General
Target: b86b4604ed6bc8380270cd7112cd32db_JaffaCakes118
Size: 631KB
Sample: 240617-nsgnzatajl
MD5: b86b4604ed6bc8380270cd7112cd32db
SHA1: 7bbe4e8a733aa0d0964aed6b41189caaab37af18
SHA256: 0aaab83e4ee1cbef96eb1c99008d6dac63984bcf663dbcca882642c306ad1247
SHA512: 37841887a4a9ef7139e5e00efcdd9380773c0887b5947c38e8ebc1416f7299afac3b7d476b9874048311ed0eb11fe008c9faa1b311d06ee2de8ee384c3d47b01
SSDEEP: 12288:9VNKM9DrvTSo33XBqrXqi23QSUiG0wJ7ZnNXN72BDsdbB6ywegXp0lZBCog30m85:f9DrTx33X6hS7GFNh2BQdQywyIxo
Static task: static1
Behavioral task: behavioral1
  Sample: AWB_SHIPPING_DOC_SCAN11082020 PD.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: AWB_SHIPPING_DOC_SCAN11082020 PD.exe
  Resource: win10v2004-20240508-en
Malware Config
Extracted
Protocol: smtp
Host: smtp.yandex.com
Port: 587
Username: [email protected]
Password: themanisgood
Targets
Target: AWB_SHIPPING_DOC_SCAN11082020 PD.exe
Size: 878KB
MD5: 0727f8ac55ce1e6adbe159d54f42f29a
SHA1: 4a4d49c35be4a2e575d7b9aa5a05fd39f52000f6
SHA256: 35cf2685398fc142eba79d01a6c2529c29a0f69b058108e80f8be8ed8dec3a59
SHA512: 7e67a5b33528dc371b52ea6f0cfd5fc994dff339f8d38209f033c3e20d1a0a44475df4ac06c547b47fc3433458d5d9ee3881b7aa1aebd0e727e6e5f420b583e8
SSDEEP: 12288:BRnLvZb2uUPQxLfIAuXC8Yfc37Ze/B8AU6PB0lMfJ5FB+FofbP7r9r/+pppppppn:vnpfCQxjIWErsZ8/6PEcfB5fb1q
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla payload
- Checks computer location settings: looks up the country code configured in the registry, likely for geofencing.
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)