Overview

overview

10

Static

static

3

d40d2f1423...18.exe

windows7-x64

10

d40d2f1423...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    128s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-09-2024 09:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d40d2f142363cdf50cf8a5809fe06eb7_JaffaCakes118.exe

  • Size

    582KB

  • MD5

    d40d2f142363cdf50cf8a5809fe06eb7

  • SHA1

    725c0f65b6a0c83a14b27949d5229eb120a60246

  • SHA256

    bbb11db8a10f64cdcb7ab9a166ac71d32d4df4b604d203321c3c211a818d9538

  • SHA512

    8b2467da1a44fedc663cd88c305ae9a2814b42cac2c7d3846bbf8559ee1362b5b1224fbbc85e32ec870f344636c0e1f4d8657c87cee0c2ecf15a73c2add8970b

  • SSDEEP

    12288:ZUYvwyGooEk6RdT5vmhcvK+/SgfpGlJr3WNa9xHVrBp:eUVDk6RdT5Ohc/ShJaaxR

Score
10/10
agentteslacollectioncredential_accessdiscoveryevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • AgentTesla payload 1 IoCs
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d40d2f142363cdf50cf8a5809fe06eb7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d40d2f142363cdf50cf8a5809fe06eb7_JaffaCakes118.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Windows security modification
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3648
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4968
    • C:\Users\Admin\AppData\Local\Temp\d40d2f142363cdf50cf8a5809fe06eb7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\d40d2f142363cdf50cf8a5809fe06eb7_JaffaCakes118.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • outlook_office_path
      • outlook_win_path
      PID:4408
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2820,i,10369132178352108590,11047993562598554317,262144 --variations-seed-version --mojo-platform-channel-handle=3808 /prefetch:8
    1⤵
      PID:888

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Defense Evasion

    Impair Defenses

    2
    T1562

    Disable or Modify Tools

    2
    T1562.001

    Modify Registry

    3
    T1112

    Virtualization/Sandbox Evasion

    2
    T1497

    Credential Access

    Credentials from Password Stores

    1
    T1555

    Credentials from Web Browsers

    1
    T1555.003

    Unsecured Credentials

    5
    T1552

    Credentials In Files

    4
    T1552.001

    Credentials in Registry

    1
    T1552.002

    Discovery

    Peripheral Device Discovery

    1
    T1120

    Query Registry

    4
    T1012

    System Information Discovery

    2
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Virtualization/Sandbox Evasion

    2
    T1497

    Lateral Movement

    Collection

    Data from Local System

    4
    T1005

    Email Collection

    1
    T1114

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ncscbawf.j2q.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/3648-6-0x0000000074B20000-0x00000000750D1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3648-2-0x0000000074B20000-0x00000000750D1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3648-3-0x0000000074B20000-0x00000000750D1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3648-4-0x0000000074B20000-0x00000000750D1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3648-5-0x0000000074B22000-0x0000000074B23000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3648-1-0x0000000074B20000-0x00000000750D1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3648-59-0x0000000074B20000-0x00000000750D1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3648-0-0x0000000074B22000-0x0000000074B23000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4408-60-0x0000000074B20000-0x00000000750D1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/4408-58-0x0000000074B20000-0x00000000750D1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/4408-57-0x0000000074B20000-0x00000000750D1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/4408-56-0x0000000074B22000-0x0000000074B23000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4408-54-0x0000000000400000-0x000000000045A000-memory.dmp

      Filesize

      360KB

      Download

    • memory/4968-28-0x0000000071870000-0x0000000072020000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4968-44-0x00000000074A0000-0x00000000074AA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4968-20-0x0000000005B70000-0x0000000005EC4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4968-25-0x00000000060F0000-0x000000000610E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4968-26-0x0000000006110000-0x000000000615C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4968-29-0x000000006DD10000-0x000000006DD5C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4968-13-0x0000000005A20000-0x0000000005A86000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4968-27-0x00000000066D0000-0x0000000006702000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4968-41-0x00000000072C0000-0x0000000007363000-memory.dmp

      Filesize

      652KB

      Download

    • memory/4968-40-0x0000000071870000-0x0000000072020000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4968-39-0x00000000066B0000-0x00000000066CE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4968-42-0x0000000007A80000-0x00000000080FA000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/4968-43-0x0000000007430000-0x000000000744A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4968-14-0x0000000005B00000-0x0000000005B66000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4968-45-0x00000000076B0000-0x0000000007746000-memory.dmp

      Filesize

      600KB

      Download

    • memory/4968-46-0x0000000007630000-0x0000000007641000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4968-47-0x0000000007660000-0x000000000766E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4968-48-0x0000000007670000-0x0000000007684000-memory.dmp

      Filesize

      80KB

      Download

    • memory/4968-49-0x0000000007770000-0x000000000778A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4968-50-0x0000000007750000-0x0000000007758000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4968-53-0x0000000071870000-0x0000000072020000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4968-12-0x0000000005120000-0x0000000005142000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4968-11-0x0000000071870000-0x0000000072020000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4968-10-0x0000000071870000-0x0000000072020000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4968-9-0x0000000005290000-0x00000000058B8000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/4968-8-0x00000000027C0000-0x00000000027F6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/4968-7-0x000000007187E000-0x000000007187F000-memory.dmp

      Filesize

      4KB

      Download