Analysis Overview
SHA256
19512e9e5b4d093d9f1677753939165e85bf5d6b7bae01127520b155e6c4f287
Threat Level: Known bad
The file a4743f85829f12bab113bf304e4f2905_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
AgentTesla
AgentTesla payload
Loads dropped DLL
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Program crash
NSIS installer
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-03 19:19
Signatures
Unsigned PE
NSIS installer
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-03 19:19
Reported
2024-04-03 19:22
Platform
win7-20240221-en
Max time kernel
142s
Max time network
125s
Command Line
Signatures
AgentTesla
AgentTesla payload
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2936 set thread context of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe | C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe"
C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 508
Network
Files
\Users\Admin\AppData\Local\Temp\nst84DA.tmp\misckvq.dll
| MD5 | 71455ae5bee5d2dc77c1c86f0ff4a9aa |
| SHA1 | 30aba60427c693656d8d76cbdf257c033284f1c2 |
| SHA256 | 10d7db2ec1fa897b98373589c629e14b938d81a952bc33c32d60aea1522f86d6 |
| SHA512 | a4e0a98ef162bf28059af238b25f696d1dd0e07cc30337968f15ebb802ecd487c9f4ada2ee441052a24e66ba4f9dbf6beb307e9a7f65495156270468fb2c699a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-03 19:19
Reported
2024-04-03 19:22
Platform
win10v2004-20231215-en
Max time kernel
93s
Max time network
121s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4784 wrote to memory of 4548 | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe | C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe |
| PID 4784 wrote to memory of 4548 | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe | C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe |
| PID 4784 wrote to memory of 4548 | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe | C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe"
C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order CTPO18542#.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4784 -ip 4784
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 972
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.108.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.66.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.66.18.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsk4651.tmp\misckvq.dll
| MD5 | 71455ae5bee5d2dc77c1c86f0ff4a9aa |
| SHA1 | 30aba60427c693656d8d76cbdf257c033284f1c2 |
| SHA256 | 10d7db2ec1fa897b98373589c629e14b938d81a952bc33c32d60aea1522f86d6 |
| SHA512 | a4e0a98ef162bf28059af238b25f696d1dd0e07cc30337968f15ebb802ecd487c9f4ada2ee441052a24e66ba4f9dbf6beb307e9a7f65495156270468fb2c699a |
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-03 19:19
Reported
2024-04-03 19:22
Platform
win7-20240221-en
Max time kernel
122s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\misckvq.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\misckvq.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 248
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-04-03 19:19
Reported
2024-04-03 19:22
Platform
win10v2004-20240226-en
Max time kernel
93s
Max time network
144s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3488 wrote to memory of 3276 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3488 wrote to memory of 3276 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3488 wrote to memory of 3276 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\misckvq.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\misckvq.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3276 -ip 3276
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 676
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.122.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |