Analysis Overview
SHA256
b6616b1c6c07ec1896a546d43a0e032c7c64407c19ae902ff7c7f0231bff6f46
Threat Level: Known bad
The file 999ca0e7913ab5e72f3d01ce7833b024_JaffaCakes118 was classified as Known bad. It was detonated under the name invoice copy.pdf.exe, a double-extension lure that Explorer displays as "invoice copy.pdf" when known extensions are hidden.
Malicious Activity Summary
AgentTesla
AgentTesla payload
UPX packed file
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: MapViewOfSection
outlook_win_path
outlook_office_path
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-06 00:27
Signatures
Unsigned PE
No indicator details recorded.
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-06 00:27
Reported
2024-06-06 00:31
Platform
win7-20240221-en
Max time kernel
142s
Max time network
122s
Command Line
Signatures
AgentTesla
AgentTesla payload
8 matches, no indicator details recorded.
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
5 matches, no indicator details recorded.
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1964 set thread context of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe | C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1964 wrote to memory of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe | C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe |
| PID 1964 wrote to memory of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe | C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe |
| PID 1964 wrote to memory of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe | C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe |
| PID 1964 wrote to memory of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe | C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe |
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe"
C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe"
Network
Files
memory/1964-0-0x00000000001B0000-0x00000000001B1000-memory.dmp
memory/1964-1-0x0000000002F90000-0x0000000002FA2000-memory.dmp
memory/1964-2-0x0000000002F90000-0x0000000002FA2000-memory.dmp
memory/1964-3-0x0000000001C80000-0x0000000001C81000-memory.dmp
memory/1964-5-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/1936-4-0x0000000000400000-0x0000000000484000-memory.dmp
memory/1936-8-0x0000000000400000-0x0000000000484000-memory.dmp
memory/1936-12-0x0000000000400000-0x0000000000484000-memory.dmp
memory/1936-10-0x0000000000390000-0x00000000003CC000-memory.dmp
memory/1936-9-0x0000000000400000-0x0000000000484000-memory.dmp
memory/1936-7-0x0000000000400000-0x0000000000484000-memory.dmp
memory/1936-11-0x0000000000390000-0x00000000003CC000-memory.dmp
memory/1936-23-0x0000000000400000-0x0000000000484000-memory.dmp
memory/1936-24-0x0000000000400000-0x0000000000484000-memory.dmp
memory/1936-25-0x0000000000400000-0x0000000000484000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-06 00:27
Reported
2024-06-06 00:31
Platform
win10v2004-20240508-en
Max time kernel
141s
Max time network
126s
Command Line
Signatures
AgentTesla
AgentTesla payload
6 matches, no indicator details recorded.
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
5 matches, no indicator details recorded.
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3752 set thread context of 3488 | N/A | C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe | C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3752 wrote to memory of 3488 | N/A | C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe | C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe |
| PID 3752 wrote to memory of 3488 | N/A | C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe | C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe |
| PID 3752 wrote to memory of 3488 | N/A | C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe | C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe |
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe | N/A |
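The signature rows in both detonations describe one chain: the dropper adjusts its token for SeDebugPrivilege, starts a second copy of itself, writes into it several times, resets a thread context in it (the process-hollowing pattern), and the resulting process opens the Outlook profile keys and resolves api.ipify.org. The script below is an added example, not the sandbox vendor's code and not anything recovered from the sample: it turns those rows into a small event stream and runs the detection logic a triage pipeline would apply. The EVENTS list is constructed by hand from the behavioral2 rows above; the report gives no PIDs for the registry and DNS rows, so attributing them to the child process 3488 is an assumption, as is the list of IP-lookup domains beyond api.ipify.org and the ATT&CK mapping in triage().

```python
"""Triage logic over sandbox-style behavioural events (added example).

EVENTS mirrors the behavioral2 signature rows; PIDs on the RegOpenKey and
DnsQuery records are assumed (the report does not give them), and the
ATT&CK IDs in triage() are my mapping, not the report's.
"""
import re
from collections import defaultdict

SAMPLE_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe"
USER_SID = "S-1-5-21-1181767204-2009306918-3718769404-1000"   # from the report
PROFILE_GUID = "9375CFF0413111d3B88A00104B2A6676"             # from the report


def user_key(suffix):
    """Build a HKU key path under the report's user SID."""
    return "\\REGISTRY\\USER\\" + USER_SID + "\\" + suffix


OUTLOOK_KEYS = [
    user_key(p + "\\Outlook\\" + PROFILE_GUID) for p in (
        r"Software\Microsoft\Office\15.0\Outlook\Profiles",
        r"Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles",
        r"Software\Microsoft\Office\16.0\Outlook\Profiles",
    )
]

# Constructed event stream modelled on the behavioral2 signature tables.
EVENTS = (
    [{"event": "AdjustPrivilegeToken", "pid": 3752, "image": SAMPLE_IMAGE,
      "token": "SeDebugPrivilege"}]
    + [{"event": "WriteProcessMemory", "pid": 3752, "image": SAMPLE_IMAGE,
        "target_pid": 3488, "target_image": SAMPLE_IMAGE} for _ in range(3)]
    + [{"event": "SetThreadContext", "pid": 3752, "image": SAMPLE_IMAGE,
        "target_pid": 3488, "target_image": SAMPLE_IMAGE}]
    + [{"event": "RegOpenKey", "pid": 3488, "image": SAMPLE_IMAGE, "key": k}
       for k in OUTLOOK_KEYS]                                  # PID assumed
    + [{"event": "DnsQuery", "pid": 3488, "image": SAMPLE_IMAGE,
        "domain": "api.ipify.org"}]                            # PID assumed
)

# Named after the report's two Outlook signatures; the regexes are mine.
CRED_STORE_PATTERNS = {
    "outlook_office_path": re.compile(
        r"\\Software\\Microsoft\\Office\\\d+\.\d+\\Outlook\\Profiles\\", re.I),
    "outlook_win_path": re.compile(
        r"\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\", re.I),
}
# api.ipify.org is from the report; the others are well-known lookup services I added.
IP_LOOKUP_DOMAINS = {"api.ipify.org", "ip-api.com", "icanhazip.com", "checkip.dyndns.org"}


def find_self_injection(events):
    """(source, target) pairs where one process both wrote into another and reset
    a thread context in it, and both run the same image file (hollowing a copy of
    itself). Row order is not relied on: the report groups rows by signature."""
    writes, contexts = defaultdict(int), {}
    for ev in events:
        if ev["event"] not in ("WriteProcessMemory", "SetThreadContext"):
            continue
        pair = (ev["pid"], ev["target_pid"])
        if ev["event"] == "WriteProcessMemory":
            writes[pair] += 1
        else:
            contexts[pair] = (ev["image"], ev["target_image"])
    return [{"source": s, "target": t, "writes": writes[(s, t)], "image": src}
            for (s, t), (src, dst) in sorted(contexts.items())
            if writes[(s, t)] and src.lower() == dst.lower()]


def find_credential_store_reads(events):
    """Deduplicated (signature, pid, key) hits for opened Outlook profile keys."""
    hits = set()
    for ev in events:
        if ev["event"] == "RegOpenKey":
            for name, pat in CRED_STORE_PATTERNS.items():
                if pat.search(ev["key"]):
                    hits.add((name, ev["pid"], ev["key"]))
    return sorted(hits)


def find_external_ip_lookups(events):
    """Queried domains that belong to public external-IP lookup services."""
    return sorted({ev["domain"].lower() for ev in events
                   if ev["event"] == "DnsQuery" and ev["domain"].lower() in IP_LOOKUP_DOMAINS})


def triage(events):
    inj = find_self_injection(events)
    creds = find_credential_store_reads(events)
    ips = find_external_ip_lookups(events)
    sedebug = any(ev["event"] == "AdjustPrivilegeToken" and ev.get("token") == "SeDebugPrivilege"
                  for ev in events)
    techniques = ([["T1055.012"], []][not inj]          # Process Hollowing (my mapping)
                  + [["T1555"], []][not creds]          # Credentials from Password Stores
                  + [["T1016"], []][not ips])           # System Network Configuration Discovery
    # Hollowing plus a mail-profile read is the stealer pattern; either alone is only suspicious.
    verdict = ("malicious" if inj and creds
               else "suspicious" if (inj or creds or sedebug) else "clean")
    return {"verdict": verdict, "techniques": techniques, "injection": inj,
            "credential_reads": len(creds), "ip_lookups": ips, "sedebug": sedebug}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(EVENTS), indent=2))
```

The same-image test in find_self_injection() is what separates this pattern from a debugger or an instrumented test harness writing into an unrelated child; it is also why the report's Target column (identical path to Process) is the field worth alerting on, not WriteProcessMemory by itself.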
Processes
C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe"
C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4168,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=4292 /prefetch:8
Network (only the api.ipify.org query and the following TCP/443 connection to 104.26.12.205 are tied to the sample by the signature above; the in-addr.arpa PTR queries and the tse1.mm.bing.net connections carry no process attribution in this report)
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 205.12.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 91.65.42.20.in-addr.arpa | udp |
Files
memory/3752-0-0x0000000002310000-0x0000000002311000-memory.dmp
memory/3752-2-0x00000000023A0000-0x00000000023B2000-memory.dmp
memory/3752-3-0x00000000023C0000-0x00000000023C1000-memory.dmp
memory/3488-7-0x0000000000400000-0x0000000000484000-memory.dmp
memory/3488-11-0x0000000000730000-0x000000000076C000-memory.dmp
memory/3488-12-0x0000000000400000-0x0000000000484000-memory.dmp
memory/3488-10-0x0000000000730000-0x000000000076C000-memory.dmp
memory/3752-8-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/3488-6-0x0000000000400000-0x0000000000484000-memory.dmp
memory/3488-4-0x0000000000400000-0x0000000000484000-memory.dmp
memory/3752-1-0x00000000023A0000-0x00000000023B2000-memory.dmp
memory/3488-9-0x0000000000400000-0x0000000000484000-memory.dmp
memory/3488-23-0x0000000000400000-0x0000000000484000-memory.dmp
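The Files listings for both detonations name memory dumps by PID and address range, and they say something the signature tables do not: the dropper (1964 / 3752) holds a 0xB0000-byte region at 0x400000, while the child it wrote into (1936 / 3488) holds a 0x84000-byte region at the same address, in both runs, plus a second 0x3C000-byte private region. The script below is an added example, not part of the report and not the sandbox's code; the dump names are copied from the two listings above. Treating 0x400000 as the image base of both 32-bit processes, and reading a different region size at that base in the child as its original image having been replaced by the written-in payload, is my inference from the injection rows, not a statement the report makes.

```python
"""Compare the region at the image base between injecting parent and injected
child, from the sandbox's memory-dump file names (added example).

Dump names are copied from the report's Files listings. 0x400000 as the image
base and "different size means replaced image" are my inferences."""
import re
from collections import Counter, defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")

BEHAVIORAL1_DUMPS = """
memory/1964-0-0x00000000001B0000-0x00000000001B1000-memory.dmp
memory/1964-1-0x0000000002F90000-0x0000000002FA2000-memory.dmp
memory/1964-2-0x0000000002F90000-0x0000000002FA2000-memory.dmp
memory/1964-3-0x0000000001C80000-0x0000000001C81000-memory.dmp
memory/1964-5-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/1936-4-0x0000000000400000-0x0000000000484000-memory.dmp
memory/1936-8-0x0000000000400000-0x0000000000484000-memory.dmp
memory/1936-12-0x0000000000400000-0x0000000000484000-memory.dmp
memory/1936-10-0x0000000000390000-0x00000000003CC000-memory.dmp
memory/1936-9-0x0000000000400000-0x0000000000484000-memory.dmp
memory/1936-7-0x0000000000400000-0x0000000000484000-memory.dmp
memory/1936-11-0x0000000000390000-0x00000000003CC000-memory.dmp
memory/1936-23-0x0000000000400000-0x0000000000484000-memory.dmp
memory/1936-24-0x0000000000400000-0x0000000000484000-memory.dmp
memory/1936-25-0x0000000000400000-0x0000000000484000-memory.dmp
""".split()

BEHAVIORAL2_DUMPS = """
memory/3752-0-0x0000000002310000-0x0000000002311000-memory.dmp
memory/3752-2-0x00000000023A0000-0x00000000023B2000-memory.dmp
memory/3752-3-0x00000000023C0000-0x00000000023C1000-memory.dmp
memory/3488-7-0x0000000000400000-0x0000000000484000-memory.dmp
memory/3488-11-0x0000000000730000-0x000000000076C000-memory.dmp
memory/3488-12-0x0000000000400000-0x0000000000484000-memory.dmp
memory/3488-10-0x0000000000730000-0x000000000076C000-memory.dmp
memory/3752-8-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/3488-6-0x0000000000400000-0x0000000000484000-memory.dmp
memory/3488-4-0x0000000000400000-0x0000000000484000-memory.dmp
memory/3752-1-0x00000000023A0000-0x00000000023B2000-memory.dmp
memory/3488-9-0x0000000000400000-0x0000000000484000-memory.dmp
memory/3488-23-0x0000000000400000-0x0000000000484000-memory.dmp
""".split()


def parse_dumps(names):
    """pid -> Counter of (start, end) regions, counting how often each was dumped."""
    regions = defaultdict(Counter)
    for name in names:
        m = DUMP_RE.match(name)
        if m:
            regions[int(m["pid"])][(int(m["start"], 16), int(m["end"], 16))] += 1
    return regions


def region_at(regions, base):
    """The (start, end) region that begins exactly at base, or None."""
    return next((r for r in regions if r[0] == base), None)


def compare_images(names, parent, child, base=0x400000):
    """Size of the image-base region in parent and child, whether they differ,
    and the sizes of the child's other dumped regions."""
    regions = parse_dumps(names)
    p, c = region_at(regions[parent], base), region_at(regions[child], base)
    p_size = p[1] - p[0] if p else None
    c_size = c[1] - c[0] if c else None
    return {
        "parent_image_size": p_size,
        "child_image_size": c_size,
        "replaced": p_size is not None and c_size is not None and p_size != c_size,
        "child_image_dumps": regions[child][c] if c else 0,
        "other_child_region_sizes": sorted(e - s for (s, e) in regions[child] if s != base),
    }


if __name__ == "__main__":
    for label, names, parent, child in (("behavioral1", BEHAVIORAL1_DUMPS, 1964, 1936),
                                        ("behavioral2", BEHAVIORAL2_DUMPS, 3752, 3488)):
        print(label, {k: (hex(v) if isinstance(v, int) and k.endswith("size") else v)
                      for k, v in compare_images(names, parent, child).items()})
```

Identical sizes on Windows 7 and Windows 10 (0xB0000 for the UPX-packed dropper, 0x84000 for the image in the child, 0x3C000 for the child's second region) are what make these dumps useful beyond a single run: the 0x84000 region in the child is where the AgentTesla payload signature is expected to match, and its constant size is a property of the sample rather than of the platform.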