General

  • Target

    e5578d8189525e3b27ce4bbdddf67e1b_JaffaCakes118

  • Size

    1.2MB

  • Sample

    240407-ts6kzsgh55

  • MD5

    e5578d8189525e3b27ce4bbdddf67e1b

  • SHA1

    9fc7e6de99ac5a3dd5e57a4471a8e1ce1c64d708

  • SHA256

    7100f855ef506197a7bb88083c84893a8fa1f6aad9c70740c19c20277681d582

  • SHA512

    8bf027bfdd6fd41be53a221792d1a6815979f2dc4f398946d86de9ba1755f326dc79ed32490694eed4eca7b355966378f16118c888bc49682c77a23e12a4e77e

  • SSDEEP

    24576:gr3kgtKj5jTNYgLAc+xiI5PXyz2aGfZSp:E8KGAcv6aE

Malware Config

Targets

    • Target

      e5578d8189525e3b27ce4bbdddf67e1b_JaffaCakes118

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks