Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 04-05-2024 04:49
Behavioral task behavioral1
Sample: 1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe
Resource: win7-20240221-en
Behavioral task behavioral2
Sample: 1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe
Resource: win10v2004-20240419-en
Only behavioral1 (the Windows 7 x64 run) results appear in the sections below.
General
Target: 1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe
Size: 659KB
MD5: 1188574f43ab4949dbc23b2b0c358c64
SHA1: 71fccbdd47f6285899cf45e0ba5d532490caa8ba
SHA256: 0a5a8423274bf1f4ba1b90b99ef3efdadcb5459a519c47dc6ebb97a2065ead4c
SHA512: 93cf09dd8efbcbb353d68f0b049fca2df8f52c13a23847de24049680dcc5bd46185870db098d2c5a283a1b4f4d2a7165a3f4304c2f77447b8bb34eff8a24c723
SSDEEP: 6144:2NZuc+lNVaQsebRFxlh9jwrp5aTvAgT4RS3eATXModewM9O7vGmcqebCa3ems9t:2j+paxO8rSTmk3eA79s9yebCm
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a .NET remote access tool (RAT) and credential stealer, originally written in Visual Basic.
-
AgentTesla payload (2 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/1676-1-0x00000000002F0000-0x000000000039C000-memory.dmp | family_agenttesla
C:\Users\Admin\AppData\Local\System64 | family_agenttesla
Obfuscated with Agile.Net obfuscator (1 IoC)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource | yara_rule
behavioral1/memory/1676-2-0x0000000000210000-0x0000000000226000-memory.dmp | agile_net
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
process | description | ioc
reg.exe | Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\System64 = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\AppData\\Local\\System64"
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class (1 IoC)
Processes:
process | description | ioc
rundll32.exe | Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings
Suspicious behavior: EnumeratesProcesses (7 IoCs)
Processes:
pid | process | events
1676 | 1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe | 4
1800 | powershell.exe | 3
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1676 | 1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe
Token: SeDebugPrivilege | 1800 | powershell.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
pid | process | events
1032 | AcroRd32.exe | 2
Suspicious use of WriteProcessMemory (23 IoCs)
Processes:
source pid (process) -> target pid (process) | events
1676 (1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe) -> 2696 (cmd.exe) | 4
2696 (cmd.exe) -> 2556 (reg.exe) | 4
1676 (1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe) -> 1800 (powershell.exe) | 4
1800 (powershell.exe) -> 2832 (rundll32.exe) | 7
2832 (rundll32.exe) -> 1032 (AcroRd32.exe) | 4
Processes
(depth in brackets; PIDs taken from the WriteProcessMemory table above)
[1] C:\Users\Admin\AppData\Local\Temp\1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe (PID 1676)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cmd.exe (PID 2696)
        Command line: "cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v System64 /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Local\System64"
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\reg.exe (PID 2556)
            Command line: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v System64 /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Local\System64"
            - Adds Run key to start application
    [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1800)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Process C:\Users\Admin\AppData\Local\System64
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\rundll32.exe (PID 2832)
            Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\System64
            - Modifies registry class
            - Suspicious use of WriteProcessMemory
            [4] C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 1032)
                Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\System64"
                - Suspicious use of SetWindowsHookEx
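Two signed Windows binaries carry the dropped copy in this tree. The Run key does not point at the payload directly: it runs pcalua.exe (the Program Compatibility Assistant) with "-a <file>", which launches whatever it is given, and the odd quote placement in the REG ADD line still collapses into a single /d argument, which is why the stored value reads as one unquoted command. The PowerShell step then hands the same extensionless file to rundll32.exe shell32.dll,OpenAs_RunDLL, the Explorer "Open with" path, which is how Adobe Reader ends up as the last process. The Python below is an added example, not code from the report, the sandbox or the sample: it applies detection logic for both proxies to a few constructed Sysmon-style events modelled on this tree, plus a benign Run value as a control. The event field names and the user-writable-path heuristic are assumptions.

```python
"""Detection logic for the two LOLBin proxies in this report's process tree.

Constructed example: the events are Sysmon-style dicts modelled on the
report's REG ADD command, the Run key IoC and the rundll32 step, plus one
benign Run value as a control. They are not the sandbox's raw telemetry,
and the field names (type/pid/image/cmdline/key/value) are an assumption.
"""
import re
from collections import defaultdict

EVENTS = [
    {"type": "process_create", "pid": 2556, "ppid": 2696,
     "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": (r'REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run '
                 r'/f /v System64 /t REG_SZ /d C:\Windows\system32\pcalua.exe" '
                 r'-a C:\Users\Admin\AppData\Local\System64"')},
    {"type": "registry_set", "pid": 2556, "image": r"C:\Windows\SysWOW64\reg.exe",
     "key": r"HKU\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\System64",
     "value": r"C:\Windows\system32\pcalua.exe -a C:\Users\Admin\AppData\Local\System64"},
    {"type": "process_create", "pid": 2832, "ppid": 1800,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\System64'},
    # Benign control: an ordinary autostart entry must not produce a finding.
    {"type": "registry_set", "pid": 4242, "image": r"C:\Windows\regedit.exe",
     "key": r"HKU\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
]

# pcalua.exe -a <program>: the Program Compatibility Assistant launches <program>.
# The optional quotes cover both the odd quoting in the REG ADD line and the
# unquoted value that ends up in the registry.
PCALUA_RE = re.compile(r'pcalua(?:\.exe)?"?\s+-a\s+"?([^"]+?)"?\s*$', re.I)
# rundll32 shell32.dll,OpenAs_RunDLL <file>: the Explorer "Open with" path.
OPENAS_RE = re.compile(r'shell32\.dll,OpenAs_RunDLL\s+"?([^"]+?)"?\s*$', re.I)
RUN_KEY_RE = re.compile(r'\\CurrentVersion\\Run(?:\\|\s|$)', re.I)
REG_ADD_RE = re.compile(r'^\s*reg(?:\.exe)?\s+add\b', re.I)
# Heuristic (assumption): path fragments a standard user can write to.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\", "\\downloads\\")


def pcalua_target(text):
    """Return the program pcalua.exe is told to launch, or None."""
    m = PCALUA_RE.search(text)
    return m.group(1).strip() if m else None


def openas_target(text):
    """Return the file handed to OpenAs_RunDLL, or None."""
    m = OPENAS_RE.search(text)
    return m.group(1).strip() if m else None


def is_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def lacks_extension(path):
    """True for files like ...\\System64 that need a proxy to be executed."""
    return "." not in path.replace("\\", "/").rsplit("/", 1)[-1]


def finding(rule, pid, target, evidence):
    risky = is_user_writable(target) or lacks_extension(target)
    return {"rule": rule, "pid": pid, "target": target, "evidence": evidence,
            "severity": "high" if risky else "medium"}


def analyze(events):
    """Apply the three rules to a list of events and return the findings."""
    findings = []
    for ev in events:
        if ev["type"] == "registry_set" and RUN_KEY_RE.search(ev["key"]):
            target = pcalua_target(ev["value"])
            if target:
                findings.append(finding("run_key_pcalua_proxy", ev["pid"], target, ev["key"]))
        elif ev["type"] == "process_create":
            cmd, image = ev["cmdline"], ev["image"].lower()
            if image.endswith("\\reg.exe") and REG_ADD_RE.search(cmd) and RUN_KEY_RE.search(cmd):
                target = pcalua_target(cmd)
                if target:
                    findings.append(finding("reg_add_run_pcalua", ev["pid"], target, cmd))
            elif image.endswith("\\rundll32.exe"):
                target = openas_target(cmd)
                if target:
                    findings.append(finding("rundll32_openas_proxy", ev["pid"], target, cmd))
    return findings


def summarize(findings):
    """Group rule hits by the file they point at: one file, several proxies."""
    by_target = defaultdict(set)
    for f in findings:
        by_target[f["target"]].add(f["rule"])
    return {t: sorted(rules) for t, rules in by_target.items()}


if __name__ == "__main__":
    hits = analyze(EVENTS)
    for f in hits:
        print(f"[{f['severity']}] {f['rule']} pid={f['pid']} target={f['target']}")
    print(summarize(hits))
```

Run as-is, the script reports three high-severity hits, all on C:\Users\Admin\AppData\Local\System64, and nothing for the OneDrive control. The rules fire at two telemetry layers on purpose (the reg.exe command line and the resulting registry write), so either source alone is enough; in a real fleet a Run value that invokes pcalua.exe at all should be rare enough to review by hand.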
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
C:\Users\Admin\AppData\Local\System64
  Filesize: 659KB
  MD5: 1188574f43ab4949dbc23b2b0c358c64
  SHA1: 71fccbdd47f6285899cf45e0ba5d532490caa8ba
  SHA256: 0a5a8423274bf1f4ba1b90b99ef3efdadcb5459a519c47dc6ebb97a2065ead4c
  SHA512: 93cf09dd8efbcbb353d68f0b049fca2df8f52c13a23847de24049680dcc5bd46185870db098d2c5a283a1b4f4d2a7165a3f4304c2f77447b8bb34eff8a24c723
  Note: every hash matches the submitted sample, so System64 is a byte-identical, extensionless copy of the original executable; it is the file the Run key and the OpenAs_RunDLL step point at.
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
  Filesize: 3KB
  MD5: b3b622f33b62976b2d43593d57622079
  SHA1: b2dfa920721ea5d0ffd773bc283b2880349a0db9
  SHA256: accef3c7115a55eb7232e406fedd4a01073f211f6c2dac58e859480c1c1adbd3
  SHA512: 3ab83ab88155455aee4d432533fe78a3d3facc6e322b4f08ff0c7476d79dbf2cfae959fa78d59fa53c98a541f9230e2327261d15e0625d4fbfba1921850eb23d
  Note: Adobe Reader 9.0 profile data, consistent with AcroRd32.exe being launched on the copy (see the process tree) rather than a payload artefact.
Memory dumps (PID 1676):
memory/1676-0-0x00000000743DE000-0x00000000743DF000-memory.dmp: 4KB
memory/1676-1-0x00000000002F0000-0x000000000039C000-memory.dmp: 688KB (family_agenttesla YARA hit)
memory/1676-2-0x0000000000210000-0x0000000000226000-memory.dmp: 88KB (agile_net YARA hit)
memory/1676-3-0x00000000002C0000-0x00000000002C8000-memory.dmp: 32KB
memory/1676-4-0x00000000743D0000-0x0000000074ABE000-memory.dmp: 6.9MB
memory/1676-5-0x00000000743DE000-0x00000000743DF000-memory.dmp: 4KB
memory/1676-6-0x00000000743D0000-0x0000000074ABE000-memory.dmp: 6.9MB
memory/1676-7-0x0000000000490000-0x0000000000498000-memory.dmp: 32KB
memory/1676-9-0x00000000743D0000-0x0000000074ABE000-memory.dmp: 6.9MB