Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-09-2024 13:00
Static task: static1
Behavioral task: behavioral1
- Sample: e03c44769786da6c582e739e7710bbc3_JaffaCakes118.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: e03c44769786da6c582e739e7710bbc3_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: e03c44769786da6c582e739e7710bbc3_JaffaCakes118.exe
- Size: 882KB
- MD5: e03c44769786da6c582e739e7710bbc3
- SHA1: d3fff948a5c25bb07f06de7134ce5a88dae701a6
- SHA256: 119104fb2d65725f9acd015a1478e6f7064ebae5e904e4e2ea783a5cf8f472d4
- SHA512: b5664471caeb289421bb591c126117f1f3ce7bf58d627633e58211e0865873da951ef9c6aa995d6a69ecfb3b318cb083ad460458792976aadd0a27e044368a80
- SSDEEP: 12288:sNOUj6hvKElTXjkztKD3ugnM6Ss7t6E6wtsjgxAZBP8tSaTO2r8sGIq0kuJpk6:kO46E6TX8M3nM6hUTj5P8Pa2wsgGJpk6
Malware Config
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla payload (7 IoCs)
  resource                                                                     yara_rule
  behavioral2/memory/4304-17-0x0000000000400000-0x00000000004B7000-memory.dmp  family_agenttesla
  behavioral2/memory/4304-23-0x0000000000400000-0x00000000004B7000-memory.dmp  family_agenttesla
  behavioral2/memory/4304-22-0x0000000000400000-0x00000000004B7000-memory.dmp  family_agenttesla
  behavioral2/memory/4304-21-0x0000000000960000-0x00000000009B6000-memory.dmp  family_agenttesla
  behavioral2/memory/4304-20-0x0000000000960000-0x00000000009B6000-memory.dmp  family_agenttesla
  behavioral2/memory/4304-34-0x0000000000400000-0x00000000004B7000-memory.dmp  family_agenttesla
  behavioral2/memory/4304-35-0x0000000000400000-0x00000000004B7000-memory.dmp  family_agenttesla
- Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
  Malicious Access or copy of Web Browser Credential store.
- Executes dropped EXE (2 IoCs)
  pid   Process
  3220  myneworigtjoe.exe
  4304  myneworigtjoe.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- UPX yara rule matches (5 IoCs)
  resource                                                                     yara_rule
  behavioral2/memory/4304-16-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
  behavioral2/memory/4304-17-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
  behavioral2/memory/4304-23-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
  behavioral2/memory/4304-22-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
  behavioral2/memory/4304-13-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
- Unsecured Credentials: Credentials In Files (1 TTPs)
  Steal credentials from unsecured files.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  description  ioc                                                                                                                                                                    Process
  Key opened   \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                      myneworigtjoe.exe
  Key opened   \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                      myneworigtjoe.exe
  Key opened   \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  myneworigtjoe.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description      ioc                                                                                                                                                  Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NewApp = "C:\\Users\\Admin\\AppData\\Roaming\\NewApp\\NewApp.exe"  myneworigtjoe.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description                               pid   Process            procid_target
  PID 3220 set thread context of 4304       3220  myneworigtjoe.exe  87
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                        Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  myneworigtjoe.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e03c44769786da6c582e739e7710bbc3_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  myneworigtjoe.exe
- NTFS ADS (2 IoCs)
  description   ioc                                                                          Process
  File created  C:\Users\Admin\AppData\Roaming\myneworigoe\myneworigtjoe.exe:ZoneIdentifier  e03c44769786da6c582e739e7710bbc3_JaffaCakes118.exe
  File created  C:\Users\Admin\AppData\Roaming\NewApp\NewApp.exe\:ZoneIdentifier:$DATA       myneworigtjoe.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   Process
  2456  e03c44769786da6c582e739e7710bbc3_JaffaCakes118.exe
  2456  e03c44769786da6c582e739e7710bbc3_JaffaCakes118.exe
  3220  myneworigtjoe.exe
  3220  myneworigtjoe.exe
  4304  myneworigtjoe.exe
  4304  myneworigtjoe.exe
- Suspicious behavior: MapViewOfSection (2 IoCs)
  pid   Process
  3220  myneworigtjoe.exe
  3220  myneworigtjoe.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  4304  myneworigtjoe.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                      pid   Process                                             procid_target
  PID 2456 wrote to memory of 3220  2456  e03c44769786da6c582e739e7710bbc3_JaffaCakes118.exe  86
  PID 2456 wrote to memory of 3220  2456  e03c44769786da6c582e739e7710bbc3_JaffaCakes118.exe  86
  PID 2456 wrote to memory of 3220  2456  e03c44769786da6c582e739e7710bbc3_JaffaCakes118.exe  86
  PID 3220 wrote to memory of 4304  3220  myneworigtjoe.exe                                   87
  PID 3220 wrote to memory of 4304  3220  myneworigtjoe.exe                                   87
  PID 3220 wrote to memory of 4304  3220  myneworigtjoe.exe                                   87
- outlook_office_path (1 IoCs)
  description  ioc                                                                                                                                                Process
  Key opened   \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  myneworigtjoe.exe
- outlook_win_path (1 IoCs)
  description  ioc                                                                                                                                                                    Process
  Key opened   \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  myneworigtjoe.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\e03c44769786da6c582e739e7710bbc3_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e03c44769786da6c582e739e7710bbc3_JaffaCakes118.exe"
   PID: 2456
   - System Location Discovery: System Language Discovery
   - NTFS ADS
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\myneworigoe\myneworigtjoe.exe
      Command line: "C:\Users\Admin\AppData\Roaming\myneworigoe\myneworigtjoe.exe"
      PID: 3220
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\myneworigoe\myneworigtjoe.exe
         Command line: "C:\Users\Admin\AppData\Roaming\myneworigoe\myneworigtjoe.exe"
         PID: 4304
         - Executes dropped EXE
         - Accesses Microsoft Outlook profiles
         - Adds Run key to start application
         - System Location Discovery: System Language Discovery
         - NTFS ADS
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - outlook_office_path
         - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)