General

  • Target

    ac87ea1feb04a537ded074ed6decc498_JaffaCakes118

  • Size

    1001KB

  • Sample

    240615-cgwg7swaja

  • MD5

    ac87ea1feb04a537ded074ed6decc498

  • SHA1

    8b5c2bdc296f36edf81c22f64ae4370b5279e2c3

  • SHA256

    9b3a4e8995b4abd7596009d4d52e156b2d70600084c006d692e83578df3aee16

  • SHA512

    fdf2ef01ec8ad895b1569261890a0612fa1783f4bdcb3b9b60060681c177673e5741aedb0da7c34530dc001dd8e8bb7d8287e209c52ca15891b99b23134f08f1

  • SSDEEP

    12288:WDb7BqrErn/mxx7E6vMJaxKwWoFJm6y2o/Yc4/P2x1AFxUKyurILLcQAf0jRcD4H:WFBrny7d7eqq2Z324XIU5wcPrl+VKW

Malware Config

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Drops startup file

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks