General

  • Target

    b86b31be2021cf44db48e840e592df4a_JaffaCakes118

  • Size

    452KB

  • Sample

    240617-nsd8vayfmc

  • MD5

    b86b31be2021cf44db48e840e592df4a

  • SHA1

    72ac05728de00f6f7ab8afe767cfa1b027ee29b6

  • SHA256

    41f0fd82d49d076b8a0ddc92cf20ca2088c26d5c7c271ef21354b55d9434fa80

  • SHA512

    c6a0cb1bf02b2a65003674ddc32a02064ec013e25a31cc0aaf759a67bb47eb5542cef3b104a59f168d224b05024236d42bf7ffa454c604286b063bf6d9b00c59

  • SSDEEP

    12288:2p09U6DlxuRgMyBsiFJY6kHVSQAgvD3W1vsGERwh4:2aC65ERgMgsyJzCVZDG1vsGEOu

Malware Config

Targets

    • Target

      Item list.exe

    • Size

      824KB

    • MD5

      4ab37170a0891f9679ec726e106436f8

    • SHA1

      6b47daea0961a178c46856572fe85990334977c2

    • SHA256

      c50e9e99a365c6770569ca96ac2482b3bd82f946d41946e836a010ca429a7a4d

    • SHA512

      51bd33190f5b3b0eacbdfa61f90c21e62e9b168ece5f88504eb8acc6a71c469a824f59fb7ac612d16c4c9f1a5df88ae432989adb927efe7f003dfc62559c7234

    • SSDEEP

      12288:AY2SRgOu9uO2dm4rqoXa3p11fSxNXie7nG1nBsrwE9t/3a2pMsI4d:AxSJvObTV370xJaBqwC3lMkd

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • AgentTesla payload

    • Drops startup file

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks