Analysis
- max time kernel: 144s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 29-03-2024 06:55
Static task: static1
Behavioral task: behavioral1
  Sample: 1b8967a79880dfff1a89796c914a9535_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 1b8967a79880dfff1a89796c914a9535_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
- Target: 1b8967a79880dfff1a89796c914a9535_JaffaCakes118.exe
- Size: 980KB
- MD5: 1b8967a79880dfff1a89796c914a9535
- SHA1: 65c723076961c27a33bc59bc1915ab8c9ebd73ca
- SHA256: 3bff4a308ecd13d7ee25b1327195eb52319660f220377dfc2224ac987ad97778
- SHA512: 91070539e9c157989e12165faf5a0fbcc97027668428e3e5389193a9bf4bb9bfcb43a03f9d6807ba25c6207380d6926503ab04db4099f1957eb890b90a0384f9
- SSDEEP: 24576:rAOcZEhB5zKb28JW6WTq6ai0bagi7vzJ/:ta2E0Tq6d4a5vt
Malware Config
Extracted
agenttesla
- Protocol: smtp
- Host: secure300.inmotionhosting.com
- Port: 587
- Username: [email protected]
- Password: HCBo3_tl-nKP1@
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla payload 6 IoCs
  Processes:
  resource | yara_rule
  behavioral1/memory/552-75-0x0000000000230000-0x00000000008B7000-memory.dmp | family_agenttesla
  behavioral1/memory/552-78-0x0000000000230000-0x00000000008B7000-memory.dmp | family_agenttesla
  behavioral1/memory/552-80-0x0000000000230000-0x00000000008B7000-memory.dmp | family_agenttesla
  behavioral1/memory/552-82-0x0000000000230000-0x000000000026C000-memory.dmp | family_agenttesla
  behavioral1/memory/552-84-0x0000000005060000-0x00000000050A0000-memory.dmp | family_agenttesla
  behavioral1/memory/552-86-0x0000000005060000-0x00000000050A0000-memory.dmp | family_agenttesla
- Executes dropped EXE 2 IoCs
  Processes: vhlrf.pif, RegSvcs.exe
  pid | process
  2472 | vhlrf.pif
  552 | RegSvcs.exe
- Loads dropped DLL 5 IoCs
  Processes: 1b8967a79880dfff1a89796c914a9535_JaffaCakes118.exe, vhlrf.pif
  pid | process
  2808 | 1b8967a79880dfff1a89796c914a9535_JaffaCakes118.exe
  2808 | 1b8967a79880dfff1a89796c914a9535_JaffaCakes118.exe
  2808 | 1b8967a79880dfff1a89796c914a9535_JaffaCakes118.exe
  2808 | 1b8967a79880dfff1a89796c914a9535_JaffaCakes118.exe
  2472 | vhlrf.pif
- Reads user/profile data of local email clients 2 TTPs
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers 2 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  Processes: RegSvcs.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
- Suspicious use of SetThreadContext 1 IoCs
  Processes: vhlrf.pif
  description | pid | process | target process
  PID 2472 set thread context of 552 | 2472 | vhlrf.pif | RegSvcs.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses 7 IoCs
  Processes: vhlrf.pif, RegSvcs.exe
  pid | process
  2472 | vhlrf.pif
  552 | RegSvcs.exe
  552 | RegSvcs.exe
  552 | RegSvcs.exe
  552 | RegSvcs.exe
  552 | RegSvcs.exe
  552 | RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Processes: RegSvcs.exe
  description | pid | process
  Token: SeDebugPrivilege | 552 | RegSvcs.exe
- Suspicious use of SetWindowsHookEx 1 IoCs
  Processes: RegSvcs.exe
  pid | process
  552 | RegSvcs.exe
- Suspicious use of WriteProcessMemory 41 IoCs
  Processes: 1b8967a79880dfff1a89796c914a9535_JaffaCakes118.exe, vhlrf.pif
  description | pid | process | target process
  PID 2808 wrote to memory of 2472 | 2808 | 1b8967a79880dfff1a89796c914a9535_JaffaCakes118.exe | vhlrf.pif
  PID 2808 wrote to memory of 2472 | 2808 | 1b8967a79880dfff1a89796c914a9535_JaffaCakes118.exe | vhlrf.pif
  PID 2808 wrote to memory of 2472 | 2808 | 1b8967a79880dfff1a89796c914a9535_JaffaCakes118.exe | vhlrf.pif
  PID 2808 wrote to memory of 2472 | 2808 | 1b8967a79880dfff1a89796c914a9535_JaffaCakes118.exe | vhlrf.pif
  PID 2472 wrote to memory of 2424 | 2472 | vhlrf.pif | mshta.exe
  PID 2472 wrote to memory of 2424 | 2472 | vhlrf.pif | mshta.exe
  PID 2472 wrote to memory of 2424 | 2472 | vhlrf.pif | mshta.exe
  PID 2472 wrote to memory of 2424 | 2472 | vhlrf.pif | mshta.exe
  PID 2472 wrote to memory of 2680 | 2472 | vhlrf.pif | mshta.exe
  PID 2472 wrote to memory of 2680 | 2472 | vhlrf.pif | mshta.exe
  PID 2472 wrote to memory of 2680 | 2472 | vhlrf.pif | mshta.exe
  PID 2472 wrote to memory of 2680 | 2472 | vhlrf.pif | mshta.exe
  PID 2472 wrote to memory of 2692 | 2472 | vhlrf.pif | mshta.exe
  PID 2472 wrote to memory of 2692 | 2472 | vhlrf.pif | mshta.exe
  PID 2472 wrote to memory of 2692 | 2472 | vhlrf.pif | mshta.exe
  PID 2472 wrote to memory of 2692 | 2472 | vhlrf.pif | mshta.exe
  PID 2472 wrote to memory of 2192 | 2472 | vhlrf.pif | mshta.exe
  PID 2472 wrote to memory of 2192 | 2472 | vhlrf.pif | mshta.exe
  PID 2472 wrote to memory of 2192 | 2472 | vhlrf.pif | mshta.exe
  PID 2472 wrote to memory of 2192 | 2472 | vhlrf.pif | mshta.exe
  PID 2472 wrote to memory of 1888 | 2472 | vhlrf.pif | mshta.exe
  PID 2472 wrote to memory of 1888 | 2472 | vhlrf.pif | mshta.exe
  PID 2472 wrote to memory of 1888 | 2472 | vhlrf.pif | mshta.exe
  PID 2472 wrote to memory of 1888 | 2472 | vhlrf.pif | mshta.exe
  PID 2472 wrote to memory of 1940 | 2472 | vhlrf.pif | mshta.exe
  PID 2472 wrote to memory of 1940 | 2472 | vhlrf.pif | mshta.exe
  PID 2472 wrote to memory of 1940 | 2472 | vhlrf.pif | mshta.exe
  PID 2472 wrote to memory of 1940 | 2472 | vhlrf.pif | mshta.exe
  PID 2472 wrote to memory of 2412 | 2472 | vhlrf.pif | mshta.exe
  PID 2472 wrote to memory of 2412 | 2472 | vhlrf.pif | mshta.exe
  PID 2472 wrote to memory of 2412 | 2472 | vhlrf.pif | mshta.exe
  PID 2472 wrote to memory of 2412 | 2472 | vhlrf.pif | mshta.exe
  PID 2472 wrote to memory of 552 | 2472 | vhlrf.pif | RegSvcs.exe
  PID 2472 wrote to memory of 552 | 2472 | vhlrf.pif | RegSvcs.exe
  PID 2472 wrote to memory of 552 | 2472 | vhlrf.pif | RegSvcs.exe
  PID 2472 wrote to memory of 552 | 2472 | vhlrf.pif | RegSvcs.exe
  PID 2472 wrote to memory of 552 | 2472 | vhlrf.pif | RegSvcs.exe
  PID 2472 wrote to memory of 552 | 2472 | vhlrf.pif | RegSvcs.exe
  PID 2472 wrote to memory of 552 | 2472 | vhlrf.pif | RegSvcs.exe
  PID 2472 wrote to memory of 552 | 2472 | vhlrf.pif | RegSvcs.exe
  PID 2472 wrote to memory of 552 | 2472 | vhlrf.pif | RegSvcs.exe
- outlook_office_path 1 IoCs
  Processes: RegSvcs.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
- outlook_win_path 1 IoCs
  Processes: RegSvcs.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\1b8967a79880dfff1a89796c914a9535_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1b8967a79880dfff1a89796c914a9535_JaffaCakes118.exe"
  PID: 2808
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\50764647\vhlrf.pif
    Command line: "C:\Users\Admin\50764647\vhlrf.pif" ihdes.mrg
    PID: 2472
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\mshta.exe
      Command line: "C:\Windows\SysWOW64\mshta.exe"
      PID: 2424
    - C:\Windows\SysWOW64\mshta.exe
      Command line: "C:\Windows\SysWOW64\mshta.exe"
      PID: 2680
    - C:\Windows\SysWOW64\mshta.exe
      Command line: "C:\Windows\SysWOW64\mshta.exe"
      PID: 2692
    - C:\Windows\SysWOW64\mshta.exe
      Command line: "C:\Windows\SysWOW64\mshta.exe"
      PID: 2192
    - C:\Windows\SysWOW64\mshta.exe
      Command line: "C:\Windows\SysWOW64\mshta.exe"
      PID: 1888
    - C:\Windows\SysWOW64\mshta.exe
      Command line: "C:\Windows\SysWOW64\mshta.exe"
      PID: 1940
    - C:\Windows\SysWOW64\mshta.exe
      Command line: "C:\Windows\SysWOW64\mshta.exe"
      PID: 2412
    - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
      PID: 552
      Signatures: Executes dropped EXE; Accesses Microsoft Outlook profiles; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; outlook_office_path; outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\50764647\ihdes.mrg
  Filesize: 83.8MB
  MD5: e400b295e5833a76175d3573d326c011
  SHA1: a188ef799e43e51f99c2490fa78df682d46da713
  SHA256: a16d5b5bd922750123f7e8550e7b03e3297608678d318309268d71f18f7f06b0
  SHA512: 34f0b7b9ddeb9b12a60476308e55b9bca4acc11169d67a1ed1172e8e3d75c146ba8590f3b51482171c4bdb40166ae44816a4942afa07e247bcc25c5078289412
- C:\Users\Admin\50764647\ktguieluna.caw
  Filesize: 428KB
  MD5: 120aff8455f26c9ce6641cba06fed1bc
  SHA1: ef345967e50a3048434a1afaa66a6662a9d5cdf6
  SHA256: f177d13df363aef0451a8a5273b1aa0f50305686b697a2f8c9d5981a79141399
  SHA512: 0d0f40e8405c226b40d3945f523813bb12a85c66d32e9d8a43af520f7d098b57c8b9a870699b6d5a9672ca54d602cf4614e76a20517e458a9acc1bc701eddd65
- C:\Users\Admin\50764647\odqjo.bin
  Filesize: 48KB
  MD5: fce3722adadc2bfc220511ca0f56d82a
  SHA1: d0a8e10196459fe72abb3268ffe21c4e4610efc0
  SHA256: 2434b0b787db2a0df7eda6bb56b9d579d577332717fa92febd5ec49606a48936
  SHA512: 04882c774b1bd3b7943b6a7a3a7d1fe631a8f9e9a33164370a8a58150f7006a072239178bbc2c781c2a2548f633fbea856d6b4f2e7e6e6bad6cf86cebbc264ef
- \Users\Admin\50764647\vhlrf.pif
  Filesize: 758KB
  MD5: 279dae7236f5f2488a4bacde6027f730
  SHA1: 29a012e5259739f24480cedfd6d5f2d860cfcdb3
  SHA256: 415850f2706681a6d80708fca8ac18dcf97e58b8f3fdc7bc4b558ab15fc0a03f
  SHA512: b81276fc4d915a9721dae15aa064781a1dba665ff4864ccbdf624e8049c1b3c12a2b374f11cffcf6e4a5217766836edbc5f2376ffa8765f9070cbd87d7ae2fe8
- \Users\Admin\AppData\Local\Temp\RegSvcs.exe
  Filesize: 44KB
  MD5: 0e06054beb13192588e745ee63a84173
  SHA1: 30b7d4d1277bafd04a83779fd566a1f834a8d113
  SHA256: c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
  SHA512: 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215
- memory/552-74-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
  Filesize: 4KB
- memory/552-72-0x0000000000230000-0x00000000008B7000-memory.dmp
  Filesize: 6.5MB
- memory/552-75-0x0000000000230000-0x00000000008B7000-memory.dmp
  Filesize: 6.5MB
- memory/552-78-0x0000000000230000-0x00000000008B7000-memory.dmp
  Filesize: 6.5MB
- memory/552-80-0x0000000000230000-0x00000000008B7000-memory.dmp
  Filesize: 6.5MB
- memory/552-83-0x00000000738D0000-0x0000000073FBE000-memory.dmp
  Filesize: 6.9MB
- memory/552-82-0x0000000000230000-0x000000000026C000-memory.dmp
  Filesize: 240KB
- memory/552-84-0x0000000005060000-0x00000000050A0000-memory.dmp
  Filesize: 256KB
- memory/552-85-0x00000000738D0000-0x0000000073FBE000-memory.dmp
  Filesize: 6.9MB
- memory/552-86-0x0000000005060000-0x00000000050A0000-memory.dmp
  Filesize: 256KB