Malware Analysis Report

2025-08-05 10:00

Sample ID 240403-x1zzysab7z
Target a4743f85829f12bab113bf304e4f2905_JaffaCakes118
SHA256 19512e9e5b4d093d9f1677753939165e85bf5d6b7bae01127520b155e6c4f287
Tags
agenttesla keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

19512e9e5b4d093d9f1677753939165e85bf5d6b7bae01127520b155e6c4f287

Threat Level: Known bad

The file a4743f85829f12bab113bf304e4f2905_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

agenttesla keylogger spyware stealer trojan

AgentTesla

AgentTesla payload

Loads dropped DLL

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Program crash

NSIS installer

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-03 19:19

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-03 19:19

Reported

2024-04-03 19:22

Platform

win7-20240221-en

Max time kernel

142s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2936 set thread context of 2744 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2936 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe
PID 2936 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe
PID 2936 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe
PID 2936 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe
PID 2936 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe
PID 2936 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe
PID 2936 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe
PID 2936 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe
PID 2936 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe
PID 2936 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe
PID 2936 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe
PID 2744 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
PID 2744 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
PID 2744 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
PID 2744 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe

"C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe"

C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe

"C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 508

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nst84DA.tmp\misckvq.dll

MD5 71455ae5bee5d2dc77c1c86f0ff4a9aa
SHA1 30aba60427c693656d8d76cbdf257c033284f1c2
SHA256 10d7db2ec1fa897b98373589c629e14b938d81a952bc33c32d60aea1522f86d6
SHA512 a4e0a98ef162bf28059af238b25f696d1dd0e07cc30337968f15ebb802ecd487c9f4ada2ee441052a24e66ba4f9dbf6beb307e9a7f65495156270468fb2c699a

memory/2744-8-0x0000000000400000-0x000000000044C000-memory.dmp

memory/2744-10-0x0000000000400000-0x000000000044C000-memory.dmp

memory/2744-11-0x0000000000400000-0x000000000044C000-memory.dmp

memory/2744-12-0x0000000074880000-0x0000000074E2B000-memory.dmp

memory/2744-13-0x0000000074880000-0x0000000074E2B000-memory.dmp

memory/2744-14-0x0000000002090000-0x00000000020D0000-memory.dmp

memory/2744-15-0x0000000002090000-0x00000000020D0000-memory.dmp

memory/2656-16-0x0000000001E90000-0x0000000001E91000-memory.dmp

memory/2744-18-0x0000000074880000-0x0000000074E2B000-memory.dmp

memory/2744-19-0x0000000002090000-0x00000000020D0000-memory.dmp

memory/2656-22-0x0000000001E90000-0x0000000001E91000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-03 19:19

Reported

2024-04-03 19:22

Platform

win10v2004-20231215-en

Max time kernel

93s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe

"C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe"

C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe

"C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4784 -ip 4784

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 972

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 210.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 241.66.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 227.66.18.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsk4651.tmp\misckvq.dll

MD5 71455ae5bee5d2dc77c1c86f0ff4a9aa
SHA1 30aba60427c693656d8d76cbdf257c033284f1c2
SHA256 10d7db2ec1fa897b98373589c629e14b938d81a952bc33c32d60aea1522f86d6
SHA512 a4e0a98ef162bf28059af238b25f696d1dd0e07cc30337968f15ebb802ecd487c9f4ada2ee441052a24e66ba4f9dbf6beb307e9a7f65495156270468fb2c699a

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-03 19:19

Reported

2024-04-03 19:22

Platform

win7-20240221-en

Max time kernel

122s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\misckvq.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\misckvq.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\misckvq.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 248

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-03 19:19

Reported

2024-04-03 19:22

Platform

win10v2004-20240226-en

Max time kernel

93s

Max time network

144s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\misckvq.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3488 wrote to memory of 3276 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3488 wrote to memory of 3276 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3488 wrote to memory of 3276 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\misckvq.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\misckvq.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3276 -ip 3276

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 676

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 218.122.19.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A