General

  • Target

    bc8c9c47fbc12ecf67d1d2db3945475c_JaffaCakes118

  • Size

    928KB

  • Sample

    240618-sb8tcasgmn

  • MD5

    bc8c9c47fbc12ecf67d1d2db3945475c

  • SHA1

    206b5978993ebe4c257a9fb4d020589468118d44

  • SHA256

    1371ed0e3652cdad077d790e54feec632246b2c457ce225a7536b0fb9d4489d7

  • SHA512

    3ea78baee9f493de47f5b746525e9e68919bda31654c15acadc18957ecfa50f6193d4bc35db8fdc3d1c46e65b7fe8d38a00dd72b3181f23f0ef48a45182ff1eb

  • SSDEEP

    24576:M5/eqDVN7IQhqbY82pVNjEFG1+2zLwfaUm:MVeqx6QhqYXtEFdA

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol: smtp
  • Host: smtp.yandex.com
  • Port: 587
  • Username: [email protected]
  • Password: kissme4eva

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Accesses Microsoft Outlook profiles

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks