Analysis

  • max time kernel
    116s
  • max time network
    99s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-09-2024 22:07

General

  • Target

    defc91ac80fb820761b7187efd5d1007_JaffaCakes118.exe

  • Size

    763KB

  • MD5

    defc91ac80fb820761b7187efd5d1007

  • SHA1

    ef83b8b97d935b9612ba3676dcb744710db2bde1

  • SHA256

    d0c9890950968fc4d2c9c7c5f5f71b1425ce9f501bfaf05f010131c4df690f88

  • SHA512

    9db63ce18044a27289a6362789c6a0a50c58f18826fafef650d701e0406cc23290c9f065fd27e1f030a1122578b112ff24e1ba629cc3ec6d5d46a45b4f9fdaa2

  • SSDEEP

    12288:uuP5UcKgQvHN7LtEY+iHCYHSuqrCt1OkwV3Hntt0DSFlw+0fIdREu:uu7Kg0LtEGCySQt1hwV3HnllwI

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.1and1.es
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    sug3sol3

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • AgentTesla payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\defc91ac80fb820761b7187efd5d1007_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\defc91ac80fb820761b7187efd5d1007_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:744
    • C:\Users\Admin\AppData\Local\Temp\defc91ac80fb820761b7187efd5d1007_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\defc91ac80fb820761b7187efd5d1007_JaffaCakes118.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4416

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\defc91ac80fb820761b7187efd5d1007_JaffaCakes118.exe.log
    • Filesize: 1KB
    • MD5: e7473990edf901c1e1bef76f6095f55b
    • SHA1: f03b370492bbcc5280982886f9688eb8da762c8f
    • SHA256: 5fea4747d97c0dbc097902818ae754eaca7214913a52d3bb1372a6274ce0292a
    • SHA512: ab93f14371dfae858bbad7d98c95055186f60b30937057f71b3d1ad17ab08b5ab7820a33bc5b3e74c485ec38e6b7a1772077add591d313175c10b4ff94bcb689

  • memory/744-10-0x00000000749A0000-0x0000000075150000-memory.dmp (Filesize: 7.7MB)
  • memory/744-16-0x00000000749A0000-0x0000000075150000-memory.dmp (Filesize: 7.7MB)
  • memory/744-3-0x0000000007DB0000-0x0000000008354000-memory.dmp (Filesize: 5.6MB)
  • memory/744-4-0x00000000749A0000-0x0000000075150000-memory.dmp (Filesize: 7.7MB)
  • memory/744-5-0x00000000078A0000-0x0000000007932000-memory.dmp (Filesize: 584KB)
  • memory/744-6-0x00000000049D0000-0x00000000049DA000-memory.dmp (Filesize: 40KB)
  • memory/744-7-0x0000000007A30000-0x0000000007A86000-memory.dmp (Filesize: 344KB)
  • memory/744-11-0x0000000000E90000-0x0000000000EFA000-memory.dmp (Filesize: 424KB)
  • memory/744-9-0x00000000749AE000-0x00000000749AF000-memory.dmp (Filesize: 4KB)
  • memory/744-2-0x0000000007660000-0x00000000076FC000-memory.dmp (Filesize: 624KB)
  • memory/744-8-0x0000000007AD0000-0x0000000007ADA000-memory.dmp (Filesize: 40KB)
  • memory/744-0-0x00000000749AE000-0x00000000749AF000-memory.dmp (Filesize: 4KB)
  • memory/744-1-0x00000000004D0000-0x0000000000596000-memory.dmp (Filesize: 792KB)
  • memory/4416-19-0x00000000060D0000-0x0000000006136000-memory.dmp (Filesize: 408KB)
  • memory/4416-15-0x00000000749A0000-0x0000000075150000-memory.dmp (Filesize: 7.7MB)
  • memory/4416-17-0x00000000749A0000-0x0000000075150000-memory.dmp (Filesize: 7.7MB)
  • memory/4416-18-0x0000000005830000-0x0000000005848000-memory.dmp (Filesize: 96KB)
  • memory/4416-12-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
  • memory/4416-20-0x00000000749A0000-0x0000000075150000-memory.dmp (Filesize: 7.7MB)
  • memory/4416-21-0x00000000749A0000-0x0000000075150000-memory.dmp (Filesize: 7.7MB)