Analysis
-
max time kernel: 142s
max time network: 169s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 28-03-2024 22:51
Static task: static1
Behavioral task: behavioral1
  Sample: 120e555c6bd701aecfb36f851f5a4782_JaffaCakes118.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 120e555c6bd701aecfb36f851f5a4782_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
-
Target: 120e555c6bd701aecfb36f851f5a4782_JaffaCakes118.exe
Size: 1.0MB
MD5: 120e555c6bd701aecfb36f851f5a4782
SHA1: 2e54fa8e4843e0a11169d4019fcbda27654e8096
SHA256: 20ee9ee7d02539faf4da844dc11c849edf7c7e73cc5a7f2e38d4b2db7cef8846
SHA512: 0bcadb8106ed698b673e664c23f599c7d97ed92f905aed1ee90ba5eb17300cbfa01f563c85dc736ba6172a47f4e13e2345b56fe330a1aa6bf5ac69d06c5487b7
SSDEEP: 24576:rAOcZEhJBDC6qaS9P9QPrwua6TPY5I7nT1RMwa+wf:tPha59Qw96c5IzTXM7+A
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.thts.vn
- Port: 587
- Username: [email protected]
- Password: 123luongngan1989
- Email To: [email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla payload 2 IoCs
Processes:
resource | yara_rule
behavioral2/memory/3484-78-0x0000000000F00000-0x00000000014A1000-memory.dmp | family_agenttesla
behavioral2/memory/3484-79-0x0000000000F00000-0x0000000000F3C000-memory.dmp | family_agenttesla
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 120e555c6bd701aecfb36f851f5a4782_JaffaCakes118.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | 120e555c6bd701aecfb36f851f5a4782_JaffaCakes118.exe
-
Executes dropped EXE 1 IoCs
Processes: xsbv.pif
pid | process
1632 | xsbv.pif
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes: RegSvcs.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Key opened | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Key opened | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: xsbv.pif
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\72418024\\xsbv.pif c:\\72418024\\qnnrxskm.kgp" | xsbv.pif
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AutoUpdate = "c:\\72418024\\Update.vbs" | xsbv.pif
-
Suspicious use of SetThreadContext 1 IoCs
Processes: xsbv.pif
description | pid | process | target process
PID 1632 set thread context of 3484 | 1632 | xsbv.pif | RegSvcs.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes: RegSvcs.exe
pid | process
3484 | RegSvcs.exe
3484 | RegSvcs.exe
3484 | RegSvcs.exe
3484 | RegSvcs.exe
3484 | RegSvcs.exe
3484 | RegSvcs.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: RegSvcs.exe
description | pid | process
Token: SeDebugPrivilege | 3484 | RegSvcs.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: RegSvcs.exe
pid | process
3484 | RegSvcs.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes: 120e555c6bd701aecfb36f851f5a4782_JaffaCakes118.exe, xsbv.pif
description | pid | process | target process
PID 1560 wrote to memory of 1632 | 1560 | 120e555c6bd701aecfb36f851f5a4782_JaffaCakes118.exe | xsbv.pif
PID 1560 wrote to memory of 1632 | 1560 | 120e555c6bd701aecfb36f851f5a4782_JaffaCakes118.exe | xsbv.pif
PID 1560 wrote to memory of 1632 | 1560 | 120e555c6bd701aecfb36f851f5a4782_JaffaCakes118.exe | xsbv.pif
PID 1632 wrote to memory of 3484 | 1632 | xsbv.pif | RegSvcs.exe
PID 1632 wrote to memory of 3484 | 1632 | xsbv.pif | RegSvcs.exe
PID 1632 wrote to memory of 3484 | 1632 | xsbv.pif | RegSvcs.exe
PID 1632 wrote to memory of 3484 | 1632 | xsbv.pif | RegSvcs.exe
PID 1632 wrote to memory of 3484 | 1632 | xsbv.pif | RegSvcs.exe
-
outlook_office_path 1 IoCs
Processes: RegSvcs.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
-
outlook_win_path 1 IoCs
Processes: RegSvcs.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\120e555c6bd701aecfb36f851f5a4782_JaffaCakes118.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\120e555c6bd701aecfb36f851f5a4782_JaffaCakes118.exe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
  C:\72418024\xsbv.pif (depth 2)
  Command line: "C:\72418024\xsbv.pif" qnnrxskm.kgp
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  -
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 3)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
Downloads
-
C:\72418024\dknxwoc.eqj
Filesize: 427KB
MD5: 4639516567877fd3c7d39266ddc4667a
SHA1: a441f0d50762df469b50142ac7c2d51db3a93bac
SHA256: c5225ddb47320aba407642956037253ef03d1e80d6eff41002d1fbbd325f9600
SHA512: 5bb4310f377eec531b92bbf982341111f35070a68499629520c1dad1718b234df92f7419bdc2b3ab04002857446ea6d6afa1b8d9702ddb08384cd6ba790416c5
-
C:\72418024\prsrqhkfis.docx
Filesize: 56KB
MD5: 613ae5df2cb58af96ebf37aecd89a70c
SHA1: 917b1221ec7b78c5a3df1d3087f9eabe7f91f0e9
SHA256: 2ffe62b582951670373705aba8219e47a4c51b48ec9890a492581682eb8ea674
SHA512: 7e114a9aea587f99da0fed1b33296cd76e0e0c3f57b21390da6ce2e49cde2cf1d083482d6beaff52bb661de93414e57874e069882386743503c45546d1537f3f
-
C:\72418024\qnnrxskm.kgp
Filesize: 143.5MB
MD5: 85a5728a74bc859321f089eb3f530e52
SHA1: d431be9c6b958020ac18c17531d1f016cb39fb63
SHA256: 85011f1a8f5e22a42ef483b64838d770315cdd0fab46fe3bf27b3c0a4be5110e
SHA512: d1ba2e5f5c820d43a021f4e416a438d659d3ad56f7b6665789278ca06367c2ffd5e2f5d1d1722976e3fce2c21458daaf322b79b8dd7854be86751b61d10c2133
-
C:\72418024\xsbv.pif
Filesize: 759KB
MD5: 8e699954f6b5d64683412cc560938507
SHA1: 8ca6708b0f158eacce3ac28b23c23ed42c168c29
SHA256: c9a2399cc1ce6f71db9da2f16e6c025bf6cb0f4345b427f21449cf927d627a40
SHA512: 13035106149c8d336189b4a6bdaf25e10ac0b027baea963b3ec66a815a572426b2e9485258447cf1362802a0f03a2aa257b276057590663161d9d55d5b737b02
-
memory/3484-82-0x0000000005C60000-0x0000000005CF2000-memory.dmp
Filesize: 584KB
-
memory/3484-79-0x0000000000F00000-0x0000000000F3C000-memory.dmp
Filesize: 240KB
-
memory/3484-80-0x00000000726E0000-0x0000000072E90000-memory.dmp
Filesize: 7.7MB
-
memory/3484-81-0x0000000006210000-0x00000000067B4000-memory.dmp
Filesize: 5.6MB
-
memory/3484-78-0x0000000000F00000-0x00000000014A1000-memory.dmp
Filesize: 5.6MB
-
memory/3484-83-0x0000000005B40000-0x0000000005B50000-memory.dmp
Filesize: 64KB
-
memory/3484-84-0x0000000005DD0000-0x0000000005E6C000-memory.dmp
Filesize: 624KB
-
memory/3484-85-0x00000000061F0000-0x0000000006208000-memory.dmp
Filesize: 96KB
-
memory/3484-86-0x0000000006A90000-0x0000000006AF6000-memory.dmp
Filesize: 408KB
-
memory/3484-87-0x00000000726E0000-0x0000000072E90000-memory.dmp
Filesize: 7.7MB
-
memory/3484-88-0x0000000005B40000-0x0000000005B50000-memory.dmp
Filesize: 64KB
-
memory/3484-89-0x00000000019B0000-0x0000000001A00000-memory.dmp
Filesize: 320KB
-
memory/3484-90-0x0000000001A30000-0x0000000001A3A000-memory.dmp
Filesize: 40KB