General

  • Target

    ac5d728b6b3d733d23a422e400aa8fc0_JaffaCakes118

  • Size

    1.4MB

  • Sample

    240615-blzjzstemh

  • MD5

    ac5d728b6b3d733d23a422e400aa8fc0

  • SHA1

    f8a815920096ebeb5079d20bd126fe1a8e99db9e

  • SHA256

    f675f9afcc24c1090a9ae0057f4197cf0b370725c9747489621c554499292317

  • SHA512

    1cce74930c6ca5d731964acbaa7a6f700b7f60004e16464dd8050d2021ee98554a945fb60a3ec28b91174d8eb307c65c58bf9ece6d1efdb2e5e889aaaa2fa18c

  • SSDEEP

    24576:su6Jx3O0c+JY5UZ+XC0kGso/WaudLwgK2tpBbga71WY:2I0c++OCvkGsUWauiY

Malware Config

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Drops file in Drivers directory

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies, and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks