General
- Target: b8977f0dbeb3062d7172c2b739f37f4c_JaffaCakes118
- Size: 543KB
- Sample: 240617-pjxjhazgpb
- MD5: b8977f0dbeb3062d7172c2b739f37f4c
- SHA1: 5311fb7332c54f2ef9618da5fe7d2e45537082af
- SHA256: e70c09c47308a13acff17e7e73ae9d2f0d8f697c1e1cf7d02ab786435c0d0d07
- SHA512: 022af55742b4f948c37fad65607fae70042677f5c34fc679bd143f7c80a6f25f8fa46a4df51acf2852b258761ff8a1753e5a2b4ff9be3fbe6f130e877e5ad834
- SSDEEP: 12288:ixMjQq3TE4kUsfp2wzKq8sUoeayAq956hMbcIApqBZFMIIc:ix6z44OfpEu7NyAO+MvuqBZFM7
Static task
- static1
Behavioral tasks
- behavioral1: Sample b8977f0dbeb3062d7172c2b739f37f4c_JaffaCakes118.exe, Resource win7-20240419-en
- behavioral2: Sample b8977f0dbeb3062d7172c2b739f37f4c_JaffaCakes118.exe, Resource win10v2004-20240611-en
Malware Config
Extracted (agenttesla)
- Protocol: smtp
- Host: mail.pwmtdubai.com
- Port: 587
- Username: [email protected]
- Password: B?S(0YanV<H
Targets
- Target: b8977f0dbeb3062d7172c2b739f37f4c_JaffaCakes118
Signatures
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla payload
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)