Analysis

  • max time kernel
    122s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-04-2024 19:38

General

  • Target

    e5b3fc8e7c159b836046b6f657179929_JaffaCakes118.exe

  • Size

    489KB

  • MD5

    e5b3fc8e7c159b836046b6f657179929

  • SHA1

    90a8ebb6a71a7b8462cfbf5ff7605bc66297c48e

  • SHA256

    73cefc887f0ab4d9e0269c527c1687e360493926bfb7ccc3a876b4bb19832b85

  • SHA512

    977613bb7d32ea91aaf8c2303ae25dbd2ea9ba18b5ceca68a014af2be261efc3330a6b48a24c7fbbd2f22a602d59af00abf81de37b613971d9f89d6902be3e01

  • SSDEEP

    6144:pqpaDiyDFrvC2uEXmoKpiTQfmlrnKdjkt1V3e+VEdC0cRm7+7nT3wJHWv2EvkWbm:pTDBNKEvKMnKdQPVxEdFcs1Ji7bTG

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.bafaqroup.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    bs%K^dS2

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Detect ZGRat V1 34 IoCs
  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • AgentTesla payload 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e5b3fc8e7c159b836046b6f657179929_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e5b3fc8e7c159b836046b6f657179929_JaffaCakes118.exe"
    1⤵
    PID:2820
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\e5b3fc8e7c159b836046b6f657179929_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\e5b3fc8e7c159b836046b6f657179929_JaffaCakes118.exe
      2⤵
      PID:1080
    • C:\Users\Admin\AppData\Local\Temp\e5b3fc8e7c159b836046b6f657179929_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\e5b3fc8e7c159b836046b6f657179929_JaffaCakes118.exe
      2⤵
      PID:1088
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken

Downloads

Memory dumps (path, filesize):

  • memory/1088-2399-0x00000000744E0000-0x0000000074BCE000-memory.dmp (6.9MB)
  • memory/1088-2403-0x0000000001170000-0x00000000011B0000-memory.dmp (256KB)
  • memory/1088-2402-0x00000000744E0000-0x0000000074BCE000-memory.dmp (6.9MB)
  • memory/1088-2401-0x0000000001170000-0x00000000011B0000-memory.dmp (256KB)
  • memory/1088-2398-0x0000000000400000-0x000000000043C000-memory.dmp (240KB)
  • memory/2820-37-0x0000000005020000-0x0000000005092000-memory.dmp (456KB)
  • memory/2820-45-0x0000000005020000-0x0000000005092000-memory.dmp (456KB)
  • memory/2820-7-0x0000000005020000-0x0000000005092000-memory.dmp (456KB)
  • memory/2820-9-0x0000000005020000-0x0000000005092000-memory.dmp (456KB)
  • memory/2820-11-0x0000000005020000-0x0000000005092000-memory.dmp (456KB)
  • memory/2820-13-0x0000000005020000-0x0000000005092000-memory.dmp (456KB)
  • memory/2820-15-0x0000000005020000-0x0000000005092000-memory.dmp (456KB)
  • memory/2820-17-0x0000000005020000-0x0000000005092000-memory.dmp (456KB)
  • memory/2820-19-0x0000000005020000-0x0000000005092000-memory.dmp (456KB)
  • memory/2820-23-0x0000000005020000-0x0000000005092000-memory.dmp (456KB)
  • memory/2820-21-0x0000000005020000-0x0000000005092000-memory.dmp (456KB)
  • memory/2820-25-0x0000000005020000-0x0000000005092000-memory.dmp (456KB)
  • memory/2820-29-0x0000000005020000-0x0000000005092000-memory.dmp (456KB)
  • memory/2820-27-0x0000000005020000-0x0000000005092000-memory.dmp (456KB)
  • memory/2820-31-0x0000000005020000-0x0000000005092000-memory.dmp (456KB)
  • memory/2820-33-0x0000000005020000-0x0000000005092000-memory.dmp (456KB)
  • memory/2820-35-0x0000000005020000-0x0000000005092000-memory.dmp (456KB)
  • memory/2820-0-0x00000000011B0000-0x0000000001230000-memory.dmp (512KB)
  • memory/2820-39-0x0000000005020000-0x0000000005092000-memory.dmp (456KB)
  • memory/2820-41-0x0000000005020000-0x0000000005092000-memory.dmp (456KB)
  • memory/2820-43-0x0000000005020000-0x0000000005092000-memory.dmp (456KB)
  • memory/2820-6-0x0000000005020000-0x0000000005092000-memory.dmp (456KB)
  • memory/2820-47-0x0000000005020000-0x0000000005092000-memory.dmp (456KB)
  • memory/2820-49-0x0000000005020000-0x0000000005092000-memory.dmp (456KB)
  • memory/2820-53-0x0000000005020000-0x0000000005092000-memory.dmp (456KB)
  • memory/2820-55-0x0000000005020000-0x0000000005092000-memory.dmp (456KB)
  • memory/2820-57-0x0000000005020000-0x0000000005092000-memory.dmp (456KB)
  • memory/2820-59-0x0000000005020000-0x0000000005092000-memory.dmp (456KB)
  • memory/2820-61-0x0000000005020000-0x0000000005092000-memory.dmp (456KB)
  • memory/2820-63-0x0000000005020000-0x0000000005092000-memory.dmp (456KB)
  • memory/2820-65-0x0000000005020000-0x0000000005092000-memory.dmp (456KB)
  • memory/2820-67-0x0000000005020000-0x0000000005092000-memory.dmp (456KB)
  • memory/2820-69-0x0000000005020000-0x0000000005092000-memory.dmp (456KB)
  • memory/2820-51-0x0000000005020000-0x0000000005092000-memory.dmp (456KB)
  • memory/2820-512-0x00000000004E0000-0x0000000000520000-memory.dmp (256KB)
  • memory/2820-5-0x0000000005020000-0x0000000005098000-memory.dmp (480KB)
  • memory/2820-4-0x0000000004D40000-0x0000000004D9E000-memory.dmp (376KB)
  • memory/2820-2400-0x00000000744E0000-0x0000000074BCE000-memory.dmp (6.9MB)
  • memory/2820-3-0x00000000744E0000-0x0000000074BCE000-memory.dmp (6.9MB)
  • memory/2820-2-0x00000000004E0000-0x0000000000520000-memory.dmp (256KB)
  • memory/2820-1-0x00000000744E0000-0x0000000074BCE000-memory.dmp (6.9MB)