General

  • Target

    783ad86b833161eb9575bba70db75d35_JaffaCakes118

  • Size

    1.6MB

  • Sample

    240527-hfg63sbc8w

  • MD5

    783ad86b833161eb9575bba70db75d35

  • SHA1

    b1127e07dad448e80283db5d83ae5a8c3f1f09ad

  • SHA256

    9ae747d8f3cef1d8b365a20227fbb6cd97c4896f6410521d599b9fce3f3514a2

  • SHA512

    bdc8827b06fbd43ab7066960ca72c9f2a9e246e13835fc25cf7e9f15ac140d4f4c92acb16ffa6cc514eaccdc8b92989c1c0adde5ed4df18c79f2e6a758ca5bbf

  • SSDEEP

    49152:Gu0c++OCvkGs9Fax+dMdxIj37+LIRrWY:JB3vkJ954CLJRC

Malware Config

Extracted

Credentials

  • Protocol: smtp
  • Host: mail.jamaltradingco.com
  • Port: 587
  • Username: [email protected]
  • Password: 1960hm3
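
The extracted configuration is the sample's exfiltration channel: Agent Tesla sends harvested credentials and keystrokes out over SMTP, here to mail.jamaltradingco.com on the submission port 587. The example below, added here and not part of the sandbox report, turns that configuration into connection-level IOCs and matches them against a constructed connection log. Only the host, port and protocol are used as indicators, because the username is redacted on the page. It also goes one step beyond the single IOC: any endpoint submitting mail directly to something other than the organisation's own relay is flagged, which catches the next build of the same family with a different drop mailbox. The log line format, the addresses and the relay name relay.corp.example are assumptions made for the example.

```python
"""Exfiltration IOCs from the report's extracted SMTP config, matched against
connection records. Added example, not part of the sandbox report."""
import re
from dataclasses import dataclass

# Taken from the report's "Extracted credentials" section. The username is
# elided on the page, so only host, port and protocol are usable as IOCs.
EXFIL_HOST = "mail.jamaltradingco.com"
EXFIL_PORT = 587
EXFIL_PROTO = "smtp"

# Mail submission/relay ports: a workstation talking to any of these, other
# than the organisation's own relay, is worth a look regardless of hostname.
SMTP_PORTS = {25, 465, 587}


@dataclass(frozen=True)
class ConnEvent:
    ts: str
    src: str
    dst_host: str
    dst_port: int


# Constructed connection records (hypothetical hosts and addresses), one per
# line: "<timestamp> <src> <dst_host> <dst_port>".
SAMPLE_CONN_LOG = """\
2024-05-27T10:01:02Z 10.0.0.15 ip-lookup.example 443
2024-05-27T10:01:05Z 10.0.0.15 mail.jamaltradingco.com 587
2024-05-27T10:01:09Z 10.0.0.22 relay.corp.example 587
2024-05-27T10:02:11Z 10.0.0.15 MAIL.JAMALTRADINGCO.COM 587
2024-05-27T10:03:40Z 10.0.0.30 203.0.113.5 25
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse_conn_log(text):
    """Parse the constructed record format above; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(ConnEvent(m[1], m[2], m[3], int(m[4])))
    return events


def match_exfil_ioc(events):
    """Exact IOC match on the report's SMTP host and port; hostnames are
    compared case-insensitively because resolvers and logs disagree on case."""
    return [e for e in events
            if e.dst_host.lower() == EXFIL_HOST and e.dst_port == EXFIL_PORT]


def find_direct_smtp(events, corporate_relays):
    """Behavioural hunt: direct mail submission from endpoints to anything
    other than the known relays. Catches a fresh exfil mailbox the IOC list
    does not know about yet."""
    relays = {h.lower() for h in corporate_relays}
    return [e for e in events
            if e.dst_port in SMTP_PORTS and e.dst_host.lower() not in relays]


def infected_sources(events):
    """Source addresses that reached the exfil host: the isolation list."""
    return sorted({e.src for e in match_exfil_ioc(events)})


if __name__ == "__main__":
    evts = parse_conn_log(SAMPLE_CONN_LOG)
    for e in match_exfil_ioc(evts):
        print("IOC hit:", e)
    for e in find_direct_smtp(evts, {"relay.corp.example"}):
        print("direct SMTP:", e)
    print("hosts to isolate:", infected_sources(evts))
```

The IOC match is exact and ages quickly; the direct-SMTP hunt is the durable one, and in an environment where workstations never submit mail themselves it is close to zero-noise. Treat the extracted mailbox as compromised and report it to the hosting provider rather than logging into it.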

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) and information stealer written in Visual Basic .NET. It harvests saved credentials, keystrokes and clipboard contents and sends them out over SMTP, FTP or HTTP; the extracted configuration above is this sample's SMTP channel.

    • AgentTesla payload

    • Drops startup file

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      SetThreadContext called on a thread in another process is the classic tail of process hollowing (RunPE): the payload is written into a suspended copy of a legitimate process and the main thread's entry point is redirected before it is resumed, so the stealer runs under a benign image name.
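
The four behaviour signatures above are what a sandbox derives from the API trace, and the same rules can be applied to EDR or sandbox telemetry you collect yourself. The example below, added here and not the sandbox's own detection code, maps a constructed trace onto those signature names. The process-hollowing check is a small ordered state machine over (injector, child) pairs, so a process calling SetThreadContext on one of its own threads does not fire it. The trace format, PIDs, paths, the host image name and the IP-lookup hostname ip-lookup.example are assumptions made for the example; the report does not name which lookup service the sample used.

```python
"""Map a sandbox-style API trace onto the behaviour signatures listed in the
report. Added example, not the sandbox's own detection code."""
import re

# Constructed trace lines (hypothetical PIDs, paths and URLs) in a
# "key=value key=value ..." form; quoted values may contain spaces.
SAMPLE_TRACE = r"""
pid=4100 api=CreateProcessW image="C:\Program Files\Host\host.exe" flags=CREATE_SUSPENDED child=4312
pid=4100 api=NtUnmapViewOfSection target=4312
pid=4100 api=WriteProcessMemory target=4312 size=1638400
pid=4100 api=SetThreadContext target=4312
pid=4100 api=ResumeThread target=4312
pid=4312 api=RegOpenKeyExW key="HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles"
pid=4312 api=InternetOpenUrlW url=https://ip-lookup.example/
pid=4312 api=CreateFileW path="C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"
pid=9000 api=SetThreadContext target=9000
"""

TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Ordered steps of process hollowing as seen from the injecting process. Calls
# that are not the next expected step (e.g. NtUnmapViewOfSection) are ignored
# rather than resetting the sequence.
HOLLOW_SEQUENCE = ("CreateProcessW", "WriteProcessMemory",
                   "SetThreadContext", "ResumeThread")

# Hypothetical allowlist of IP-lookup services; populate from your telemetry.
IP_LOOKUP_HOSTS = {"ip-lookup.example"}


def parse_trace(text):
    """Parse the constructed trace format into one dict per call."""
    events = []
    for line in text.splitlines():
        if line.strip():
            events.append({k: v.strip('"') for k, v in TOKEN_RE.findall(line)})
    return events


def detect_hollowing(events):
    """Return (injector_pid, child_pid) pairs where a process created another
    suspended, wrote into it, redirected a thread with SetThreadContext and
    resumed it, in that order. Same-process SetThreadContext never matches."""
    progress = {}  # (injector, child) -> index of the next expected step
    hits = []
    for e in events:
        api, pid = e.get("api"), e.get("pid")
        if (api == "CreateProcessW" and "child" in e
                and "CREATE_SUSPENDED" in e.get("flags", "")):
            progress[(pid, e["child"])] = 1
            continue
        key = (pid, e.get("target"))
        if key in progress and pid != e.get("target") \
                and api == HOLLOW_SEQUENCE[progress[key]]:
            progress[key] += 1
            if progress[key] == len(HOLLOW_SEQUENCE):
                hits.append(key)
                del progress[key]
    return hits


def accesses_outlook_profiles(events):
    """Registry reads under any Outlook\\Profiles key (stored mail credentials)."""
    return [e for e in events if e.get("api", "").startswith("RegOpenKey")
            and "\\outlook\\profiles" in e.get("key", "").lower()]


def looks_up_external_ip(events):
    """HTTP requests whose host is a known IP-lookup service."""
    out = []
    for e in events:
        host = re.sub(r"^https?://", "", e.get("url", "")).split("/")[0].lower()
        if host in IP_LOOKUP_HOSTS:
            out.append(e)
    return out


def drops_startup_file(events):
    """Files created under a per-user Start Menu Startup folder."""
    return [e for e in events if e.get("api") == "CreateFileW"
            and "\\start menu\\programs\\startup\\" in e.get("path", "").lower()]


def signatures(events):
    """Names, as the report spells them, of every signature the trace triggers."""
    checks = {
        "Suspicious use of SetThreadContext": detect_hollowing,
        "Accesses Microsoft Outlook profiles": accesses_outlook_profiles,
        "Looks up external IP address via web service": looks_up_external_ip,
        "Drops startup file": drops_startup_file,
    }
    return {name for name, fn in checks.items() if fn(events)}


if __name__ == "__main__":
    trace = parse_trace(SAMPLE_TRACE)
    print("hollowing:", detect_hollowing(trace))
    print("signatures:", sorted(signatures(trace)))
```

None of the four signatures is conclusive on its own: IP lookups and Startup-folder writes are common in legitimate software, and Outlook profile reads are normal for mail clients and migration tools. The combination, from a process that was itself hollowed, is what makes the verdict, so correlate on the child PID rather than alerting on each rule separately.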

MITRE ATT&CK Matrix (ATT&CK v13)

Tasks