Malware Analysis Report

2024-11-15 08:30

Sample ID 240406-kq132sfd59
Target e07eff7ce4bb2af1d6b8c3c564b66b19_JaffaCakes118
SHA256 59f4b8d890618bc836dc9fd9bf4c40a1aa6dc7264d6dbbcd3964c3ff5f7e7231
Tags: agenttesla agilenet collection keylogger spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 59f4b8d890618bc836dc9fd9bf4c40a1aa6dc7264d6dbbcd3964c3ff5f7e7231

Threat Level: Known bad

The file e07eff7ce4bb2af1d6b8c3c564b66b19_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

agenttesla agilenet collection keylogger spyware stealer trojan

AgentTesla

AgentTesla payload

Reads WinSCP keys stored on the system

Obfuscated with Agile.Net obfuscator

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-06 08:49

Signatures

Unsigned PE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-06 08:49
Reported: 2024-04-06 08:51
Platform: win7-20240221-en
Max time kernel: 119s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Document_BT24PDF.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Document_BT24PDF.exe | N/A |

Processes

C:\Users\Admin\AppData\Local\Temp\Document_BT24PDF.exe

"C:\Users\Admin\AppData\Local\Temp\Document_BT24PDF.exe"

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | www.google.com | udp |
| DE | 172.217.16.196:443 | www.google.com | tcp |
| GB | 2.23.92.203:443 | www.bing.com | tcp |
| DE | 172.217.16.196:443 | www.google.com | tcp |
| GB | 2.23.92.203:443 | www.bing.com | tcp |

Files

memory/2756-0-0x0000000001200000-0x00000000012D4000-memory.dmp

memory/2756-1-0x0000000074B10000-0x00000000751FE000-memory.dmp

memory/2756-2-0x0000000004870000-0x00000000048B0000-memory.dmp

memory/2756-3-0x0000000074B10000-0x00000000751FE000-memory.dmp

memory/2756-4-0x0000000004870000-0x00000000048B0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-06 08:49
Reported: 2024-04-06 08:51
Platform: win10v2004-20240226-en
Max time kernel: 146s
Max time network: 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Document_BT24PDF.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

AgentTesla payload

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Obfuscated with Agile.Net obfuscator

agilenet

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Document_BT24PDF.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Document_BT24PDF.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Document_BT24PDF.exe | N/A |

Suspicious use of SetThreadContext

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3340 set thread context of 3988 | N/A | C:\Users\Admin\AppData\Local\Temp\Document_BT24PDF.exe | C:\Users\Admin\AppData\Local\Temp\Document_BT24PDF.exe |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Document_BT24PDF.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Document_BT24PDF.exe | N/A |

outlook_office_path

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Document_BT24PDF.exe | N/A |

outlook_win_path

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Document_BT24PDF.exe | N/A |

Processes

C:\Users\Admin\AppData\Local\Temp\Document_BT24PDF.exe

"C:\Users\Admin\AppData\Local\Temp\Document_BT24PDF.exe"

C:\Users\Admin\AppData\Local\Temp\Document_BT24PDF.exe

"C:\Users\Admin\AppData\Local\Temp\Document_BT24PDF.exe"

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| DE | 172.217.16.196:443 | www.google.com | tcp |
| GB | 2.23.92.203:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 196.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.92.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp |

Files

memory/3340-0-0x0000000000600000-0x00000000006D4000-memory.dmp

memory/3340-1-0x0000000075000000-0x00000000757B0000-memory.dmp

memory/3340-2-0x00000000050F0000-0x000000000518C000-memory.dmp

memory/3340-3-0x00000000057A0000-0x0000000005D44000-memory.dmp

memory/3340-4-0x00000000051F0000-0x0000000005282000-memory.dmp

memory/3340-5-0x0000000005290000-0x00000000055E4000-memory.dmp

memory/3340-6-0x0000000005720000-0x0000000005730000-memory.dmp

memory/3340-7-0x0000000005770000-0x0000000005798000-memory.dmp

memory/3340-8-0x0000000006950000-0x00000000069B6000-memory.dmp

memory/3340-9-0x0000000006920000-0x0000000006942000-memory.dmp

memory/3340-10-0x0000000005720000-0x0000000005730000-memory.dmp

memory/3340-11-0x0000000075000000-0x00000000757B0000-memory.dmp

memory/3340-12-0x0000000005720000-0x0000000005730000-memory.dmp

memory/3340-13-0x00000000073E0000-0x00000000073F4000-memory.dmp

memory/3340-14-0x0000000009A00000-0x0000000009A06000-memory.dmp

memory/3988-15-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Document_BT24PDF.exe.log

MD5: 285b29c5996aba555085ba399ff77e20
SHA1: 8883f82fda1392fdb4e69a5bd5eee8ffdfc21af1
SHA256: 496fe895cbf117cdad4087accd11c60e3dcd682c579d954e8d69429fb2b613e1
SHA512: 740f183b3ba5347e2b4860260f3d34cab6e2d509dfa5b2ba190a6c46650d57cdc8ab4c5535f4b29f09fc9c607bdea4b0ba49b6d3e6332b094b24c7ba2e18357a

memory/3988-18-0x0000000075000000-0x00000000757B0000-memory.dmp

memory/3340-19-0x0000000075000000-0x00000000757B0000-memory.dmp

memory/3988-20-0x0000000005B70000-0x0000000005B88000-memory.dmp

memory/3988-21-0x0000000075000000-0x00000000757B0000-memory.dmp

memory/3988-22-0x0000000005630000-0x0000000005640000-memory.dmp

memory/3988-23-0x0000000005510000-0x0000000005560000-memory.dmp

memory/3988-24-0x0000000006B30000-0x0000000006B3A000-memory.dmp