General

  • Target

    b86b4604ed6bc8380270cd7112cd32db_JaffaCakes118

  • Size

    631KB

  • Sample

    240617-nsgnzatajl

  • MD5

    b86b4604ed6bc8380270cd7112cd32db

  • SHA1

    7bbe4e8a733aa0d0964aed6b41189caaab37af18

  • SHA256

    0aaab83e4ee1cbef96eb1c99008d6dac63984bcf663dbcca882642c306ad1247

  • SHA512

    37841887a4a9ef7139e5e00efcdd9380773c0887b5947c38e8ebc1416f7299afac3b7d476b9874048311ed0eb11fe008c9faa1b311d06ee2de8ee384c3d47b01

  • SSDEEP

    12288:9VNKM9DrvTSo33XBqrXqi23QSUiG0wJ7ZnNXN72BDsdbB6ywegXp0lZBCog30m85:f9DrTx33X6hS7GFNh2BQdQywyIxo

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    themanisgood

Targets

    • Target

      AWB_SHIPPING_DOC_SCAN11082020 PD.exe

    • Size

      878KB

    • MD5

      0727f8ac55ce1e6adbe159d54f42f29a

    • SHA1

      4a4d49c35be4a2e575d7b9aa5a05fd39f52000f6

    • SHA256

      35cf2685398fc142eba79d01a6c2529c29a0f69b058108e80f8be8ed8dec3a59

    • SHA512

      7e67a5b33528dc371b52ea6f0cfd5fc994dff339f8d38209f033c3e20d1a0a44475df4ac06c547b47fc3433458d5d9ee3881b7aa1aebd0e727e6e5f420b583e8

    • SSDEEP

      12288:BRnLvZb2uUPQxLfIAuXC8Yfc37Ze/B8AU6PB0lMfJ5FB+FofbP7r9r/+pppppppn:vnpfCQxjIWErsZ8/6PEcfB5fb1q

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks