Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
07-09-2024 14:18
General
-
Target
d2218e8a847345f48ce6595ba1055e29_JaffaCakes118.exe
-
Size
996KB
-
MD5
d2218e8a847345f48ce6595ba1055e29
-
SHA1
468a985b52d39707425162e2c0a2a854c6e37d04
-
SHA256
48120198618df212b02b4e08c9c7a90aea6b61b831faf373733f47f09c0046f3
-
SHA512
c9d3110b77a56af7b3de8cf4152373f023e0ed86afe5008e6e71205ba84d0cd12bf5b4e3cf4c460276c154f633df271769b9e004ab112286538a00ea5170d884
-
SSDEEP
12288:Ta1SY/r3ESmI+Kd0s1Ke9p69PEAWRrEru722H+VEiaDk3DKsbHP:G13D3ESt+KysksphjK5f
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.fanosethiopiatours.com - Port:
587 - Username:
[email protected] - Password:
OPtamiue007
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d2218e8a847345f48ce6595ba1055e29_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d2218e8a847345f48ce6595ba1055e29_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gBNjJQsJcikp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6CCA.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Local\Temp\d2218e8a847345f48ce6595ba1055e29_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d2218e8a847345f48ce6595ba1055e29_JaffaCakes118.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1284,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=4404 /prefetch:81⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD522c599a6970729b4cf8a9233a3032f27
SHA1af78e98d4e16ac11c087f83cc9eecf2947a2097a
SHA2566e247da4966a20ceb73dd45fdb3794462989986ff30f6d55cac32816c08284be
SHA5126e91289551e2a359885bb9527f380700e188389909274e02f65455af5ad0d3101855881f1999aff617fe80f3380eca7956a0d93acc6bd0c533e0596b329a0a89
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
408KB
-
Filesize
96KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
240KB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
424KB
-
Filesize
40KB
-
Filesize
344KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
624KB
-
Filesize
1016KB