General

  • Target

    e55fedd6c22acd3a7f5952c827f1dd3c_JaffaCakes118

  • Size

    1.3MB

  • Sample

    240916-xaew4atdlm

  • MD5

    e55fedd6c22acd3a7f5952c827f1dd3c

  • SHA1

    0571e0f30bca6b88d569f035097600de639c6a44

  • SHA256

    627f8214e9589ca767888fd3a4ad42ad7d0aa1dd422f5006538ed5e422c21f38

  • SHA512

    8adb9faf3aae6c0dce6d90af0f64017ce3de698f4a40b7159fba6b6eca5cec40df3e29f56a2a04a65f596028324801c5946df2e5ed176d5659a2e17a2eedce1c

  • SSDEEP

    12288:+ALF+FEkNXkH62mgZ6qO23a0c1LD33T38Iu65nDz4o5LePnR1HvH9nc+Hoq:ZsEkNMmB3L4WI15lvKkoq

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control-flow obfuscation.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15