Analysis Overview
SHA256
3ecbe05c96441e337bd3f253281a51f5a9d1bc94beefcb166b32be88600cec57
Threat Level: Known bad
The file b9d07b3637c555beadeaaed0cb64851e_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
AgentTesla
AgentTesla payload
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Reads WinSCP keys stored on the system
Executes dropped EXE
Adds Run key to start application
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
AutoIT Executable
Suspicious use of SetThreadContext
Command and Scripting Interpreter: PowerShell
Suspicious use of FindShellTrayWindow
outlook_office_path
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
outlook_win_path
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-17 20:10
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-17 20:10
Reported
2024-06-17 20:12
Platform
win7-20240508-en
Max time kernel
145s
Max time network
146s
Command Line
Signatures
AgentTesla
AgentTesla payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\gqr.exe | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\ZizeMHLJHw = "C:\\Users\\Public\\ZizeMHLJHw.vbs" | C:\Users\Public\gqr.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.amazonaws.com | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2052 set thread context of 2696 | N/A | C:\Users\Public\gqr.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Public\gqr.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| N/A | N/A | C:\Users\Public\gqr.exe | N/A |
| N/A | N/A | C:\Users\Public\gqr.exe | N/A |
| N/A | N/A | C:\Users\Public\gqr.exe | N/A |
| N/A | N/A | C:\Users\Public\gqr.exe | N/A |
| N/A | N/A | C:\Users\Public\gqr.exe | N/A |
| N/A | N/A | C:\Users\Public\gqr.exe | N/A |
| N/A | N/A | C:\Users\Public\gqr.exe | N/A |
| N/A | N/A | C:\Users\Public\gqr.exe | N/A |
| N/A | N/A | C:\Users\Public\gqr.exe | N/A |
| N/A | N/A | C:\Users\Public\gqr.exe | N/A |
| N/A | N/A | C:\Users\Public\gqr.exe | N/A |
| N/A | N/A | C:\Users\Public\gqr.exe | N/A |
| N/A | N/A | C:\Users\Public\gqr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\gqr.exe | N/A |
| N/A | N/A | C:\Users\Public\gqr.exe | N/A |
| N/A | N/A | C:\Users\Public\gqr.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\gqr.exe | N/A |
| N/A | N/A | C:\Users\Public\gqr.exe | N/A |
| N/A | N/A | C:\Users\Public\gqr.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\b9d07b3637c555beadeaaed0cb64851e_JaffaCakes118.ps1
C:\Users\Public\gqr.exe
"C:\Users\Public\gqr.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | checkip.amazonaws.com | udp |
| IE | 54.194.215.63:80 | checkip.amazonaws.com | tcp |
Files
memory/1304-4-0x000007FEF635E000-0x000007FEF635F000-memory.dmp
memory/1304-5-0x000000001B570000-0x000000001B852000-memory.dmp
memory/1304-7-0x000007FEF60A0000-0x000007FEF6A3D000-memory.dmp
memory/1304-6-0x0000000001D10000-0x0000000001D18000-memory.dmp
memory/1304-8-0x000007FEF60A0000-0x000007FEF6A3D000-memory.dmp
memory/1304-9-0x000007FEF60A0000-0x000007FEF6A3D000-memory.dmp
memory/1304-10-0x000007FEF60A0000-0x000007FEF6A3D000-memory.dmp
C:\Users\Public\gqr.exe
| MD5 | 89374e026f881905e2a0b9b23e418019 |
| SHA1 | 89719842e031bdcf1af0a151f27d01a8c47c8f53 |
| SHA256 | aa12a4fa654fc07c9fd4d4b98c6b48c353cb6222eb31cc49d02298d028ff0f35 |
| SHA512 | 12e335f59241714269b29819cc427185a684f20688917afd2e4887b4f4d7cbae545a9ba83f496cb23ab9d48f3cbaa101c20447d5853468b9dd6a82b839806199 |
memory/1304-16-0x000007FEF60A0000-0x000007FEF6A3D000-memory.dmp
memory/2052-19-0x0000000000160000-0x0000000000161000-memory.dmp
memory/2696-20-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2696-28-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2696-21-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2696-27-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2696-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-17 20:10
Reported
2024-06-17 20:12
Platform
win10v2004-20240226-en
Max time kernel
11s
Max time network
146s
Command Line
Signatures
AgentTesla
AgentTesla payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.amazonaws.com | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\b9d07b3637c555beadeaaed0cb64851e_JaffaCakes118.ps1
C:\Users\Public\xjd.exe
"C:\Users\Public\xjd.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3280 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| GB | 142.250.178.10:443 | tcp | |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| GB | 23.44.234.16:80 | tcp | |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 13.107.253.64:443 | tcp | |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | vikashs-adcoconstruct.com | udp |
| US | 8.8.8.8:53 | checkip.amazonaws.com | udp |
| IE | 34.251.61.44:80 | checkip.amazonaws.com | tcp |
| US | 8.8.8.8:53 | 44.61.251.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.169.36.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.77.117.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | vikashs-adcoconstruct.com | udp |
Files
memory/1448-0-0x00007FFFA5283000-0x00007FFFA5285000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_us1jendn.1mv.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1448-10-0x0000018EEC930000-0x0000018EEC952000-memory.dmp
memory/1448-11-0x00007FFFA5280000-0x00007FFFA5D41000-memory.dmp
memory/1448-12-0x00007FFFA5280000-0x00007FFFA5D41000-memory.dmp
memory/1448-13-0x00007FFFA5280000-0x00007FFFA5D41000-memory.dmp
C:\Users\Public\xjd.exe
| MD5 | 8c8a19edc38f536a22dce68b3cecf415 |
| SHA1 | b74f0dc93d83e994b76e39ebb24b6d74cded43cf |
| SHA256 | a323c9dd45be91d1e2f1a081a42acb173850b0b112c9cb5259409f6293fe39e6 |
| SHA512 | 532cb4637316f1f1555cd9917f6b2e70e5d35ae9cde5404ffe0ee871672bb8ec07b608c6811052a91bc82fdba4e7a733289895b5a5d3cd6a5109e184b606a4e4 |
memory/1448-19-0x00007FFFA5280000-0x00007FFFA5D41000-memory.dmp
C:\Users\Public\xjd.exe
| MD5 | 2eda8db7277e242186dd5f3f4a8eaea6 |
| SHA1 | f839c8ce8b2c1c4b1ab4de972d036d4644e8c277 |
| SHA256 | d509c80a6a5298ce55d9467b807feedb0bce9626149b0e7baae41ff576902529 |
| SHA512 | 0012aaa5910b49bb81848878c97a4fe7c36600195b76278aa86ed25fdef41ad68d2c646b69398453a98dbb5a7b537634685fe4c38f41aba08353a9a006420b71 |
memory/2644-23-0x0000000001500000-0x0000000001501000-memory.dmp
memory/3884-24-0x0000000000400000-0x000000000045A000-memory.dmp
memory/3884-29-0x0000000074352000-0x0000000074353000-memory.dmp
memory/3884-30-0x0000000074350000-0x0000000074901000-memory.dmp
memory/3884-31-0x0000000074350000-0x0000000074901000-memory.dmp
memory/3884-32-0x0000000074352000-0x0000000074353000-memory.dmp
memory/3884-33-0x0000000074350000-0x0000000074901000-memory.dmp
memory/3884-40-0x0000000074350000-0x0000000074901000-memory.dmp