Malware Analysis Report

2024-11-13 14:21

Sample ID 240617-yxp61ssdme
Target b9d07b3637c555beadeaaed0cb64851e_JaffaCakes118
SHA256 3ecbe05c96441e337bd3f253281a51f5a9d1bc94beefcb166b32be88600cec57
Tags
agenttesla collection execution keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3ecbe05c96441e337bd3f253281a51f5a9d1bc94beefcb166b32be88600cec57

Threat Level: Known bad

The file b9d07b3637c555beadeaaed0cb64851e_JaffaCakes118 was found to be: Known bad.

Summary of the recorded behaviour (drawn from the detonation tables below, not from the sandbox's own verdict text): the sample is a PowerShell script run with -ExecutionPolicy bypass. On Windows 7 it drops and runs C:\Users\Public\gqr.exe, which starts C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe with no arguments (a legitimate RegAsm.exe invocation always carries an assembly path), writes into it nine times and then calls SetThreadContext on it, a sequence consistent with process hollowing. The Outlook profile reads, the SetWindowsHookEx call and the SeDebugPrivilege request are all attributed to that RegAsm.exe process; the browser, email, FTP and WinSCP credential signatures fired without a process being recorded. Persistence is a Run value ZizeMHLJHw pointing at C:\Users\Public\ZizeMHLJHw.vbs (the .vbs itself is not among the captured files), and the only network activity in that run is the external IP lookup against checkip.amazonaws.com. On Windows 10 the dropped file is C:\Users\Public\xjd.exe (written twice with different content), RegAsm.exe is again started and the same 0x400000-0x45A000 region is dumped from PID 3884, but no injection, persistence or credential-access signatures fired, a DNS query for vikashs-adcoconstruct.com was seen without a connection, and the run ended after 11 s of kernel time. The Windows 7 run is therefore the one that shows the full payload.

Malicious Activity Summary

agenttesla collection execution keylogger persistence spyware stealer trojan

AgentTesla

AgentTesla payload

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Reads WinSCP keys stored on the system

Executes dropped EXE

Adds Run key to start application

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

AutoIT Executable

Suspicious use of SetThreadContext

Command and Scripting Interpreter: PowerShell

Suspicious use of FindShellTrayWindow

outlook_office_path

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

outlook_win_path

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15 technique mapping, derived by the editor from the signatures listed in this report:

T1059.001 Command and Scripting Interpreter: PowerShell (powershell.exe -ExecutionPolicy bypass -File ...)
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys (Run\ZizeMHLJHw)
T1055 Process Injection, consistent with T1055.012 Process Hollowing (WriteProcessMemory and SetThreadContext from gqr.exe into RegAsm.exe)
T1056.001 Input Capture: Keylogging (SetWindowsHookEx in RegAsm.exe)
T1555.003 Credentials from Password Stores: Credentials from Web Browsers
T1114.001 Email Collection: Local Email Collection (Outlook profile keys)
T1552.001 Unsecured Credentials: Credentials In Files (FTP client data files, WinSCP keys)
T1016 System Network Configuration Discovery (external IP lookup via checkip.amazonaws.com)
T1057 Process Discovery (EnumeratesProcesses)

Analysis: static1

Detonation Overview

Reported

2024-06-17 20:10

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 20:10

Reported

2024-06-17 20:12

Platform

win7-20240508-en

Max time kernel

145s

Max time network

146s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\b9d07b3637c555beadeaaed0cb64851e_JaffaCakes118.ps1

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A (3 matches; no indicator, process or target recorded)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Public\gqr.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

The three paths are the MAPI profile stores for Outlook 2016 (16.0), Outlook 2013 (15.0) and the legacy Windows Messaging Subsystem location; the 9375CFF0413111d3B88A00104B2A6676 subkey holds the account settings (server, user name and related values) that AgentTesla harvests. The reads come from the injected RegAsm.exe, not from the dropper.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\ZizeMHLJHw = "C:\\Users\\Public\\ZizeMHLJHw.vbs" C:\Users\Public\gqr.exe N/A

The Run value is written by the dropper and points at a .vbs in C:\Users\Public; that script does not appear in the Files list for this run, so its content was not captured.

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.amazonaws.com N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2052 set thread context of 2696 N/A C:\Users\Public\gqr.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Public\gqr.exe N/A (3 events)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Public\gqr.exe N/A (3 events)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1304 wrote to memory of 2052 (4 events) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Public\gqr.exe
PID 2052 wrote to memory of 2696 (9 events) N/A C:\Users\Public\gqr.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

The writes from powershell.exe into gqr.exe occur as that child is created and are not followed by a SetThreadContext. The nine writes from gqr.exe into RegAsm.exe are (see "Suspicious use of SetThreadContext" above), and RegAsm.exe having been started without an assembly path is the tell that the host was chosen for injection rather than used for its real job.

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\b9d07b3637c555beadeaaed0cb64851e_JaffaCakes118.ps1

C:\Users\Public\gqr.exe

"C:\Users\Public\gqr.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
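The chain in the signature and process tables above (PowerShell with the policy bypass, gqr.exe from C:\Users\Public, WriteProcessMemory followed by SetThreadContext into an argument-less RegAsm.exe, the Run value, the Outlook profile read) expressed as detection rules over EDR-style events. This is an added example, not code from the sandbox or from the report: the Event record layout, the rule names and the event kinds are this example's own assumptions, while the PIDs, image paths, write counts and registry keys are copied from the behavioral1 tables.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DROPPER = r"C:\Users\Public\gqr.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
SID = r"\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000"
OUTLOOK_PROFILE_GUID = "9375CFF0413111d3B88A00104B2A6676"   # MAPI account-store subkey


@dataclass
class Event:
    # Hypothetical EDR schema: process | write_memory | set_thread_context | reg_set | reg_open
    kind: str
    pid: int
    image: str
    data: dict = field(default_factory=dict)


# Constructed replay of the behavioral1 tables: same PIDs, images, counts and keys.
EVENTS = [
    Event("process", 1304, PS, {"ppid": 0, "cmdline": "powershell.exe -ExecutionPolicy bypass -File "
          r"C:\Users\Admin\AppData\Local\Temp\b9d07b3637c555beadeaaed0cb64851e_JaffaCakes118.ps1"}),
    Event("process", 2052, DROPPER, {"ppid": 1304, "cmdline": f'"{DROPPER}"'}),
    Event("process", 2696, REGASM, {"ppid": 2052, "cmdline": f'"{REGASM}"'}),
    *[Event("write_memory", 1304, PS, {"target": 2052}) for _ in range(4)],
    *[Event("write_memory", 2052, DROPPER, {"target": 2696}) for _ in range(9)],
    Event("set_thread_context", 2052, DROPPER, {"target": 2696}),
    Event("reg_set", 2052, DROPPER,
          {"key": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\ZizeMHLJHw",
           "value": r"C:\Users\Public\ZizeMHLJHw.vbs"}),
    Event("reg_open", 2696, REGASM,
          {"key": SID + r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"}),
]

BYPASS_RE = re.compile(r"-(?:executionpolicy|ep)\s+bypass", re.IGNORECASE)
SCRIPT_EXT = (".vbs", ".js", ".ps1", ".bat", ".cmd", ".hta")


def in_public(path: str) -> bool:
    return path.lower().startswith("c:\\users\\public\\")


def analyze(events):
    procs = {e.pid: e for e in events if e.kind == "process"}
    writes = defaultdict(int)
    ctx = set()
    for e in events:
        if e.kind == "write_memory":
            writes[(e.pid, e.data["target"])] += 1
        elif e.kind == "set_thread_context":
            ctx.add((e.pid, e.data["target"]))

    findings, hollowed = [], set()

    # Rule 1: a parent writes into a child it created and then rewrites the child's
    # thread context. The 1304 -> 2052 writes alone never fire because no
    # SetThreadContext follows them. A framework host started with no arguments
    # (RegAsm.exe always takes an assembly path) is flagged alongside.
    for src, dst in ctx:
        child = procs.get(dst)
        if child and child.data["ppid"] == src and writes[(src, dst)]:
            hollowed.add(dst)
            findings.append({"rule": "hollowing", "source": src, "target": dst,
                             "writes": writes[(src, dst)],
                             "no_args_host": child.data["cmdline"].strip('"') == child.image})

    # Rule 2: PowerShell run with the policy bypass spawning an executable out of
    # C:\Users\Public, a world-writable directory no installer uses.
    for p in procs.values():
        parent = procs.get(p.data["ppid"])
        if parent and BYPASS_RE.search(parent.data["cmdline"]) and in_public(p.image):
            findings.append({"rule": "bypass_spawn_public", "pid": p.pid, "image": p.image})

    # Rules 3 and 4: Run-key persistence pointing at a script (or anything in
    # Public), and an injected host reading the Outlook MAPI profile store.
    for e in events:
        if e.kind == "reg_set" and "\\currentversion\\run\\" in e.data["key"].lower():
            v = e.data["value"]
            if in_public(v) or v.lower().endswith(SCRIPT_EXT):
                findings.append({"rule": "run_key_script", "pid": e.pid, "value": v})
        elif e.kind == "reg_open" and OUTLOOK_PROFILE_GUID in e.data["key"] and e.pid in hollowed:
            findings.append({"rule": "outlook_profile_from_injected", "pid": e.pid})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f)
```

Rule 1 is the one worth keeping in production: WriteProcessMemory into a freshly created child followed by SetThreadContext on it, with the child being a signed Microsoft binary launched with no arguments, is a low-noise hollowing detector; the Run-key and Public-directory rules are cheap corroboration. Dropping the single set_thread_context event from EVENTS removes both the hollowing finding and the Outlook finding that depends on it, which is the intended behaviour: a profile read by an un-injected RegAsm.exe would need its own rule.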

Network

Country Destination Domain Proto
US 8.8.8.8:53 checkip.amazonaws.com udp
IE 54.194.215.63:80 checkip.amazonaws.com tcp

Files

memory/1304-4-0x000007FEF635E000-0x000007FEF635F000-memory.dmp

memory/1304-5-0x000000001B570000-0x000000001B852000-memory.dmp

memory/1304-7-0x000007FEF60A0000-0x000007FEF6A3D000-memory.dmp

memory/1304-6-0x0000000001D10000-0x0000000001D18000-memory.dmp

memory/1304-8-0x000007FEF60A0000-0x000007FEF6A3D000-memory.dmp

memory/1304-9-0x000007FEF60A0000-0x000007FEF6A3D000-memory.dmp

memory/1304-10-0x000007FEF60A0000-0x000007FEF6A3D000-memory.dmp

C:\Users\Public\gqr.exe

MD5 89374e026f881905e2a0b9b23e418019
SHA1 89719842e031bdcf1af0a151f27d01a8c47c8f53
SHA256 aa12a4fa654fc07c9fd4d4b98c6b48c353cb6222eb31cc49d02298d028ff0f35
SHA512 12e335f59241714269b29819cc427185a684f20688917afd2e4887b4f4d7cbae545a9ba83f496cb23ab9d48f3cbaa101c20447d5853468b9dd6a82b839806199

memory/1304-16-0x000007FEF60A0000-0x000007FEF6A3D000-memory.dmp

memory/2052-19-0x0000000000160000-0x0000000000161000-memory.dmp

memory/2696-20-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2696-28-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2696-21-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2696-27-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2696-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 20:10

Reported

2024-06-17 20:12

Platform

win10v2004-20240226-en

Max time kernel

11s

Max time network

146s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\b9d07b3637c555beadeaaed0cb64851e_JaffaCakes118.ps1

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.amazonaws.com N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\b9d07b3637c555beadeaaed0cb64851e_JaffaCakes118.ps1

C:\Users\Public\xjd.exe

"C:\Users\Public\xjd.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3280 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8

This is a standard Edge utility-process launch; no signature or parent relationship in this report ties it to the sample, so treat it as background activity of the Windows 10 image unless other evidence says otherwise.

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
GB 142.250.178.10:443 tcp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
GB 23.44.234.16:80 tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 vikashs-adcoconstruct.com udp
US 8.8.8.8:53 checkip.amazonaws.com udp
IE 34.251.61.44:80 checkip.amazonaws.com tcp
US 8.8.8.8:53 44.61.251.34.in-addr.arpa udp
US 8.8.8.8:53 215.169.36.23.in-addr.arpa udp
US 8.8.8.8:53 187.77.117.104.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 114.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 vikashs-adcoconstruct.com udp
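Triage of the Network table above: the in-addr.arpa rows are reverse lookups the OS issues for addresses it has already contacted, 8.8.8.8:53 is the sandbox resolver, checkip.amazonaws.com is a legitimate service that AgentTesla calls to learn the victim's public IP, and only the remaining domain is a candidate indicator, and even that one was only resolved, never connected to. This is an added example, not part of the report: the table text is copied verbatim from it, while the category names and the PUBLIC_IP_CHECKERS list are this example's own.

```python
import re

# Copy of the behavioral2 Network table (Country Destination Domain Proto); the
# three-field rows are TCP connections with no domain recorded.
NETWORK_TABLE = """\
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
GB 142.250.178.10:443 tcp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
GB 23.44.234.16:80 tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 vikashs-adcoconstruct.com udp
US 8.8.8.8:53 checkip.amazonaws.com udp
IE 34.251.61.44:80 checkip.amazonaws.com tcp
US 8.8.8.8:53 44.61.251.34.in-addr.arpa udp
US 8.8.8.8:53 215.169.36.23.in-addr.arpa udp
US 8.8.8.8:53 187.77.117.104.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 114.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 vikashs-adcoconstruct.com udp
"""

# Services stealers call to learn the victim's public IP. They are not malicious,
# so they are reported as context rather than as indicators to block; the useful
# detection is "which process asked", which this table does not record.
PUBLIC_IP_CHECKERS = {"checkip.amazonaws.com", "api.ipify.org", "icanhazip.com", "ifconfig.me"}


def parse_rows(text):
    """Turn the flattened table into dicts; rows without a domain get domain=''."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def reverse_ptr_to_ip(name):
    """'44.61.251.34.in-addr.arpa' -> '34.251.61.44'; None if not a PTR name."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa", name)
    return ".".join(reversed(m.groups())) if m else None


def triage(rows):
    connected = {r["domain"] for r in rows if r["proto"] == "tcp" and r["domain"]}
    out = {"ioc": {}, "context": set(), "background": set(), "unattributed": set()}
    for r in rows:
        d = r["domain"]
        if d.endswith(".in-addr.arpa"):
            # PTR lookups for addresses already contacted; keep the reversed IP so
            # it can be matched against the TCP rows (34.251.61.44 is checkip's).
            out["background"].add(reverse_ptr_to_ip(d))
        elif d in PUBLIC_IP_CHECKERS:
            out["context"].add(d)
        elif d:
            # A domain something in the VM resolved. Record whether a connection
            # followed: a lookup-only entry is still worth hunting for in DNS logs
            # but says nothing about the C2 protocol or port.
            out["ioc"][d] = d in connected
        elif r["proto"] == "tcp":
            # TCP with no domain cannot be attributed to the sample from this table.
            out["unattributed"].add(f"{r['ip']}:{r['port']}")
    return out


if __name__ == "__main__":
    for category, items in triage(parse_rows(NETWORK_TABLE)).items():
        print(category, items)
```

The split matters when the report is turned into blocklist entries: pushing 8.8.8.8, the reversed PTR addresses or checkip.amazonaws.com into a blocklist would cause outages and catch nothing, while vikashs-adcoconstruct.com is the one name that belongs in a DNS hunt, with the caveat that no connection to it was observed here.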

Files

memory/1448-0-0x00007FFFA5283000-0x00007FFFA5285000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_us1jendn.1mv.ps1

(Written by PowerShell itself at startup to probe the AppLocker/WDAC script policy; a normal artifact of any PowerShell launch, not a file dropped by the sample.)

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1448-10-0x0000018EEC930000-0x0000018EEC952000-memory.dmp

memory/1448-11-0x00007FFFA5280000-0x00007FFFA5D41000-memory.dmp

memory/1448-12-0x00007FFFA5280000-0x00007FFFA5D41000-memory.dmp

memory/1448-13-0x00007FFFA5280000-0x00007FFFA5D41000-memory.dmp

C:\Users\Public\xjd.exe

MD5 8c8a19edc38f536a22dce68b3cecf415
SHA1 b74f0dc93d83e994b76e39ebb24b6d74cded43cf
SHA256 a323c9dd45be91d1e2f1a081a42acb173850b0b112c9cb5259409f6293fe39e6
SHA512 532cb4637316f1f1555cd9917f6b2e70e5d35ae9cde5404ffe0ee871672bb8ec07b608c6811052a91bc82fdba4e7a733289895b5a5d3cd6a5109e184b606a4e4

memory/1448-19-0x00007FFFA5280000-0x00007FFFA5D41000-memory.dmp

C:\Users\Public\xjd.exe (the same path written a second time with different content; both sets of hashes are listed)

MD5 2eda8db7277e242186dd5f3f4a8eaea6
SHA1 f839c8ce8b2c1c4b1ab4de972d036d4644e8c277
SHA256 d509c80a6a5298ce55d9467b807feedb0bce9626149b0e7baae41ff576902529
SHA512 0012aaa5910b49bb81848878c97a4fe7c36600195b76278aa86ed25fdef41ad68d2c646b69398453a98dbb5a7b537634685fe4c38f41aba08353a9a006420b71

memory/2644-23-0x0000000001500000-0x0000000001501000-memory.dmp

memory/3884-24-0x0000000000400000-0x000000000045A000-memory.dmp

memory/3884-29-0x0000000074352000-0x0000000074353000-memory.dmp

memory/3884-30-0x0000000074350000-0x0000000074901000-memory.dmp

memory/3884-31-0x0000000074350000-0x0000000074901000-memory.dmp

memory/3884-32-0x0000000074352000-0x0000000074353000-memory.dmp

memory/3884-33-0x0000000074350000-0x0000000074901000-memory.dmp

memory/3884-40-0x0000000074350000-0x0000000074901000-memory.dmp