Analysis Overview
SHA256
3d1d3c576e778ffa4f35de33693c32e6802f2a362ec953efaa2ed6c02c7052e5
Threat Level: Known bad
The file a6e823a5b373c89d5b5a0dc239b56bd9_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
AgentTesla
AgentTesla payload
Reads user/profile data of web browsers
Checks computer location settings
Reads user/profile data of local email clients
Reads data files stored by FTP clients
Reads WinSCP keys stored on the system
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Creates scheduled task(s)
outlook_office_path
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
outlook_win_path
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-13 22:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 22:33
Reported
2024-06-13 22:35
Platform
win7-20240508-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
AgentTesla
AgentTesla payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\1nkjH2Sua25O2db.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\1nkjH2Sua25O2db.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\1nkjH2Sua25O2db.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1944 set thread context of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\1nkjH2Sua25O2db.exe | C:\Users\Admin\AppData\Local\Temp\1nkjH2Sua25O2db.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1nkjH2Sua25O2db.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1nkjH2Sua25O2db.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1nkjH2Sua25O2db.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1nkjH2Sua25O2db.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\1nkjH2Sua25O2db.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\1nkjH2Sua25O2db.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1nkjH2Sua25O2db.exe
"C:\Users\Admin\AppData\Local\Temp\1nkjH2Sua25O2db.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pQeazPavHGaD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBC5D.tmp"
C:\Users\Admin\AppData\Local\Temp\1nkjH2Sua25O2db.exe
"{path}"
Network
Files
memory/1944-0-0x00000000748DE000-0x00000000748DF000-memory.dmp
memory/1944-1-0x0000000000020000-0x000000000009C000-memory.dmp
memory/1944-2-0x0000000000470000-0x000000000047A000-memory.dmp
memory/1944-3-0x00000000748DE000-0x00000000748DF000-memory.dmp
memory/1944-4-0x00000000748D0000-0x0000000074FBE000-memory.dmp
memory/1944-5-0x0000000001F80000-0x0000000001FD4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpBC5D.tmp
| MD5 | cde6790794e7df4d48945c896beaab08 |
| SHA1 | 76a13928569774632b6016fcbdf3af1c81eab3a8 |
| SHA256 | f061496d7b39114f5f8b1c907b92da979fd0fba0625f60eecb719a4692a18d42 |
| SHA512 | 09eb68b04a77bebc67ecb473272980c6b8583d879009b39be11121f7281f820e8f83dd7a5da6fc64aa2bbd422132a9314dae22d547de570b0eadc6a4d04cf88b |
memory/2672-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2672-19-0x0000000000400000-0x000000000044C000-memory.dmp
memory/2672-17-0x0000000000400000-0x000000000044C000-memory.dmp
memory/2672-15-0x0000000000400000-0x000000000044C000-memory.dmp
memory/2672-9-0x0000000000400000-0x000000000044C000-memory.dmp
memory/2672-12-0x0000000000400000-0x000000000044C000-memory.dmp
memory/2672-11-0x0000000000400000-0x000000000044C000-memory.dmp
memory/2672-10-0x0000000000400000-0x000000000044C000-memory.dmp
memory/1944-20-0x00000000748D0000-0x0000000074FBE000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 22:33
Reported
2024-06-13 22:35
Platform
win10v2004-20240508-en
Max time kernel
100s
Max time network
84s
Command Line
Signatures
AgentTesla
AgentTesla payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1nkjH2Sua25O2db.exe | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\1nkjH2Sua25O2db.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\1nkjH2Sua25O2db.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\1nkjH2Sua25O2db.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3528 set thread context of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\1nkjH2Sua25O2db.exe | C:\Users\Admin\AppData\Local\Temp\1nkjH2Sua25O2db.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1nkjH2Sua25O2db.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1nkjH2Sua25O2db.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1nkjH2Sua25O2db.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1nkjH2Sua25O2db.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1nkjH2Sua25O2db.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1nkjH2Sua25O2db.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1nkjH2Sua25O2db.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\1nkjH2Sua25O2db.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\1nkjH2Sua25O2db.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1nkjH2Sua25O2db.exe
"C:\Users\Admin\AppData\Local\Temp\1nkjH2Sua25O2db.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pQeazPavHGaD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE7B0.tmp"
C:\Users\Admin\AppData\Local\Temp\1nkjH2Sua25O2db.exe
"{path}"
C:\Users\Admin\AppData\Local\Temp\1nkjH2Sua25O2db.exe
"{path}"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | triathlon-batteries-uk.com | udp |
Files
memory/3528-0-0x00007FFC28E70000-0x00007FFC29065000-memory.dmp
memory/3528-1-0x0000000000190000-0x000000000020C000-memory.dmp
memory/3528-2-0x0000000005000000-0x00000000055A4000-memory.dmp
memory/3528-3-0x0000000004AF0000-0x0000000004B82000-memory.dmp
memory/3528-4-0x0000000004C30000-0x0000000004CCC000-memory.dmp
memory/3528-5-0x0000000004A50000-0x0000000004A5A000-memory.dmp
memory/3528-6-0x00007FFC28E70000-0x00007FFC29065000-memory.dmp
memory/3528-7-0x0000000005890000-0x00000000058E4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpE7B0.tmp
| MD5 | 2bbde5fa9c70e9577c2225f0143c27bc |
| SHA1 | 1164a356af21c78f4c4c11911308fd9e31617131 |
| SHA256 | 03e1e0acc184ac69b78dffea6745eeb61857a7fca1ab26df942a31c921ab3e4a |
| SHA512 | bde40a9de993ee50f1f9ea49696beff674e0eb2574273fd9c990d3cd0ff9859189a2fa003e58adc29c107bc74fd3941ea25c0bf83e7e7389aa69469949e55170 |
memory/2280-11-0x0000000000400000-0x000000000044C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1nkjH2Sua25O2db.exe.log
| MD5 | 76ffb2f33cb32ade8fc862a67599e9d8 |
| SHA1 | 920cc4ab75b36d2f9f6e979b74db568973c49130 |
| SHA256 | f1a3724670e3379318ec9c73f6f39058cab0ab013ba3cd90c047c3d701362310 |
| SHA512 | f33502c2e1bb30c05359bfc6819ca934642a1e01874e3060349127d792694d56ad22fccd6c9477b8ee50d66db35785779324273f509576b48b7f85577e001b4e |
memory/3528-14-0x00007FFC28E70000-0x00007FFC29065000-memory.dmp
memory/2280-15-0x00007FFC28E70000-0x00007FFC29065000-memory.dmp
memory/2280-16-0x0000000005770000-0x0000000005788000-memory.dmp
memory/2280-17-0x00000000059B0000-0x0000000005A16000-memory.dmp
memory/2280-18-0x0000000006AA0000-0x0000000006AF0000-memory.dmp
memory/2280-19-0x0000000007130000-0x000000000713A000-memory.dmp
memory/2280-20-0x00007FFC28E70000-0x00007FFC29065000-memory.dmp