Analysis
max time kernel: 147s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240611-en locale:en-us os:windows10-2004-x64 system
submitted: 13-06-2024 06:58
Static task: static1
Behavioral task: behavioral1
Sample: a45093c46a998137b18e4ec60a7341da_JaffaCakes118.ps1
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: a45093c46a998137b18e4ec60a7341da_JaffaCakes118.ps1
Resource: win10v2004-20240611-en
General
Target: a45093c46a998137b18e4ec60a7341da_JaffaCakes118.ps1
Size: 2.5MB
MD5: a45093c46a998137b18e4ec60a7341da
SHA1: 970747f951a674c58a12fffea58d06e78958b0be
SHA256: a3b029d42bd7d807c09240ae9002750c41f0e7e840ac97e7c069d3123510f098
SHA512: bd7f5313e64065db40a464468a7d658193cbcc27147e90eec3f2d49f71937a91e43a09734ef7e6b6f0509ff3704aa5622345e666dbb694282c5f72515a3b0122
SSDEEP: 24576:iw2O9/TgwrSUhVPHahmorI0hnvUwLS4VaVKrYlKgsvcRhyG+ryWkLNwm7MCH5mpK:z95cwOI0ZhHRwllR6idC1pqr88oBY
Malware Config
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
AgentTesla payload 12 IoCs
Processes:
resource yara_rule
behavioral2/memory/4552-24-0x0000000000800000-0x0000000000890000-memory.dmp family_agenttesla
behavioral2/memory/4552-41-0x0000000000800000-0x0000000000890000-memory.dmp family_agenttesla
behavioral2/memory/4552-44-0x0000000000800000-0x0000000000890000-memory.dmp family_agenttesla
behavioral2/memory/4552-46-0x0000000000800000-0x0000000000890000-memory.dmp family_agenttesla
behavioral2/memory/4552-43-0x0000000000800000-0x0000000000890000-memory.dmp family_agenttesla
behavioral2/memory/4552-38-0x0000000000800000-0x0000000000890000-memory.dmp family_agenttesla
behavioral2/memory/4552-37-0x0000000000800000-0x0000000000890000-memory.dmp family_agenttesla
behavioral2/memory/4552-35-0x0000000000800000-0x0000000000890000-memory.dmp family_agenttesla
behavioral2/memory/4552-33-0x0000000000800000-0x0000000000890000-memory.dmp family_agenttesla
behavioral2/memory/4552-31-0x0000000000800000-0x0000000000890000-memory.dmp family_agenttesla
behavioral2/memory/4552-30-0x0000000000800000-0x0000000000890000-memory.dmp family_agenttesla
behavioral2/memory/4552-32-0x0000000000800000-0x0000000000890000-memory.dmp family_agenttesla
Drops startup file 1 IoCs
Processes: vjcg.exe
description ioc process
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\diskraid.url vjcg.exe
Executes dropped EXE 2 IoCs
Processes: vjcg.exe, NANO no startup.exe
pid process
2448 vjcg.exe
3016 NANO no startup.exe
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes: RegSvcs.exe
description ioc process
Key opened \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe
Key opened \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe
Key opened \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe
Checks whether UAC is enabled
Processes: NANO no startup.exe
description ioc process
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA NANO no startup.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc
43 checkip.amazonaws.com
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule
C:\Users\Public\vjcg.exe autoit_exe
Suspicious use of SetThreadContext 1 IoCs
Processes: vjcg.exe
description pid process target process
PID 2448 set thread context of 4552 2448 vjcg.exe RegSvcs.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes: powershell.exe, RegSvcs.exe, NANO no startup.exe
pid process
4792 powershell.exe
4792 powershell.exe
4552 RegSvcs.exe
4552 RegSvcs.exe
3016 NANO no startup.exe
3016 NANO no startup.exe
3016 NANO no startup.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: NANO no startup.exe
pid process
3016 NANO no startup.exe
Suspicious behavior: SetClipboardViewer 1 IoCs
Processes: RegSvcs.exe
pid process
4552 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: powershell.exe, RegSvcs.exe, NANO no startup.exe
description pid process
Token: SeDebugPrivilege 4792 powershell.exe
Token: SeDebugPrivilege 4552 RegSvcs.exe
Token: SeDebugPrivilege 3016 NANO no startup.exe
Suspicious use of FindShellTrayWindow 3 IoCs
Processes: vjcg.exe
pid process
2448 vjcg.exe
2448 vjcg.exe
2448 vjcg.exe
Suspicious use of SendNotifyMessage 3 IoCs
Processes: vjcg.exe
pid process
2448 vjcg.exe
2448 vjcg.exe
2448 vjcg.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: RegSvcs.exe
pid process
4552 RegSvcs.exe
Suspicious use of WriteProcessMemory 11 IoCs
Processes: powershell.exe, vjcg.exe, RegSvcs.exe
description pid process target process
PID 4792 wrote to memory of 2448 4792 powershell.exe vjcg.exe
PID 4792 wrote to memory of 2448 4792 powershell.exe vjcg.exe
PID 4792 wrote to memory of 2448 4792 powershell.exe vjcg.exe
PID 2448 wrote to memory of 4552 2448 vjcg.exe RegSvcs.exe
PID 2448 wrote to memory of 4552 2448 vjcg.exe RegSvcs.exe
PID 2448 wrote to memory of 4552 2448 vjcg.exe RegSvcs.exe
PID 2448 wrote to memory of 4552 2448 vjcg.exe RegSvcs.exe
PID 2448 wrote to memory of 4552 2448 vjcg.exe RegSvcs.exe
PID 4552 wrote to memory of 3016 4552 RegSvcs.exe NANO no startup.exe
PID 4552 wrote to memory of 3016 4552 RegSvcs.exe NANO no startup.exe
PID 4552 wrote to memory of 3016 4552 RegSvcs.exe NANO no startup.exe
outlook_office_path 1 IoCs
Processes: RegSvcs.exe
description ioc process
Key opened \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe
outlook_win_path 1 IoCs
Processes: RegSvcs.exe
description ioc process
Key opened \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe
Processes
Process (tree level 1): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\a45093c46a998137b18e4ec60a7341da_JaffaCakes118.ps1
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4792
Process (tree level 2): C:\Users\Public\vjcg.exe
Command line: "C:\Users\Public\vjcg.exe"
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 2448
Process (tree level 3): C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID: 4552
Process (tree level 4): C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NANO no startup.exe
Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NANO no startup.exe"
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID: 3016
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hht3mlqg.buk.ps1
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NANO no startup.exe
Filesize: 202KB
MD5: 898055fa90ac8489dfe21df5002f4027
SHA1: 337b7d4c782d8bef058f4abc65936fe7199aa60b
SHA256: 82c18f8a811e1f42df938b60d9bd770fe691bd595b9f00275ae8c6a5070b31d7
SHA512: fa9a07f720b9950ef00ad6f73426b63a1dd9c2ce020df2668c57d02faf00406849a855071becf078170fa49c1c97816eb93bbb8e393f675e3e78a196c1fbdbe9
-
C:\Users\Public\vjcg.exe
Filesize: 1.8MB
MD5: e0c0de2b3f8eda6c1f7a1ab3bd29ce87
SHA1: 555e20c0382390f3a2e66e8ff3f7561499fc133c
SHA256: 6a8ef26a45a7de1490578ee4ba07f1057129c56989e58651e5e01bfe62e4296f
SHA512: a489cf3e37e15f7776f554998e8bef83ad0582e251d136a38c5786676f2233f08cdaababbf33865cdde7d51e5da5ae1febe7fd4c865bdc98fa7c3768aecd9bca
-
memory/2448-23-0x0000000003500000-0x0000000003501000-memory.dmp Filesize: 4KB
-
memory/4552-49-0x0000000005200000-0x0000000005292000-memory.dmp Filesize: 584KB
-
memory/4552-37-0x0000000000800000-0x0000000000890000-memory.dmp Filesize: 576KB
-
memory/4552-66-0x0000000073790000-0x0000000073F40000-memory.dmp Filesize: 7.7MB
-
memory/4552-65-0x000000007379E000-0x000000007379F000-memory.dmp Filesize: 4KB
-
memory/4552-24-0x0000000000800000-0x0000000000890000-memory.dmp Filesize: 576KB
-
memory/4552-29-0x000000007379E000-0x000000007379F000-memory.dmp Filesize: 4KB
-
memory/4552-41-0x0000000000800000-0x0000000000890000-memory.dmp Filesize: 576KB
-
memory/4552-44-0x0000000000800000-0x0000000000890000-memory.dmp Filesize: 576KB
-
memory/4552-46-0x0000000000800000-0x0000000000890000-memory.dmp Filesize: 576KB
-
memory/4552-43-0x0000000000800000-0x0000000000890000-memory.dmp Filesize: 576KB
-
memory/4552-47-0x00000000050C0000-0x000000000515C000-memory.dmp Filesize: 624KB
-
memory/4552-48-0x0000000005710000-0x0000000005CB4000-memory.dmp Filesize: 5.6MB
-
memory/4552-64-0x0000000006A50000-0x0000000006A5A000-memory.dmp Filesize: 40KB
-
memory/4552-38-0x0000000000800000-0x0000000000890000-memory.dmp Filesize: 576KB
-
memory/4552-50-0x0000000005CC0000-0x0000000005CD8000-memory.dmp Filesize: 96KB
-
memory/4552-62-0x0000000006AD0000-0x0000000006B20000-memory.dmp Filesize: 320KB
-
memory/4552-51-0x0000000005E60000-0x0000000005EC6000-memory.dmp Filesize: 408KB
-
memory/4552-35-0x0000000000800000-0x0000000000890000-memory.dmp Filesize: 576KB
-
memory/4552-33-0x0000000000800000-0x0000000000890000-memory.dmp Filesize: 576KB
-
memory/4552-31-0x0000000000800000-0x0000000000890000-memory.dmp Filesize: 576KB
-
memory/4552-30-0x0000000000800000-0x0000000000890000-memory.dmp Filesize: 576KB
-
memory/4552-32-0x0000000000800000-0x0000000000890000-memory.dmp Filesize: 576KB
-
memory/4552-52-0x0000000073790000-0x0000000073F40000-memory.dmp Filesize: 7.7MB
-
memory/4552-61-0x0000000006710000-0x000000000671A000-memory.dmp Filesize: 40KB
-
memory/4792-1-0x0000025772F10000-0x0000025772F32000-memory.dmp Filesize: 136KB
-
memory/4792-12-0x00007FFFA8220000-0x00007FFFA8CE1000-memory.dmp Filesize: 10.8MB
-
memory/4792-0-0x00007FFFA8223000-0x00007FFFA8225000-memory.dmp Filesize: 8KB
-
memory/4792-11-0x00007FFFA8220000-0x00007FFFA8CE1000-memory.dmp Filesize: 10.8MB
-
memory/4792-19-0x00007FFFA8220000-0x00007FFFA8CE1000-memory.dmp Filesize: 10.8MB