Analysis

Max time kernel:   166s
Max time network:  182s
Platform:          windows10-2004_x64
Resource:          win10v2004-20240226-en
Resource tags:     arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
Submitted:         10-04-2024 14:21

Static task:       static1
Behavioral task:   behavioral1
Sample:            eb4412b32b90cbff3cff3a2762623f9c_JaffaCakes118.exe
Resource:          win7-20240221-en
General

Target:   eb4412b32b90cbff3cff3a2762623f9c_JaffaCakes118.exe
Size:     499KB
MD5:      eb4412b32b90cbff3cff3a2762623f9c
SHA1:     5071ad5d98932f0bc81584ce9500efe361166efd
SHA256:   12c620e143987ad28fe072cdd8dfc5b0e2cde3492cae25168e13435463323d18
SHA512:   016bcf96a4645cc25a31dd996f4c7021cf847498398cfe7c4761a7c4c34ff391b7fcd567ad032483d6f292d59945c41821536cfb75feccbd29e838c88cb6b0fd
SSDEEP:   12288:ic4hbmOwD71tJha6QSGUsy7Se75DdWT7/:b8bmOKhtPUUbSW5DdG7
Malware Config

Extracted family: agenttesla
  Protocol:  ftp
  Host:      ftp://ftp.videoalliance.ru/
  Port:      21
  Username:  [email protected]
  Password:  xq0~K^xsfq08
Signatures

- AgentTesla
  Agent Tesla is a .NET-based remote access tool (RAT) and information stealer. This sample's extracted configuration (Malware Config above) points its exfiltration at an FTP server.
- AgentTesla payload (1 IoC)
  Resource:   behavioral2/memory/1564-16-0x0000000000400000-0x000000000043C000-memory.dmp
  YARA rule:  family_agenttesla
- Executes dropped EXE (1 IoC)
  Process:    InstallUtil.exe (PID 1564)
- Obfuscated with Agile.Net obfuscator (1 IoC)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  Resource:   behavioral2/memory/1656-4-0x0000000005BF0000-0x0000000005C18000-memory.dmp
  YARA rule:  agile_net
- Suspicious use of SetThreadContext (1 IoC)
  PID 1656 (eb4412b32b90cbff3cff3a2762623f9c_JaffaCakes118.exe) set thread context of PID 1564 (InstallUtil.exe)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 1656  eb4412b32b90cbff3cff3a2762623f9c_JaffaCakes118.exe  (2 events)
  PID 1564  InstallUtil.exe                                     (2 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  PID 1656  eb4412b32b90cbff3cff3a2762623f9c_JaffaCakes118.exe
  Token: SeDebugPrivilege  PID 1564  InstallUtil.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1656 (eb4412b32b90cbff3cff3a2762623f9c_JaffaCakes118.exe) wrote to memory of PID 1564 (InstallUtil.exe), 8 events
Processes

C:\Users\Admin\AppData\Local\Temp\eb4412b32b90cbff3cff3a2762623f9c_JaffaCakes118.exe  (PID 1656)
  Command line: "C:\Users\Admin\AppData\Local\Temp\eb4412b32b90cbff3cff3a2762623f9c_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  └─ C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe  (PID 1564)
       Command line: "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
       - Executes dropped EXE
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of AdjustPrivilegeToken
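The Signatures and process tree above describe a single injection chain: the sample (PID 1656) drops InstallUtil.exe into the user's Temp directory, writes into that child eight times, replaces its thread context, and the AgentTesla YARA rule then fires on the child's image range starting at 0x400000. Writes followed by a context swap into a freshly spawned, legitimately named .NET utility running from a user-writable path is the process-hollowing pattern. The Python below is an added example, not part of this report or of any sandbox's code: it replays the report's behaviour rows as constructed event records (the event field names are this example's assumption, not a sandbox export format) and correlates them into a hollowing finding, parsing the memory-dump filename to tie the YARA hit to the injected child.

```python
"""Correlate sandbox behaviour events into a process-hollowing finding.

Added example. EVENTS is constructed by hand from this report's Signatures
section (PIDs 1656 and 1564). Field names are an assumption of this example.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\eb4412b32b90cbff3cff3a2762623f9c_JaffaCakes118.exe"
CHILD = r"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"

# Constructed input: one record per row of the report's behaviour tables.
EVENTS = [
    {"type": "process_start", "pid": 1656, "image": SAMPLE},
    {"type": "process_start", "pid": 1564, "parent": 1656, "image": CHILD},
    {"type": "privilege", "pid": 1656, "privilege": "SeDebugPrivilege"},
    {"type": "privilege", "pid": 1564, "privilege": "SeDebugPrivilege"},
] + [{"type": "write_process_memory", "pid": 1656, "target": 1564}] * 8 + [
    {"type": "set_thread_context", "pid": 1656, "target": 1564},
    {"type": "yara", "rule": "agile_net",
     "dump": "behavioral2/memory/1656-4-0x0000000005BF0000-0x0000000005C18000-memory.dmp"},
    {"type": "yara", "rule": "family_agenttesla",
     "dump": "behavioral2/memory/1564-16-0x0000000000400000-0x000000000043C000-memory.dmp"},
]

# .NET Framework utilities that ship with Windows and are frequently used as
# hollowing hosts. Their real copies live under %WINDIR%\Microsoft.NET\Framework*\v*\.
DOTNET_HOSTS = {"installutil.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe"}
LEGIT_DIR = re.compile(r"^[a-z]:\\windows\\microsoft\.net\\framework(64)?\\v[\d.]+\\", re.I)

# Sandbox dump names encode <pid>-<n>-0x<start>-0x<end>-memory.dmp.
DUMP_RE = re.compile(
    r"(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-f]+)-0x(?P<end>[0-9a-f]+)-memory\.dmp$", re.I)


def parse_dump_name(name):
    """Return pid and address range of a memory dump from its filename."""
    m = DUMP_RE.search(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "start": start, "end": end, "size": end - start}


def is_masqueraded_dotnet_host(image):
    """True when a .NET utility name runs from outside its framework directory."""
    name = image.rsplit("\\", 1)[-1].lower()
    return name in DOTNET_HOSTS and not LEGIT_DIR.match(image)


def find_hollowing(events):
    """A finding needs both WriteProcessMemory and SetThreadContext from the
    same source into the same target; context changes alone are too noisy
    (debuggers and some security products do them legitimately)."""
    images = {e["pid"]: e["image"] for e in events if e["type"] == "process_start"}
    writes = defaultdict(int)
    ctx_changes = set()
    yara_by_pid = defaultdict(list)
    for e in events:
        if e["type"] == "write_process_memory":
            writes[(e["pid"], e["target"])] += 1
        elif e["type"] == "set_thread_context":
            ctx_changes.add((e["pid"], e["target"]))
        elif e["type"] == "yara":
            yara_by_pid[parse_dump_name(e["dump"])["pid"]].append(e["rule"])

    findings = []
    for src, dst in sorted(ctx_changes):
        if writes.get((src, dst), 0) == 0:
            continue
        target_image = images.get(dst, "")
        findings.append({
            "source": src,
            "target": dst,
            "writes": writes[(src, dst)],
            "target_image": target_image,
            "masqueraded_host": is_masqueraded_dotnet_host(target_image),
            "yara_in_target": yara_by_pid.get(dst, []),
        })
    return findings


if __name__ == "__main__":
    for f in find_hollowing(EVENTS):
        print(f)
```

Two independent signals come out of this: the write-then-context-swap pair, which is the injection itself, and the masqueraded path, which is worth alerting on by itself because InstallUtil.exe has no business running from %TEMP% regardless of what was written into it. Tying the family_agenttesla hit to PID 1564 via the dump name confirms the payload landed in the hollowed child rather than in the dropper.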
Downloads

- Filesize:  41KB
  MD5:       5d4073b2eb6d217c19f2b22f21bf8d57
  SHA1:      f0209900fbf08d004b886a0b3ba33ea2b0bf9da8
  SHA256:    ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3
  SHA512:    9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159