General

  • Target

    bbbf865eac7a009891e4311dfb6062d0_JaffaCakes118

  • Size

    613KB

  • Sample

    240618-nvhztawelr

  • MD5

    bbbf865eac7a009891e4311dfb6062d0

  • SHA1

    4d10d4f94103f9c2392fe7599575487f883bf68d

  • SHA256

    4ec6f33aed9997c5ae03f1738402336ec6f54ad0e68ccf969d0e0457785f8c76

  • SHA512

    10aa4f7a6f670f8a3832dd7e8d0d28260eaaf425ae951c397137618e5506e6e486f99a4d3d32b88295e011c8f59a15ec9194e3b4d37c86edc8479a5d1bb39b3e

  • SSDEEP

    12288:05gKWEazkvO/vTm9h93h57ZawmLTFZIChfMrJe/ru+qwF7iLP519lnbuf:0dW37vK9hvawSZIPJoru+Zq/H+

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.flood-protection.org
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    scott2424@

Targets

    • Target

      solution fighting COVID-19_pdf.exe

    • Size

      1.0MB

    • MD5

      9664f1824f7ca683723c94c7d543e554

    • SHA1

      7a49299ed5124cc0305ef270ed003c3bf8cd5996

    • SHA256

      c1e5a204723efe860b161729d087dd50111eba4ab2ad1bc8c2584a2ac888f6f8

    • SHA512

      8adba29cca1f5a0bbe7578a08c96aea7edd83eaefe941264c705b96f8fec7c27e40ac0ff2b79a2594032cbbd64c00346a5613fae38ccc9f0995ac34943f0531e

    • SSDEEP

      24576:+WDwYdxITUmT5ekNRFNQERuDLAsw9NtZcRgHWX3VMAYtL:+ZzUkBRMGuPl4NSvX3VdA

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • Event Triggered Execution (T1546): 1
    • Netsh Helper DLL (T1546.007): 1

Privilege Escalation

  • Event Triggered Execution (T1546): 1
    • Netsh Helper DLL (T1546.007): 1

Credential Access

  • Unsecured Credentials (T1552): 4
    • Credentials In Files (T1552.001): 3
    • Credentials in Registry (T1552.002): 1

Collection

  • Data from Local System (T1005): 4
  • Email Collection (T1114): 1

Tasks