Analysis

  • max time kernel
    115s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-06-2024 10:46

General

  • Target
    97ea1072cc7564dca5cd5cdc06f46477_JaffaCakes118.exe
  • Size
    660KB
  • MD5
    97ea1072cc7564dca5cd5cdc06f46477
  • SHA1
    9fc2ef97d8cbfc3bce5bf761bef1b2bea3559dbf
  • SHA256
    830c00fa954d70ef4fb399992385cbc21cd3ccfaf937ecb796c1c736b8a13556
  • SHA512
    10c06d9370ea00cc2de10141e1c5a7d50d1ee7451bcac5fece84f3465d2305cc6efc99383a7b4068bcbc7b21c8880a478996193a0e0cba0c5bb55ed08672c454
  • SSDEEP
    12288:9crNS33L10QdrXP/X+tGfn/NWQ9nad+hkSpjHqARv+5JkFfwcJaZY81X:ANA3R5drXPrf/B5HzRv+rkCPZF1X

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Modifies Windows Defender Real-time Protection settings (3 TTPs, 10 IoCs)
  • AgentTesla payload (1 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoCs)

    Looks up the country code configured in the registry, likely a geofence.

  • Executes dropped EXE (2 IoCs)
  • Reads WinSCP keys stored on the system (2 TTPs)

    Tries to access WinSCP stored sessions.

  • Reads data files stored by FTP clients (2 TTPs)

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients (2 TTPs)

    Email clients store some user data on disk, where infostealers will often target it.

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoCs)
  • Looks up external IP address via web service (2 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoCs)
  • Suspicious use of WriteProcessMemory (32 IoCs)
  • outlook_office_path (1 IoCs)
  • outlook_win_path (1 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\97ea1072cc7564dca5cd5cdc06f46477_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\97ea1072cc7564dca5cd5cdc06f46477_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1112
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\avdisble.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\avdisble.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2852
      • C:\Windows\system32\cmd.exe
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\43DF.tmp\43E0.tmp\43E1.bat C:\Users\Admin\AppData\Local\Temp\RarSFX0\avdisble.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4280
        • C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
          4⤵
          PID:4008
        • C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
          4⤵
          PID:1100
        • C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
          4⤵
          PID:512
        • C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          PID:456
        • C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          PID:2560
        • C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          PID:4992
        • C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          PID:1972
        • C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          PID:2904
        • C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
          4⤵
          PID:1444
        • C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
          4⤵
          PID:3316
        • C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
          4⤵
          PID:1436
        • C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
          4⤵
          PID:536
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\sample.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\sample.exe"
      2⤵
      • Executes dropped EXE
      • Accesses Microsoft Outlook profiles
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • outlook_office_path
      • outlook_win_path
      PID:4940

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\43DF.tmp\43E0.tmp\43E1.bat
    Filesize
    1KB
    MD5
    49910cb3f37fd8841e0d99a5d4c3a5e3
    SHA1
    da9a68b48304fe8b5ba377bc7ef06a94c649c525
    SHA256
    203995fcd8cd29dfcb929f06676c258a8b35a62719863a6dfec4aa1b0f5a0a90
    SHA512
    03281eb739041cdeffc1eab96c12d3e7d20ade1ab588af3cb7e56c1d7f83ce668290a36553f5f0a3aa119a561d8e5bf4e7ad87549bebc245d28b68c4db8f4ee9

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\avdisble.exe
    Filesize
    90KB
    MD5
    6fe5c9b4c64e330be1f56a263fbfa620
    SHA1
    764633b8102846fcbc83850178ec58ece2fa0ed0
    SHA256
    904989b89c9185917059924a585ce9c7f9d18e928bc429c2ea93d058ac73396f
    SHA512
    c2204ee708a7088c7262042d099e3942ea8c453df0c2615ae72d9f2f5b2e871c6f0fdae50459df16e3d5c103449693aac716f4a2a83408771b5c476e2fec65e4

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\sample.exe
    Filesize
    284KB
    MD5
    b247c1e7766568af825a09eb81c55936
    SHA1
    946d40d213944a4042328f79089f09069f027c99
    SHA256
    14d7bdb0ce532036ac9830842c936d22c4cac6bd3972f7dc52550bda4fd9dd64
    SHA512
    1b469808f863741811d195c55fd30acda1830dc0ffc89c0037bc5b63581391608795b6ed9708361286c65fae40ea31bf71643e2ed3f97aec44661b82ebb7c481