Malware Analysis Report

2025-01-19 05:03

Sample ID: 240605-jgj8hahg8x
Target: 977f9e0b8f29cfb5e26c703efe5c4122_JaffaCakes118
SHA256: b1d6e5a8a00ec4381ba324de028255abcd56c7b297cb4c1c1e9795d16b954be1
Tags: agenttesla collection keylogger spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: b1d6e5a8a00ec4381ba324de028255abcd56c7b297cb4c1c1e9795d16b954be1

Threat Level: Known bad

The file 977f9e0b8f29cfb5e26c703efe5c4122_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Tags: agenttesla collection keylogger spyware stealer trojan

AgentTesla
AgentTesla payload
Reads user/profile data of web browsers
Checks computer location settings
Reads user/profile data of local email clients
Reads data files stored by FTP clients
Reads WinSCP keys stored on the system
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
outlook_office_path
outlook_win_path
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-05 07:38

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-05 07:38
Reported: 2024-06-05 07:40
Platform: win7-20240419-en
Max time kernel: 120s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\977f9e0b8f29cfb5e26c703efe5c4122_JaffaCakes118.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

AgentTesla payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (5 entries, no details recorded)

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\977f9e0b8f29cfb5e26c703efe5c4122_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\977f9e0b8f29cfb5e26c703efe5c4122_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\977f9e0b8f29cfb5e26c703efe5c4122_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege (2 events) | N/A | C:\Users\Admin\AppData\Local\Temp\977f9e0b8f29cfb5e26c703efe5c4122_JaffaCakes118.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1960 wrote to memory of 2416 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\977f9e0b8f29cfb5e26c703efe5c4122_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1960 wrote to memory of 2496 (9 events) | N/A | C:\Users\Admin\AppData\Local\Temp\977f9e0b8f29cfb5e26c703efe5c4122_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\977f9e0b8f29cfb5e26c703efe5c4122_JaffaCakes118.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\977f9e0b8f29cfb5e26c703efe5c4122_JaffaCakes118.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\977f9e0b8f29cfb5e26c703efe5c4122_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\977f9e0b8f29cfb5e26c703efe5c4122_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\977f9e0b8f29cfb5e26c703efe5c4122_JaffaCakes118.exe"

C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yjZtcnDvVoxiY" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDE2F.tmp"

C:\Users\Admin\AppData\Local\Temp\977f9e0b8f29cfb5e26c703efe5c4122_JaffaCakes118.exe
    "{path}"

Network

N/A

Files

memory/1960-0-0x00000000746A1000-0x00000000746A2000-memory.dmp
memory/1960-1-0x00000000746A0000-0x0000000074C4B000-memory.dmp
memory/1960-2-0x00000000746A0000-0x0000000074C4B000-memory.dmp
memory/1960-3-0x00000000746A0000-0x0000000074C4B000-memory.dmp
memory/1960-4-0x00000000746A0000-0x0000000074C4B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpDE2F.tmp
MD5 4ec2edce16b9ec40e5eee6680fccb557
SHA1 266fab349460a4c92622525408efad966c682f0c
SHA256 ec19950318b990333afb18effdcafe388a4a0f955a67d3f480a1f5ba1f8d9c8c
SHA512 9beb545cd7df8ffd503ae76e19db77f280cf85bfa6010e590641163f484bff4d63fed4ff803f8aacaff574065d58ba91dee8010cbec9250264596be3666f6288

memory/2496-8-0x0000000000400000-0x0000000000466000-memory.dmp
memory/2496-21-0x0000000000400000-0x0000000000466000-memory.dmp
memory/2496-19-0x0000000000400000-0x0000000000466000-memory.dmp
memory/2496-17-0x0000000000400000-0x0000000000466000-memory.dmp
memory/2496-22-0x00000000746A0000-0x0000000074C4B000-memory.dmp
memory/2496-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2496-13-0x0000000000400000-0x0000000000466000-memory.dmp
memory/2496-11-0x0000000000400000-0x0000000000466000-memory.dmp
memory/2496-10-0x0000000000400000-0x0000000000466000-memory.dmp
memory/1960-23-0x00000000746A0000-0x0000000074C4B000-memory.dmp
memory/2496-24-0x00000000746A0000-0x0000000074C4B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-05 07:38
Reported: 2024-06-05 07:40
Platform: win10v2004-20240508-en
Max time kernel: 149s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\977f9e0b8f29cfb5e26c703efe5c4122_JaffaCakes118.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

AgentTesla payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\977f9e0b8f29cfb5e26c703efe5c4122_JaffaCakes118.exe | N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\977f9e0b8f29cfb5e26c703efe5c4122_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\977f9e0b8f29cfb5e26c703efe5c4122_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\977f9e0b8f29cfb5e26c703efe5c4122_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege (2 events) | N/A | C:\Users\Admin\AppData\Local\Temp\977f9e0b8f29cfb5e26c703efe5c4122_JaffaCakes118.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4508 wrote to memory of 4892 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\977f9e0b8f29cfb5e26c703efe5c4122_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4508 wrote to memory of 2568 (8 events) | N/A | C:\Users\Admin\AppData\Local\Temp\977f9e0b8f29cfb5e26c703efe5c4122_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\977f9e0b8f29cfb5e26c703efe5c4122_JaffaCakes118.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\977f9e0b8f29cfb5e26c703efe5c4122_JaffaCakes118.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\977f9e0b8f29cfb5e26c703efe5c4122_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\977f9e0b8f29cfb5e26c703efe5c4122_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\977f9e0b8f29cfb5e26c703efe5c4122_JaffaCakes118.exe"

C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yjZtcnDvVoxiY" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD59.tmp"

C:\Users\Admin\AppData\Local\Temp\977f9e0b8f29cfb5e26c703efe5c4122_JaffaCakes118.exe
    "{path}"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | mail.alandalustobacco.com | udp
DE | 148.251.40.138:587 | mail.alandalustobacco.com | tcp
US | 8.8.8.8:53 | 138.40.251.148.in-addr.arpa | udp
US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 6.173.189.20.in-addr.arpa | udp

Files

memory/4508-0-0x00000000749B2000-0x00000000749B3000-memory.dmp
memory/4508-1-0x00000000749B0000-0x0000000074F61000-memory.dmp
memory/4508-2-0x00000000749B0000-0x0000000074F61000-memory.dmp
memory/4508-3-0x00000000749B2000-0x00000000749B3000-memory.dmp
memory/4508-4-0x00000000749B0000-0x0000000074F61000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpD59.tmp
MD5 f984cf8e5b27f1b273e177840b4bf724
SHA1 6adc7cac1962d12329e2d1f40cf514c782609a65
SHA256 d92d99e77d790225577065a27f7ae29232c375a1bed8100fdad3f5da3b420efd
SHA512 176d083ca29622515f01cb28bd6ae675e51b671088184678066f5c55d95d4c7328fc88758699099fad9b2b0a3387d5307f55a37e04a5755a436faa636cd3d1e6

memory/2568-8-0x0000000000400000-0x0000000000466000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\977f9e0b8f29cfb5e26c703efe5c4122_JaffaCakes118.exe.log
MD5 cb76b18ebed3a9f05a14aed43d35fba6
SHA1 836a4b4e351846fca08b84149cb734cb59b8c0d6
SHA256 8d0edecf54cbbdf7981c8e41a3ed8621503188a87415f9af0fb8d890b138c349
SHA512 7631141e4a6dda29452ada666326837372cd3d045f773006f63d9eff15d9432ed00029d9108a72c1a3b858377600a2aab2c9ec03764285c8801b6019babcf21c

memory/4508-11-0x00000000749B0000-0x0000000074F61000-memory.dmp
memory/2568-12-0x00000000749B0000-0x0000000074F61000-memory.dmp
memory/2568-13-0x00000000749B0000-0x0000000074F61000-memory.dmp
memory/2568-14-0x00000000749B0000-0x0000000074F61000-memory.dmp
memory/2568-15-0x00000000749B0000-0x0000000074F61000-memory.dmp
memory/2568-16-0x00000000749B0000-0x0000000074F61000-memory.dmp
memory/2568-17-0x00000000749B0000-0x0000000074F61000-memory.dmp