14  $PLUGINSDIR/GetVersion.dll  win10v2004-20241007-en
behavioral15  $PLUGINSDIR/NSISdl.dll  win7-20240903-en
behavioral16  $PLUGINSDIR/NSISdl.dll  win10v2004-20241007-en
behavioral17  $PLUGINSDIR/System.dll  win7-20241010-en
behavioral18  $PLUGINSDIR/System.dll  win10v2004-20241007-en
behavioral19  $PLUGINSDIR/UAC.dll  win7-20241010-en
behavioral20  $PLUGINSDIR/UAC.dll  win10v2004-20241007-en
behavioral21  $PLUGINSDIR/UserInfo.dll  win7-20240708-en
behavioral22  $PLUGINSDIR/UserInfo.dll  win10v2004-20241007-en
General
Target: 39ce57a07b5dfc971c3ce0d76a9f70a3_JaffaCakes118.exe
Size: 932KB
MD5: 39ce57a07b5dfc971c3ce0d76a9f70a3
SHA1: 3b3f8f7466d0a199f45ac418042646d1927864d3
SHA256: d5c99d6cab73d6d4fe837adcaabfd38b32f7bdea37546b86d3336aac3d8a1f60
SHA512: a8529f2b260af96f0e3b5a6a6e61c10eeae6276442856027df745f21433b02b84d75991cfd3127687022e6c984f43aa67fb0a133eb512e7370d7383fde4e84ad
SSDEEP: 12288:mQ9fTnBt6urJQ34Lp05r7r5Tck0B6TYNYuPp9B97ucc6n0iXi0nxmhFL6r5cHG92:7nTNQ34L+Tck0BGKhhc65xcFS5cHeOcQ
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  pid   Process
  2348  TeamViewer_.exe
  1636  TeamViewer.exe

Loads dropped DLL (9 IoCs)
  pid   Process
  2560  39ce57a07b5dfc971c3ce0d76a9f70a3_JaffaCakes118.exe
  2348  TeamViewer_.exe (7 entries)
  1636  TeamViewer.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

yara_rule matches
  resource                                                                      yara_rule
  behavioral1/memory/2560-0-0x0000000000400000-0x000000000043B000-memory.dmp    upx
  behavioral1/files/0x00080000000143c3-3.dat                                    upx
  behavioral1/memory/2560-10-0x0000000000400000-0x000000000043B000-memory.dmp   upx
  behavioral1/memory/2560-7-0x0000000000500000-0x0000000000534000-memory.dmp    upx
  behavioral1/memory/2348-54-0x0000000000400000-0x0000000000434000-memory.dmp   upx

Drops file in Program Files directory (2 IoCs)
  description                   ioc                                 Process
  File opened for modification  C:\Program Files (x86)\QS\SAS.exe   TeamViewer.exe
  File created                  C:\Program Files (x86)\QS\SAS.exe   TeamViewer.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  39ce57a07b5dfc971c3ce0d76a9f70a3_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  TeamViewer_.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  TeamViewer.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   Process
  1636  TeamViewer.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process                                              procid_target
  PID 2560 wrote to memory of 2348  2560  39ce57a07b5dfc971c3ce0d76a9f70a3_JaffaCakes118.exe  30  (4 entries)
  PID 2348 wrote to memory of 1636  2348  TeamViewer_.exe                                      31  (4 entries)
Processes (indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\39ce57a07b5dfc971c3ce0d76a9f70a3_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\39ce57a07b5dfc971c3ce0d76a9f70a3_JaffaCakes118.exe"
  PID: 2560
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\temp\TeamViewer3\TeamViewer_.exe
    Command line: "C:\Users\Admin\temp\TeamViewer3\TeamViewer_.exe"
    PID: 2348
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\temp\TeamViewer3\TeamViewer.exe
      Command line: "C:\Users\Admin\temp\TeamViewer3\TeamViewer.exe" --qsc --pw "Lerchenberg"
      PID: 1636
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 53KB
MD5: bf3bcd752bdabfa1f1e84b7462738103
SHA1: 34cb8ea7d47467cace271e03b7869f37b0ecb30a
SHA256: 90fe790e189c384f2ab82958057f91fdf40888c2ed3c0471bd7b85d5b36c7810
SHA512: 6d5362c4d354319845f4522e0d1132c32a6779efc4c013c8c7bd489fddf39cbb5dfb72b135487b660d156d7774e5be4acc03c3fcecdb6dabcfad12630a3f5955

Filesize: 464B
MD5: 0c5e8d5fddda4a6f89e8796108a01d59
SHA1: 1684a8467750d5ee5dca693c6516b0bb31f6553f
SHA256: d7e157855ff7c7fe042e9016a269cfa5d085d42c70da76a1b89a813765113488
SHA512: 312d2c7278daf934ea91474115bea4d96761eab92fee29ea1b3e5662ec149c8edceaeb5ec4ab00cacc3b00deddac4565f17ef46b369e2bb9a27f2d62337ac237

Filesize: 21KB
MD5: 29c70c4c02633a22c402a27024984388
SHA1: aeb95beacc3a4e922bc688f028680bd9a2662131
SHA256: ebce930acc2a6d0c409ac7ebe2e11f5f9341d7d16a3dd8fba0208b98b20aaa31
SHA512: dea3b7acb7b3a2085d26da69edc60fdd177da51449c202cd5caf1f5db92177e9dcec2c0a58c17960053be07ace04c0f0d39bec42f5f17502e1e9f26853b58c08

Filesize: 5KB
MD5: c6910d6e78c2e5f9d57d0bc6d8f6b736
SHA1: a395099062298b3f3c015359b227ca02a72c6e2c
SHA256: b2c32af2b0d75dfd08ae4e1ad7c5897957240b32bf7a16855d6a46512d272b9b
SHA512: 4cd45b887ce5b7fecfd863cae83817465d7378cc9f5b50f5762d5f209c55a37257d94e91dea4c91c66f2c5bf22cdc1f5545eeef52a090f05cceeedf59bbd2a10

Filesize: 10KB
MD5: cfbae93f361e2b430743e423709a483f
SHA1: 9d31546592a9e6817025cc5026fee769e9a6c015
SHA256: 0f4aac375087f0a5df393d7463bd462193008922136a2aba8619736223ba7add
SHA512: 485bc9c83087a1a6f48a5508ee390384c2db93b9d50c295280337dad78b47f65aaa0caea8d6d23ef25f86b73cd2e724cb88a738f6b53037e47225c6522f912b3

Filesize: 9KB
MD5: 5a2e1b4cecb98719af9215ef291a4215
SHA1: 48993673bf8d1e89a8baf89eb022c1c54f6b6d6e
SHA256: 8d3f87d3d98056f7926202846e7e3098802ae9594b5eac5bc029cf17cedfb1bf
SHA512: bdbbfd4b9d51df8ac8aac7a635ec7a1fd2454c9ddf5be376866348d8d6821f4db1e0f7dcc314849794a2b9ac594236ec4fad4b1cd53b14b0040e325727f9cbb2

Filesize: 2.3MB
MD5: 6e1618f999e32fef59e16b0806b71af9
SHA1: c429f254240e7a67a7c2af82df07c9de0ab125d7
SHA256: c552471c74f7365526877c53268c829ff52f8b3d6e56e655f72cb23dbe4b601d
SHA512: 5127032eedc9a7d32eec006017909031eafd85f6a3c92f5ab59520cfb5668b372dab0033090268b5b69747bab2b87139cdbceaeb64adf05f850c37377ee4e2b4

Filesize: 884KB
MD5: c19e56f4daf7c0e6b53dcfdc9a4216a5
SHA1: bf06fc8c2e083161b7fb11d2623c9bf80d6c5c0b
SHA256: 3c7dd6337762b634b1683026a92e92255c4fa9ed19cf93bbe9bfa5beb42e656f
SHA512: bee1b2894981b2e6c30dc411f415b6f00acb2a757f7bdc24c1779777b4f83cec453341894cc06f727a6bec7798f746f3fd44ca3cdbbdbf730aa78177ee0843d0