Analysis
-
max time kernel
124s -
max time network
20s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
20-09-2024 13:42
Static task
static1
Behavioral task
behavioral1
Sample
edb6b198f5291e2f1b7ef1b88ec454b6_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
edb6b198f5291e2f1b7ef1b88ec454b6_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
edb6b198f5291e2f1b7ef1b88ec454b6_JaffaCakes118.exe
-
Size
566KB
-
MD5
edb6b198f5291e2f1b7ef1b88ec454b6
-
SHA1
5fcf40c5e5a27f7dc2d2d02ddaeb372b92973617
-
SHA256
6c7b502a4f9a3b16613d4f454cc1eec8c9cc450848f55f1252dfbf36b90c7202
-
SHA512
940a25301a9e8d2843c0a6e820faa20a1e99c9b7cc9e507f23b923d524069348b5987e4abdfd889d3c897fa5dd822895709177559c19879b73163389a5bf2a4e
-
SSDEEP
12288:0J7W4z3sB1ST/5CHxiMHR8+4cOY482mtdfpFx2R:y7WusSbUH3x8+GY482mtFk
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload 5 IoCs
resource yara_rule behavioral1/memory/1680-22-0x0000000000400000-0x0000000000450000-memory.dmp family_agenttesla behavioral1/memory/1680-24-0x0000000000400000-0x0000000000450000-memory.dmp family_agenttesla behavioral1/memory/1680-27-0x0000000000400000-0x0000000000450000-memory.dmp family_agenttesla behavioral1/memory/1680-29-0x0000000000400000-0x0000000000450000-memory.dmp family_agenttesla behavioral1/memory/1680-28-0x0000000000400000-0x0000000000450000-memory.dmp family_agenttesla -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Executes dropped EXE 1 IoCs
pid Process 2248 Microsoft.exe -
Loads dropped DLL 1 IoCs
pid Process 2712 cmd.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft.exe -boot" Microsoft.exe Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\MyApp = "C:\\Users\\Admin\\AppData\\Roaming\\MyApp\\MyApp.exe" RegAsm.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2248 set thread context of 1680 2248 Microsoft.exe 43 -
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 4 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft.exe:Zone.Identifier cmd.exe File created C:\Users\Admin\AppData\Local\Temp\edb6b198f5291e2f1b7ef1b88ec454b6_JaffaCakes118.exe:Zone.Identifier cmd.exe File opened for modification C:\Users\Admin\AppData\Local\Temp\edb6b198f5291e2f1b7ef1b88ec454b6_JaffaCakes118.exe:Zone.Identifier cmd.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft.exe:Zone.Identifier cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Microsoft.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language edb6b198f5291e2f1b7ef1b88ec454b6_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
NTFS ADS 5 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft.exe:Zone.Identifier cmd.exe File created C:\Users\Admin\AppData\Local\Temp\edb6b198f5291e2f1b7ef1b88ec454b6_JaffaCakes118.exe:Zone.Identifier cmd.exe File opened for modification C:\Users\Admin\AppData\Local\Temp\edb6b198f5291e2f1b7ef1b88ec454b6_JaffaCakes118.exe:Zone.Identifier cmd.exe File created C:\Users\Admin\AppData\Roaming\Microsoft.exe\:Zone.Identifier:$DATA cmd.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft.exe:Zone.Identifier cmd.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1680 RegAsm.exe 1680 RegAsm.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2908 edb6b198f5291e2f1b7ef1b88ec454b6_JaffaCakes118.exe Token: SeDebugPrivilege 2248 Microsoft.exe Token: SeDebugPrivilege 1680 RegAsm.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1680 RegAsm.exe -
Suspicious use of WriteProcessMemory 40 IoCs
description pid Process procid_target PID 2908 wrote to memory of 2180 2908 edb6b198f5291e2f1b7ef1b88ec454b6_JaffaCakes118.exe 30 PID 2908 wrote to memory of 2180 2908 edb6b198f5291e2f1b7ef1b88ec454b6_JaffaCakes118.exe 30 PID 2908 wrote to memory of 2180 2908 edb6b198f5291e2f1b7ef1b88ec454b6_JaffaCakes118.exe 30 PID 2908 wrote to memory of 2180 2908 edb6b198f5291e2f1b7ef1b88ec454b6_JaffaCakes118.exe 30 PID 2908 wrote to memory of 2900 2908 edb6b198f5291e2f1b7ef1b88ec454b6_JaffaCakes118.exe 32 PID 2908 wrote to memory of 2900 2908 edb6b198f5291e2f1b7ef1b88ec454b6_JaffaCakes118.exe 32 PID 2908 wrote to memory of 2900 2908 edb6b198f5291e2f1b7ef1b88ec454b6_JaffaCakes118.exe 32 PID 2908 wrote to memory of 2900 2908 edb6b198f5291e2f1b7ef1b88ec454b6_JaffaCakes118.exe 32 PID 2908 wrote to memory of 2836 2908 edb6b198f5291e2f1b7ef1b88ec454b6_JaffaCakes118.exe 34 PID 2908 wrote to memory of 2836 2908 edb6b198f5291e2f1b7ef1b88ec454b6_JaffaCakes118.exe 34 PID 2908 wrote to memory of 2836 2908 edb6b198f5291e2f1b7ef1b88ec454b6_JaffaCakes118.exe 34 PID 2908 wrote to memory of 2836 2908 edb6b198f5291e2f1b7ef1b88ec454b6_JaffaCakes118.exe 34 PID 2908 wrote to memory of 2712 2908 edb6b198f5291e2f1b7ef1b88ec454b6_JaffaCakes118.exe 36 PID 2908 wrote to memory of 2712 2908 edb6b198f5291e2f1b7ef1b88ec454b6_JaffaCakes118.exe 36 PID 2908 wrote to memory of 2712 2908 edb6b198f5291e2f1b7ef1b88ec454b6_JaffaCakes118.exe 36 PID 2908 wrote to memory of 2712 2908 edb6b198f5291e2f1b7ef1b88ec454b6_JaffaCakes118.exe 36 PID 2712 wrote to memory of 2248 2712 cmd.exe 38 PID 2712 wrote to memory of 2248 2712 cmd.exe 38 PID 2712 wrote to memory of 2248 2712 cmd.exe 38 PID 2712 wrote to memory of 2248 2712 cmd.exe 38 PID 2248 wrote to memory of 3044 2248 Microsoft.exe 39 PID 2248 wrote to memory of 3044 2248 Microsoft.exe 39 PID 2248 wrote to memory of 3044 2248 Microsoft.exe 39 PID 2248 wrote to memory of 3044 2248 Microsoft.exe 39 PID 2248 wrote to memory of 2104 2248 Microsoft.exe 41 PID 2248 wrote to memory of 2104 2248 Microsoft.exe 41 PID 2248 wrote to memory of 2104 2248 Microsoft.exe 41 PID 2248 wrote to memory of 2104 2248 Microsoft.exe 41 PID 2248 wrote to memory of 1680 2248 Microsoft.exe 43 PID 2248 wrote to memory of 1680 2248 Microsoft.exe 43 PID 2248 wrote to memory of 1680 2248 Microsoft.exe 43 PID 2248 wrote to memory of 1680 2248 Microsoft.exe 43 PID 2248 wrote to memory of 1680 2248 Microsoft.exe 43 PID 2248 wrote to memory of 1680 2248 Microsoft.exe 43 PID 2248 wrote to memory of 1680 2248 Microsoft.exe 43 PID 2248 wrote to memory of 1680 2248 Microsoft.exe 43 PID 2248 wrote to memory of 1680 2248 Microsoft.exe 43 PID 2248 wrote to memory of 1680 2248 Microsoft.exe 43 PID 2248 wrote to memory of 1680 2248 Microsoft.exe 43 PID 2248 wrote to memory of 1680 2248 Microsoft.exe 43 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\edb6b198f5291e2f1b7ef1b88ec454b6_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\edb6b198f5291e2f1b7ef1b88ec454b6_JaffaCakes118.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\edb6b198f5291e2f1b7ef1b88ec454b6_JaffaCakes118.exe:Zone.Identifier"2⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:2180
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\edb6b198f5291e2f1b7ef1b88ec454b6_JaffaCakes118.exe:Zone.Identifier"2⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:2900
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\edb6b198f5291e2f1b7ef1b88ec454b6_JaffaCakes118.exe" "C:\Users\Admin\AppData\Roaming\Microsoft.exe"2⤵
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:2836
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\Microsoft.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Users\Admin\AppData\Roaming\Microsoft.exe"C:\Users\Admin\AppData\Roaming\Microsoft.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Roaming\Microsoft.exe:Zone.Identifier"4⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:3044
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Roaming\Microsoft.exe:Zone.Identifier"4⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:2104
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:1680
-
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
1Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
5Credentials In Files
4Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
566KB
MD5edb6b198f5291e2f1b7ef1b88ec454b6
SHA15fcf40c5e5a27f7dc2d2d02ddaeb372b92973617
SHA2566c7b502a4f9a3b16613d4f454cc1eec8c9cc450848f55f1252dfbf36b90c7202
SHA512940a25301a9e8d2843c0a6e820faa20a1e99c9b7cc9e507f23b923d524069348b5987e4abdfd889d3c897fa5dd822895709177559c19879b73163389a5bf2a4e