Analysis Overview
SHA256
59f4b8d890618bc836dc9fd9bf4c40a1aa6dc7264d6dbbcd3964c3ff5f7e7231
Threat Level: Known bad
The file e07eff7ce4bb2af1d6b8c3c564b66b19_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
AgentTesla
AgentTesla payload
Reads WinSCP keys stored on the system
Obfuscated with Agile.Net obfuscator
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-06 08:49
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-06 08:49
Reported
2024-04-06 08:51
Platform
win7-20240221-en
Max time kernel
119s
Max time network
119s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Document_BT24PDF.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Document_BT24PDF.exe
"C:\Users\Admin\AppData\Local\Temp\Document_BT24PDF.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | www.google.com | udp |
| DE | 172.217.16.196:443 | www.google.com | tcp |
| GB | 2.23.92.203:443 | www.bing.com | tcp |
| DE | 172.217.16.196:443 | www.google.com | tcp |
| GB | 2.23.92.203:443 | www.bing.com | tcp |
Files
memory/2756-0-0x0000000001200000-0x00000000012D4000-memory.dmp
memory/2756-1-0x0000000074B10000-0x00000000751FE000-memory.dmp
memory/2756-2-0x0000000004870000-0x00000000048B0000-memory.dmp
memory/2756-3-0x0000000074B10000-0x00000000751FE000-memory.dmp
memory/2756-4-0x0000000004870000-0x00000000048B0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-06 08:49
Reported
2024-04-06 08:51
Platform
win10v2004-20240226-en
Max time kernel
146s
Max time network
154s
Command Line
Signatures
AgentTesla
AgentTesla payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Document_BT24PDF.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Document_BT24PDF.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Document_BT24PDF.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3340 set thread context of 3988 | N/A | C:\Users\Admin\AppData\Local\Temp\Document_BT24PDF.exe | C:\Users\Admin\AppData\Local\Temp\Document_BT24PDF.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Document_BT24PDF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Document_BT24PDF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Document_BT24PDF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Document_BT24PDF.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Document_BT24PDF.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Document_BT24PDF.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Document_BT24PDF.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Document_BT24PDF.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Document_BT24PDF.exe
"C:\Users\Admin\AppData\Local\Temp\Document_BT24PDF.exe"
C:\Users\Admin\AppData\Local\Temp\Document_BT24PDF.exe
"C:\Users\Admin\AppData\Local\Temp\Document_BT24PDF.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| DE | 172.217.16.196:443 | www.google.com | tcp |
| GB | 2.23.92.203:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 196.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.92.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp |
Files
memory/3340-0-0x0000000000600000-0x00000000006D4000-memory.dmp
memory/3340-1-0x0000000075000000-0x00000000757B0000-memory.dmp
memory/3340-2-0x00000000050F0000-0x000000000518C000-memory.dmp
memory/3340-3-0x00000000057A0000-0x0000000005D44000-memory.dmp
memory/3340-4-0x00000000051F0000-0x0000000005282000-memory.dmp
memory/3340-5-0x0000000005290000-0x00000000055E4000-memory.dmp
memory/3340-6-0x0000000005720000-0x0000000005730000-memory.dmp
memory/3340-7-0x0000000005770000-0x0000000005798000-memory.dmp
memory/3340-8-0x0000000006950000-0x00000000069B6000-memory.dmp
memory/3340-9-0x0000000006920000-0x0000000006942000-memory.dmp
memory/3340-10-0x0000000005720000-0x0000000005730000-memory.dmp
memory/3340-11-0x0000000075000000-0x00000000757B0000-memory.dmp
memory/3340-12-0x0000000005720000-0x0000000005730000-memory.dmp
memory/3340-13-0x00000000073E0000-0x00000000073F4000-memory.dmp
memory/3340-14-0x0000000009A00000-0x0000000009A06000-memory.dmp
memory/3988-15-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Document_BT24PDF.exe.log
| Hash | Value |
|---|---|
| MD5 | 285b29c5996aba555085ba399ff77e20 |
| SHA1 | 8883f82fda1392fdb4e69a5bd5eee8ffdfc21af1 |
| SHA256 | 496fe895cbf117cdad4087accd11c60e3dcd682c579d954e8d69429fb2b613e1 |
| SHA512 | 740f183b3ba5347e2b4860260f3d34cab6e2d509dfa5b2ba190a6c46650d57cdc8ab4c5535f4b29f09fc9c607bdea4b0ba49b6d3e6332b094b24c7ba2e18357a |
memory/3988-18-0x0000000075000000-0x00000000757B0000-memory.dmp
memory/3340-19-0x0000000075000000-0x00000000757B0000-memory.dmp
memory/3988-20-0x0000000005B70000-0x0000000005B88000-memory.dmp
memory/3988-21-0x0000000075000000-0x00000000757B0000-memory.dmp
memory/3988-22-0x0000000005630000-0x0000000005640000-memory.dmp
memory/3988-23-0x0000000005510000-0x0000000005560000-memory.dmp
memory/3988-24-0x0000000006B30000-0x0000000006B3A000-memory.dmp