General

  • Target

    68c3a6b0643e678bd6cb7da077aa9b92_JaffaCakes118

  • Size

    449KB

  • Sample

    240522-1s4jysac4y

  • MD5

    68c3a6b0643e678bd6cb7da077aa9b92

  • SHA1

    18af0447c7091b96557d760ac33f9d2321769c60

  • SHA256

    84a432df1bac586156c07274b7c85fbb88f491d26769175c049f93d91b27bce2

  • SHA512

    77c2712d1b6be4bee7776fd70d4b83fe6dc900201b2c4d336a76ea0b65f7f4d490b03319eed5c6f01e298ef24ca31c047c7da473f9f0177ef6bbf89bc8e7d278

  • SSDEEP

    12288:FmHkos18tXvpTO42OBExwIdru/KWOjNE9YLMJ:FwdnHxRWduZOjNFoJ

Targets

    • Target

      TT WIRE PAYMENT.exe

    • Size

      461KB

    • MD5

      e7ad677d44d7652fe49e71095e2d9811

    • SHA1

      5ff65ad254c2d66fd1c616ce2de79bfcbb9c0d75

    • SHA256

      d46fdddd02a815cf2289ab5ac60007d50e846934dff9e2e4ef21059f4d270c8b

    • SHA512

      5eb458dc773ffbf65cf99733803acd6af9e7be959a7b6f2d25c418c76589b0a5204ecebff28b053567cfb22081948c1af41d68909392a76001d0f8f5545c90ff

    • SSDEEP

      12288:V73bk0H7QSv4QipraiOoiKkdLppYHQ/DQxTevD7/e:XHEm43praOmdLpKQ/DXDL

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX or a modified build of the UPX open-source packer.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15