General
-
Target
edb6b198f5291e2f1b7ef1b88ec454b6_JaffaCakes118
-
Size
566KB
-
Sample
240920-qz4s7ayhlb
-
MD5
edb6b198f5291e2f1b7ef1b88ec454b6
-
SHA1
5fcf40c5e5a27f7dc2d2d02ddaeb372b92973617
-
SHA256
6c7b502a4f9a3b16613d4f454cc1eec8c9cc450848f55f1252dfbf36b90c7202
-
SHA512
940a25301a9e8d2843c0a6e820faa20a1e99c9b7cc9e507f23b923d524069348b5987e4abdfd889d3c897fa5dd822895709177559c19879b73163389a5bf2a4e
-
SSDEEP
12288:0J7W4z3sB1ST/5CHxiMHR8+4cOY482mtdfpFx2R:y7WusSbUH3x8+GY482mtFk
Malware Config
Targets
-
-
Target
edb6b198f5291e2f1b7ef1b88ec454b6_JaffaCakes118
-
Size
566KB
-
MD5
edb6b198f5291e2f1b7ef1b88ec454b6
-
SHA1
5fcf40c5e5a27f7dc2d2d02ddaeb372b92973617
-
SHA256
6c7b502a4f9a3b16613d4f454cc1eec8c9cc450848f55f1252dfbf36b90c7202
-
SHA512
940a25301a9e8d2843c0a6e820faa20a1e99c9b7cc9e507f23b923d524069348b5987e4abdfd889d3c897fa5dd822895709177559c19879b73163389a5bf2a4e
-
SSDEEP
12288:0J7W4z3sB1ST/5CHxiMHR8+4cOY482mtdfpFx2R:y7WusSbUH3x8+GY482mtFk
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
1Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
5Credentials In Files
4Credentials in Registry
1