General

  • Target

    90cbfa46539ce2af4b7b412269c5d5eb_JaffaCakes118

  • Size

    507KB

  • Sample

    240603-gz3rfsfe78

  • MD5

    90cbfa46539ce2af4b7b412269c5d5eb

  • SHA1

    0310bde0a978374bd424bffd70a343e0dcc5b86d

  • SHA256

    4b4395f5e2e7921f0b570a99b673000e29f44f942e94a2f4207642dda50aff12

  • SHA512

    16479d660cef0205e5f01105f36da2357acc18c914fee1dbab2ca7f5e704a8733de35d3e2ee972f7265ff1909baacb960f0cecb24fdc97a86712d7bb28fdef64

  • SSDEEP

    12288:pf6FVkT3UA6HmqZOPbizXmi1Ka47hOJC6/fa:EFKTmb4K91KlhY

Malware Config

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks