Analysis
-
max time kernel
145s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system -
submitted
17-06-2024 20:10
Static task
static1
Behavioral task
behavioral1
Sample
b9d07b3637c555beadeaaed0cb64851e_JaffaCakes118.ps1
Resource
win7-20240508-en
General
-
Target
b9d07b3637c555beadeaaed0cb64851e_JaffaCakes118.ps1
-
Size
1.8MB
-
MD5
b9d07b3637c555beadeaaed0cb64851e
-
SHA1
d8310fd8cc651d99cec2645b4025600914d47e0b
-
SHA256
3ecbe05c96441e337bd3f253281a51f5a9d1bc94beefcb166b32be88600cec57
-
SHA512
a9de1899e1845caae1381e973c22f1a1b4a88332099430181dfac0174274266d762120134fef543c19493e7e37a98f55b67cc4759fea69ce3b0c3a9a3c80fe84
-
SSDEEP
24576:IikwFvFYM/ec7VHHKXSo7weddTowzcEqhgY0XeeE/Nf3jswrkalxES3:39ZKM6weDF6hMDONf39kSG2
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla payload 3 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2696-28-0x0000000000400000-0x000000000045A000-memory.dmp | family_agenttesla
behavioral1/memory/2696-21-0x0000000000400000-0x000000000045A000-memory.dmp | family_agenttesla
behavioral1/memory/2696-27-0x0000000000400000-0x000000000045A000-memory.dmp | family_agenttesla
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
2052 | gqr.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegAsm.exe
Key opened | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegAsm.exe
Key opened | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegAsm.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\ZizeMHLJHw = "C:\\Users\\Public\\ZizeMHLJHw.vbs" | gqr.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
4 | checkip.amazonaws.com
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
C:\Users\Public\gqr.exe | autoit_exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 2052 set thread context of 2696 | 2052 | gqr.exe | RegAsm.exe
-
Suspicious behavior: EnumeratesProcesses 17 IoCs
Processes:
pid | process
1304 | powershell.exe
2052 | gqr.exe
2696 | RegAsm.exe
2696 | RegAsm.exe
2052 | gqr.exe
2052 | gqr.exe
2052 | gqr.exe
2052 | gqr.exe
2052 | gqr.exe
2052 | gqr.exe
2052 | gqr.exe
2052 | gqr.exe
2052 | gqr.exe
2052 | gqr.exe
2052 | gqr.exe
2052 | gqr.exe
2052 | gqr.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1304 | powershell.exe
Token: SeDebugPrivilege | 2696 | RegAsm.exe
-
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
pid | process
2052 | gqr.exe
2052 | gqr.exe
2052 | gqr.exe
-
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
pid | process
2052 | gqr.exe
2052 | gqr.exe
2052 | gqr.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
2696 | RegAsm.exe
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
description | pid | process | target process
PID 1304 wrote to memory of 2052 | 1304 | powershell.exe | gqr.exe
PID 1304 wrote to memory of 2052 | 1304 | powershell.exe | gqr.exe
PID 1304 wrote to memory of 2052 | 1304 | powershell.exe | gqr.exe
PID 1304 wrote to memory of 2052 | 1304 | powershell.exe | gqr.exe
PID 2052 wrote to memory of 2696 | 2052 | gqr.exe | RegAsm.exe
PID 2052 wrote to memory of 2696 | 2052 | gqr.exe | RegAsm.exe
PID 2052 wrote to memory of 2696 | 2052 | gqr.exe | RegAsm.exe
PID 2052 wrote to memory of 2696 | 2052 | gqr.exe | RegAsm.exe
PID 2052 wrote to memory of 2696 | 2052 | gqr.exe | RegAsm.exe
PID 2052 wrote to memory of 2696 | 2052 | gqr.exe | RegAsm.exe
PID 2052 wrote to memory of 2696 | 2052 | gqr.exe | RegAsm.exe
PID 2052 wrote to memory of 2696 | 2052 | gqr.exe | RegAsm.exe
PID 2052 wrote to memory of 2696 | 2052 | gqr.exe | RegAsm.exe
-
outlook_office_path 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegAsm.exe
-
outlook_win_path 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegAsm.exe
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (process tree level 1)
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\b9d07b3637c555beadeaaed0cb64851e_JaffaCakes118.ps1
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\Users\Public\gqr.exe (process tree level 2)
"C:\Users\Public\gqr.exe"
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (process tree level 3)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:2696
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1.3MB
MD5
89374e026f881905e2a0b9b23e418019
SHA1
89719842e031bdcf1af0a151f27d01a8c47c8f53
SHA256
aa12a4fa654fc07c9fd4d4b98c6b48c353cb6222eb31cc49d02298d028ff0f35
SHA512
12e335f59241714269b29819cc427185a684f20688917afd2e4887b4f4d7cbae545a9ba83f496cb23ab9d48f3cbaa101c20447d5853468b9dd6a82b839806199