General
-
Target
d6c086bd2cb9f0bad442d057fb922d76_JaffaCakes118
-
Size
1012KB
-
Sample
240909-vkzyxazblr
-
MD5
d6c086bd2cb9f0bad442d057fb922d76
-
SHA1
c6d62de15313918968ca2de3cd4233d2177fa848
-
SHA256
753aad9e9c12de41f51b1316c4aa6b50c3f359f12b09a72ece99bd6cce2e6537
-
SHA512
869757a0bd7852656c0694564dc21cd577a90b6cfa1c67bad3db61288bd951b55969e62b24f7e0ddad516bf98c7b046b20a95535a637650d9cef0b8b03faac9b
-
SSDEEP
12288:hEt8ZPcBLP41FUCtmHlgDvq7BOTszKS6mCZ0e8kcJ+:hEt8a5gbUFHA0By0e5cJ+
Malware Config
Targets
-
-
Target
d6c086bd2cb9f0bad442d057fb922d76_JaffaCakes118
-
Size
1012KB
-
MD5
d6c086bd2cb9f0bad442d057fb922d76
-
SHA1
c6d62de15313918968ca2de3cd4233d2177fa848
-
SHA256
753aad9e9c12de41f51b1316c4aa6b50c3f359f12b09a72ece99bd6cce2e6537
-
SHA512
869757a0bd7852656c0694564dc21cd577a90b6cfa1c67bad3db61288bd951b55969e62b24f7e0ddad516bf98c7b046b20a95535a637650d9cef0b8b03faac9b
-
SSDEEP
12288:hEt8ZPcBLP41FUCtmHlgDvq7BOTszKS6mCZ0e8kcJ+:hEt8a5gbUFHA0By0e5cJ+
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Event Triggered Execution
1Installer Packages
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Event Triggered Execution
1Installer Packages
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
5Credentials In Files
4Credentials in Registry
1