Overview

overview

10

Static

static

3

e11f1e6bd7...18.exe

windows7-x64

10

e11f1e6bd7...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    41s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    14-09-2024 21:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e11f1e6bd79d5e12885434dcfd703ae3_JaffaCakes118.exe

  • Size

    3.7MB

  • MD5

    e11f1e6bd79d5e12885434dcfd703ae3

  • SHA1

    dffa2772b1f9edf18586d70fe83716a032634570

  • SHA256

    371f46d6159d5fcba2d1531a470938fcd195840aeaf1147ec894407a7387431d

  • SHA512

    05db661decea32032a418e185a9bece0cb1ee6e06e23e7b0cbcd54798c387b3e2ce800c31b5a947570fcd14d63478a2eb862e60060700a7c6f534c6135a2d0f5

  • SSDEEP

    49152:+UJ6ZNXox4SgJhBsfHJq/nCFT4Mv0Pt97NfY7+k5K1fyqv+ih69:+tR4xGnCtvwNSK1aqv+4M

Score
10/10
agentteslacredential_accessdiscoveryevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.yandex.ru
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Godwin@1234

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • UAC bypass 3 TTPs 12 IoCs
    evasiontrojan
  • AgentTesla payload 5 IoCs
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs
  • System policy modification 1 TTPs 12 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\e11f1e6bd79d5e12885434dcfd703ae3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e11f1e6bd79d5e12885434dcfd703ae3_JaffaCakes118.exe"
    1⤵
    • UAC bypass
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2352
    • C:\Users\Admin\AppData\Local\Temp\e11f1e6bd79d5e12885434dcfd703ae3_JaffaCakes118.exe 
      C:\Users\Admin\AppData\Local\Temp\e11f1e6bd79d5e12885434dcfd703ae3_JaffaCakes118.exe 
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2532
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bBNRIXym" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7F0F.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2492
      • C:\Users\Admin\AppData\Local\Temp\e11f1e6bd79d5e12885434dcfd703ae3_JaffaCakes118.exe 
        "{path}"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2560
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
          dw20.exe -x -s 516
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:2256
    • C:\Users\Admin\AppData\Local\Temp\icsys.ico.exe
      C:\Users\Admin\AppData\Local\Temp\icsys.ico.exe
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2880
      • \??\c:\windows\wininit.exe
        c:\windows\wininit.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visiblity of hidden/system files in Explorer
        • UAC bypass
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:2668
      • \??\c:\users\admin\appdata\local\svchost.exe
        c:\users\admin\appdata\local\svchost.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visiblity of hidden/system files in Explorer
        • UAC bypass
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • System policy modification
        PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Winlogon Helper DLL

1
T1547.004

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Winlogon Helper DLL

1
T1547.004

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

4
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp7F0F.tmp
    Filesize

    1KB

    MD5

    ebcb49dd288fb843bbee5744a7897581

    SHA1

    ff47bfa3da3c856fe2cd0b33b0560781f71e49ac

    SHA256

    3c93ed4cc1f7bdc52f1b5bfd3be7ef1c87b4a75a93648f66b6c9930649e5eeb7

    SHA512

    9fa8d37a14d1dd47b6ab9a91e97cb88cef45ee3f22535bc1d2f669eb805f02266a4bd5bc72181b0bc54cf9d7aeb8c417b1c3fcf06df45c33d45ee1519bbf88a1

    Download Submit

  • \Users\Admin\AppData\Local\Temp\e11f1e6bd79d5e12885434dcfd703ae3_JaffaCakes118.exe 
    Filesize

    603KB

    MD5

    022821920ac46b52a44cdf0196c1b469

    SHA1

    bf036ce07db9edd5128319c1635ce05a1a611f0e

    SHA256

    257f5dd7532b70252668c3572d4be15938e7d2addfc825af0d545e2be750db35

    SHA512

    c074c5e4bd861be1322fc381a6238389f6f633b9873f9bc5701d858d15aa592cec91df67f8dfa218f0a7c910529cbe726f48f2495407c912bc0b3dcc4cd295e6

    Download Submit

  • \Users\Admin\AppData\Local\Temp\icsys.ico.exe
    Filesize

    3.1MB

    MD5

    e5f7631a65e188b5e4c712df3eedfb4f

    SHA1

    78182de0cdf4fd956358c96258fcf9c897109fa9

    SHA256

    d35558550ddc97df1b77c3d4d1327e7282115db4d83386894e756a74633096f0

    SHA512

    83523b3d75c0c292c2e48d7037346890c6451433c5c23dcd77df271b80a4b9fc07fcfd42c9c1047892b11c91b49c9366c7c1622a7604581bc728991f02911b9d

    Download Submit

  • memory/2352-14-0x0000000000400000-0x00000000007B5000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2352-12-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2352-0-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2352-63-0x0000000000400000-0x00000000007B5000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2532-9-0x00000000748A1000-0x00000000748A2000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2532-13-0x00000000748A0000-0x0000000074E4B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2532-10-0x00000000748A0000-0x0000000074E4B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2532-86-0x00000000748A0000-0x0000000074E4B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2532-11-0x00000000748A0000-0x0000000074E4B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2560-84-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2560-75-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2560-85-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2560-73-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2560-77-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2560-82-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2560-81-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2560-79-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2668-65-0x0000000000400000-0x00000000007B5000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2668-87-0x0000000000400000-0x00000000007B5000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2668-90-0x0000000000400000-0x00000000007B5000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2668-96-0x0000000000400000-0x00000000007B5000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2880-61-0x0000000000400000-0x00000000007B5000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2880-21-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3056-66-0x0000000000400000-0x00000000007B5000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/3056-88-0x0000000000400000-0x00000000007B5000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/3056-91-0x0000000000400000-0x00000000007B5000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/3056-95-0x0000000000400000-0x00000000007B5000-memory.dmp

    Filesize

    3.7MB

    Download