General

  • Target

    fa1e2a719a6f5cc1413d50ffccc3fa24_JaffaCakes118

  • Size

    640KB

  • Sample

    240419-mnxnyshf8x

  • MD5

    fa1e2a719a6f5cc1413d50ffccc3fa24

  • SHA1

    90d5273a882afc7d19648a0dcb488fa885a2502f

  • SHA256

    cf080548e1b18824c38e9def91a70ef2e77114ee9f339d8154ef4f77ae22bbba

  • SHA512

    6914a0fd700ae0c49e41f36a1744b968152281be7bfc92ce8f7cefeefd201b7da6a9902853d482267521729d6bf5e858ff22b61fe79a87444fe0e155b72c5571

  • SSDEEP

    12288:4s/vsMUHlpGQfhkZM9B8GxaUYigyYNH4vbUFlc:4sH4lpGekMRlYJR4vKe

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.pss.net.pk
  • Port:
    587
  • Username:
    info@pss.net.pk
  • Password:
    AnisAhmed1980
  • Email To:
    jamesadnyy@yandex.com

Targets

    • Target

      873762-pdf.exe

    • Size

      924KB

    • MD5

      174a3ab2bbaa4e1ab786b9c98c7b3639

    • SHA1

      d0b3bccc1c855b1c59ed75c5c7d826bf168a85fb

    • SHA256

      0c81f1f9ab9a50ca7a8076384b1b46cc484f67cb0f8da081c56c9da42da4055d

    • SHA512

      51e8a01a016fa97968c814931e0ab6820e0847cbb1f2f018ceb3d25c52344ebfc47842e16c576cb15629d37e54d06e2f7ee9fd2578e7de4737ac7b9d559169a5

    • SSDEEP

      12288:GwcsGI/cg1RbcvPiaeS905fcyY+P45no+7e9o3CZq2CJSUD7pC4BLeom38/vk2E3:GmRbVcyYt1oKe9PtuSUBCerlE

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • AgentTesla payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

4
T1552

Credentials In Files

3
T1552.001

Credentials in Registry

1
T1552.002

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Collection

Data from Local System

4
T1005

Email Collection

1
T1114

Tasks