General
-
Target
c3a6abd0693f51c606a76e17f84d29a0_JaffaCakes118
-
Size
3.6MB
-
Sample
240826-xxrt6s1aqc
-
MD5
c3a6abd0693f51c606a76e17f84d29a0
-
SHA1
86a54e72adf557aa38eb80bbece222f48cfaa99e
-
SHA256
99b1b22055fc3b65d41897f793b391692268773a7a316cb7afa88c7493c7bcbc
-
SHA512
27a0e3ee1fd222d66a62fcca12e04e8d603be79fe80fb05a9feb9832645af767dd9f06847854593b052d6241d6c13f423aa8b6ec779cb34e166a0d4cd485617a
-
SSDEEP
12288:MKVACoT+xvT3hUNKEfM5DV4g+Uiyb9nkSOxeQ7vA8SrokzQvnKs/4SowmmKa1gcR:nuZrgHhnHENScLvKs/4SJBxTha8MGpn
Behavioral task
behavioral1
Sample
c3a6abd0693f51c606a76e17f84d29a0_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
c3a6abd0693f51c606a76e17f84d29a0_JaffaCakes118.exe
Resource
win10v2004-20240802-en
Malware Config
Targets
-
-
Target
c3a6abd0693f51c606a76e17f84d29a0_JaffaCakes118
-
Size
3.6MB
-
MD5
c3a6abd0693f51c606a76e17f84d29a0
-
SHA1
86a54e72adf557aa38eb80bbece222f48cfaa99e
-
SHA256
99b1b22055fc3b65d41897f793b391692268773a7a316cb7afa88c7493c7bcbc
-
SHA512
27a0e3ee1fd222d66a62fcca12e04e8d603be79fe80fb05a9feb9832645af767dd9f06847854593b052d6241d6c13f423aa8b6ec779cb34e166a0d4cd485617a
-
SSDEEP
12288:MKVACoT+xvT3hUNKEfM5DV4g+Uiyb9nkSOxeQ7vA8SrokzQvnKs/4SowmmKa1gcR:nuZrgHhnHENScLvKs/4SJBxTha8MGpn
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
5Credentials In Files
4Credentials in Registry
1