Analysis
-
max time kernel
142s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
18/05/2024, 14:33
Static task
static1
Behavioral task
behavioral1
Sample
5534d71175a8ddc713bd487ad3c4e4ab_JaffaCakes118.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
5534d71175a8ddc713bd487ad3c4e4ab_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
5534d71175a8ddc713bd487ad3c4e4ab_JaffaCakes118.exe
-
Size
739KB
-
MD5
5534d71175a8ddc713bd487ad3c4e4ab
-
SHA1
d2bf7ba7e59cef3c1b8556b44c9f1ad2845addf4
-
SHA256
4d6a4c556af5a4e4a05ca5aadb976af1f792bb509cd17cf26aa2ca3081317e3c
-
SHA512
4630b46d04dd8d305b7102b0207ea0210b3fb50400e9dfcd39eaaa711e9860ca041e13d04e7b9cbc67d28462aea6282ae5d55ba6f404cdfc5aa92ee034bb7730
-
SSDEEP
12288:Vqov2zv1grOWAOx/+jbY7GTj/YKU/pQ8mvNvbnayPu1N0xH9jsu:Vi2rOnO+jsiTzfU/pQ8cNToN0xdjs
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.privateemail.com - Port:
587 - Username:
[email protected] - Password:
QUecleanwx@22#
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload 5 IoCs
resource yara_rule behavioral1/memory/2184-18-0x0000000000400000-0x000000000043C000-memory.dmp family_agenttesla behavioral1/memory/2184-26-0x0000000000400000-0x000000000043C000-memory.dmp family_agenttesla behavioral1/memory/2184-24-0x0000000000400000-0x000000000043C000-memory.dmp family_agenttesla behavioral1/memory/2184-22-0x0000000000400000-0x000000000043C000-memory.dmp family_agenttesla behavioral1/memory/2184-19-0x0000000000400000-0x000000000043C000-memory.dmp family_agenttesla -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2060 set thread context of 2184 2060 5534d71175a8ddc713bd487ad3c4e4ab_JaffaCakes118.exe 32 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2780 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2184 5534d71175a8ddc713bd487ad3c4e4ab_JaffaCakes118.exe 2184 5534d71175a8ddc713bd487ad3c4e4ab_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2184 5534d71175a8ddc713bd487ad3c4e4ab_JaffaCakes118.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2184 5534d71175a8ddc713bd487ad3c4e4ab_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 2060 wrote to memory of 2780 2060 5534d71175a8ddc713bd487ad3c4e4ab_JaffaCakes118.exe 30 PID 2060 wrote to memory of 2780 2060 5534d71175a8ddc713bd487ad3c4e4ab_JaffaCakes118.exe 30 PID 2060 wrote to memory of 2780 2060 5534d71175a8ddc713bd487ad3c4e4ab_JaffaCakes118.exe 30 PID 2060 wrote to memory of 2780 2060 5534d71175a8ddc713bd487ad3c4e4ab_JaffaCakes118.exe 30 PID 2060 wrote to memory of 2184 2060 5534d71175a8ddc713bd487ad3c4e4ab_JaffaCakes118.exe 32 PID 2060 wrote to memory of 2184 2060 5534d71175a8ddc713bd487ad3c4e4ab_JaffaCakes118.exe 32 PID 2060 wrote to memory of 2184 2060 5534d71175a8ddc713bd487ad3c4e4ab_JaffaCakes118.exe 32 PID 2060 wrote to memory of 2184 2060 5534d71175a8ddc713bd487ad3c4e4ab_JaffaCakes118.exe 32 PID 2060 wrote to memory of 2184 2060 5534d71175a8ddc713bd487ad3c4e4ab_JaffaCakes118.exe 32 PID 2060 wrote to memory of 2184 2060 5534d71175a8ddc713bd487ad3c4e4ab_JaffaCakes118.exe 32 PID 2060 wrote to memory of 2184 2060 5534d71175a8ddc713bd487ad3c4e4ab_JaffaCakes118.exe 32 PID 2060 wrote to memory of 2184 2060 5534d71175a8ddc713bd487ad3c4e4ab_JaffaCakes118.exe 32 PID 2060 wrote to memory of 2184 2060 5534d71175a8ddc713bd487ad3c4e4ab_JaffaCakes118.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\5534d71175a8ddc713bd487ad3c4e4ab_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\5534d71175a8ddc713bd487ad3c4e4ab_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nqOncxA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9888.tmp"2⤵
- Creates scheduled task(s)
PID:2780
-
-
C:\Users\Admin\AppData\Local\Temp\5534d71175a8ddc713bd487ad3c4e4ab_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\5534d71175a8ddc713bd487ad3c4e4ab_JaffaCakes118.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2184
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5e9ed6cc5ef2658b8b8eda50f9783ee87
SHA196cd7521ffb2fda75f69e1d8c3633e6a91a93c83
SHA25623a160b97ce65b43881ad0a962b4ead8c112aee88148cfa0a818fbaf4e35e844
SHA512023fa49364d45f314947f1aa32bb1863ce7f2613a2dad7d2f886dcd678c9b8533b00c1e5b2358d3e11d09bc7fc49828b11221ceb260ba87d77823aee08c54b95