Malware Analysis Report

2025-01-19 05:01

Sample ID 240606-ar8t6sde97
Target 999ca0e7913ab5e72f3d01ce7833b024_JaffaCakes118
SHA256 b6616b1c6c07ec1896a546d43a0e032c7c64407c19ae902ff7c7f0231bff6f46
Tags
agenttesla collection keylogger spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b6616b1c6c07ec1896a546d43a0e032c7c64407c19ae902ff7c7f0231bff6f46

Threat Level: Known bad

The file 999ca0e7913ab5e72f3d01ce7833b024_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

agenttesla collection keylogger spyware stealer trojan upx

AgentTesla

AgentTesla payload

UPX packed file

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: MapViewOfSection

outlook_win_path

outlook_office_path

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-06 00:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-06 00:27

Reported

2024-06-06 00:31

Platform

win7-20240221-en

Max time kernel

142s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1964 set thread context of 1936 N/A C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe

"C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe"

C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe

"C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe"

Network

N/A

Files

memory/1964-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/1964-1-0x0000000002F90000-0x0000000002FA2000-memory.dmp

memory/1964-2-0x0000000002F90000-0x0000000002FA2000-memory.dmp

memory/1964-3-0x0000000001C80000-0x0000000001C81000-memory.dmp

memory/1964-5-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/1936-4-0x0000000000400000-0x0000000000484000-memory.dmp

memory/1936-8-0x0000000000400000-0x0000000000484000-memory.dmp

memory/1936-12-0x0000000000400000-0x0000000000484000-memory.dmp

memory/1936-10-0x0000000000390000-0x00000000003CC000-memory.dmp

memory/1936-9-0x0000000000400000-0x0000000000484000-memory.dmp

memory/1936-7-0x0000000000400000-0x0000000000484000-memory.dmp

memory/1936-11-0x0000000000390000-0x00000000003CC000-memory.dmp

memory/1936-23-0x0000000000400000-0x0000000000484000-memory.dmp

memory/1936-24-0x0000000000400000-0x0000000000484000-memory.dmp

memory/1936-25-0x0000000000400000-0x0000000000484000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-06 00:27

Reported

2024-06-06 00:31

Platform

win10v2004-20240508-en

Max time kernel

141s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3752 set thread context of 3488 N/A C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe

"C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe"

C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe

"C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4168,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=4292 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.12.205:443 api.ipify.org tcp
US 8.8.8.8:53 205.12.26.104.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 91.65.42.20.in-addr.arpa udp

Files

memory/3752-0-0x0000000002310000-0x0000000002311000-memory.dmp

memory/3752-2-0x00000000023A0000-0x00000000023B2000-memory.dmp

memory/3752-3-0x00000000023C0000-0x00000000023C1000-memory.dmp

memory/3488-7-0x0000000000400000-0x0000000000484000-memory.dmp

memory/3488-11-0x0000000000730000-0x000000000076C000-memory.dmp

memory/3488-12-0x0000000000400000-0x0000000000484000-memory.dmp

memory/3488-10-0x0000000000730000-0x000000000076C000-memory.dmp

memory/3752-8-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/3488-6-0x0000000000400000-0x0000000000484000-memory.dmp

memory/3488-4-0x0000000000400000-0x0000000000484000-memory.dmp

memory/3752-1-0x00000000023A0000-0x00000000023B2000-memory.dmp

memory/3488-9-0x0000000000400000-0x0000000000484000-memory.dmp

memory/3488-23-0x0000000000400000-0x0000000000484000-memory.dmp