General

  • Target

    b8977f0dbeb3062d7172c2b739f37f4c_JaffaCakes118

  • Size

    543KB

  • Sample

    240617-pjxjhazgpb

  • MD5

    b8977f0dbeb3062d7172c2b739f37f4c

  • SHA1

    5311fb7332c54f2ef9618da5fe7d2e45537082af

  • SHA256

    e70c09c47308a13acff17e7e73ae9d2f0d8f697c1e1cf7d02ab786435c0d0d07

  • SHA512

    022af55742b4f948c37fad65607fae70042677f5c34fc679bd143f7c80a6f25f8fa46a4df51acf2852b258761ff8a1753e5a2b4ff9be3fbe6f130e877e5ad834

  • SSDEEP

    12288:ixMjQq3TE4kUsfp2wzKq8sUoeayAq956hMbcIApqBZFMIIc:ix6z44OfpEu7NyAO+MvuqBZFM7

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.pwmtdubai.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    B?S(0YanV<H


Targets

    • Target

      b8977f0dbeb3062d7172c2b739f37f4c_JaffaCakes118

    • Size

      543KB

    • MD5

      b8977f0dbeb3062d7172c2b739f37f4c

    • SHA1

      5311fb7332c54f2ef9618da5fe7d2e45537082af

    • SHA256

      e70c09c47308a13acff17e7e73ae9d2f0d8f697c1e1cf7d02ab786435c0d0d07

    • SHA512

      022af55742b4f948c37fad65607fae70042677f5c34fc679bd143f7c80a6f25f8fa46a4df51acf2852b258761ff8a1753e5a2b4ff9be3fbe6f130e877e5ad834

    • SSDEEP

      12288:ixMjQq3TE4kUsfp2wzKq8sUoeayAq956hMbcIApqBZFMIIc:ix6z44OfpEu7NyAO+MvuqBZFM7

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks