General

  • Target

    f0714637753e9138f2b4119fb5e46086_JaffaCakes118

  • Size

    515KB

  • Sample

    240921-xk64bsxglc

  • MD5

    f0714637753e9138f2b4119fb5e46086

  • SHA1

    85eddb2e153391b95b920447fd4741c527e0f411

  • SHA256

    970c4fa87fa25321d0c21249ef8eae46ab39061b3839266b49874e754c24d146

  • SHA512

    0c60e068ab6aebb65e34b91e0cb69fd683a2d5ec1b26c54f03ab529dcc9e5c9223ccb49ba572223600576bd531aef18680063cf51d0d2cf45cfc2ac6f3a919aa

  • SSDEEP

    12288:R3epevJWiIWxP4UHyB5oOcsXHuYfnCkVL4lLKQhSZvcO9qBdiG3:gpqJWiVxP4UHyB5NcslfnCkViWKlnn3

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Simple262627
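The extracted SMTP account is the sample's exfiltration channel: Agent Tesla mails harvested credentials to an attacker-controlled mailbox, and that account (host, port, username, password) is what the config extractor pulls out of the binary. One way to turn it into a detection, as an added example that is not part of this report or of the sandbox's own tooling: the Python below runs over constructed Sysmon Event ID 3 (network connection) records and flags SMTP submissions from anything other than a known mail client, matching the report's host exactly and, as a fallback for when the attacker rotates mailboxes, any SMTP from a process in a user-writable path. The images, PIDs, the non-Yandex hostname and the injected .NET host process are made up for the illustration.

```python
"""Detect SMTP exfiltration to the mailbox host from the extracted config.

Added example, not part of the sandbox report. SAMPLE_EVENTS are constructed
Sysmon Event ID 3 (network connection) records reduced to the relevant fields;
the images, PIDs and the non-Yandex hostname are made up.
"""
import json

# From the report's extracted config.
EXFIL_HOST = "smtp.yandex.com"
EXFIL_PORT = 587

# SMTP submission/relay ports worth watching regardless of destination.
SMTP_PORTS = {25, 465, 587}

# Processes expected to speak SMTP on a workstation (assumption; tune per estate).
ALLOWED_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Path fragments of user-writable locations a freshly dropped binary tends to run from.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")

# Constructed telemetry, one JSON event per line. RegSvcs.exe stands in for a
# hollowed .NET host process (an assumption, not something the report states).
SAMPLE_EVENTS = r"""
{"EventID": 3, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "ProcessId": 4120, "DestinationHostname": "smtp.yandex.com", "DestinationPort": 587}
{"EventID": 3, "Image": "C:\\Users\\victim\\Downloads\\Scan docs.exe", "ProcessId": 5532, "DestinationHostname": "smtp.yandex.com", "DestinationPort": 587}
{"EventID": 3, "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", "ProcessId": 6012, "DestinationHostname": "smtp.yandex.com", "DestinationPort": 587}
{"EventID": 3, "Image": "C:\\Users\\victim\\AppData\\Roaming\\invoice.exe", "ProcessId": 6400, "DestinationHostname": "mail.example.net", "DestinationPort": 587}
{"EventID": 3, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "ProcessId": 7000, "DestinationHostname": "example.org", "DestinationPort": 443}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ProcessId": 7100}
"""


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def image_name(image):
    """Lower-cased file name of a Windows image path."""
    return image.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a reason string if the event is a suspicious SMTP connection, else None."""
    if event.get("EventID") != 3 or event.get("DestinationPort") not in SMTP_PORTS:
        return None
    image = event.get("Image", "")
    if image_name(image) in ALLOWED_MAIL_CLIENTS:
        return None
    # Exact indicator from the report: SMTP to the extracted mailbox host.
    if event.get("DestinationHostname", "").lower() == EXFIL_HOST:
        return "ioc-match: SMTP to extracted C2 mailbox host"
    # Behavioural fallback: SMTP from a binary living in a user-writable directory.
    if any(frag in image.lower() for frag in USER_WRITABLE):
        return "behavioral: SMTP from a user-writable path"
    return None


def find_smtp_exfil(events):
    """List (pid, image, reason) for every suspicious SMTP connection, in log order."""
    hits = []
    for ev in events:
        reason = classify(ev)
        if reason:
            hits.append((ev["ProcessId"], ev["Image"], reason))
    return hits


if __name__ == "__main__":
    for pid, image, reason in find_smtp_exfil(parse_events(SAMPLE_EVENTS)):
        print(f"{pid:>6}  {reason:<48}  {image}")
```

smtp.yandex.com is a shared legitimate provider, so the hostname on its own is a weak indicator and the allow-list deliberately suppresses real mail clients that may use it. The username in the extracted config is the stronger indicator, but catching it needs mail-flow or SMTP AUTH visibility (a proxy, a mail gateway, or decrypted submission traffic) rather than connection telemetry; also reset or report that mailbox rather than relying on the leaked password staying valid.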

Targets

    • Target

      Scan docs.exe

    • Size

      1.0MB

    • MD5

      667dff5fe5e685c40701d59e912fab36

    • SHA1

      2039240f535f75dbb43abfd7f9f8883593b5723a

    • SHA256

      a863c5d16b5aa24f51529b7482d42401caf457ef0560545725be60bbbc16bd6a

    • SHA512

      02effb668427a14349a276f5df9a25e321f5cf243f4bd2b7b6d768048c8bd0ee5215c6601dfce1b9a9151bcf796b584405c3af64e9dd320c9148eaaba35c25e8

    • SSDEEP

      24576:wgIIOXml5rD77MgdFjbh9EbKUFZzVdfML:wa9vb75IZz+

    • AgentTesla

      Agent Tesla is a .NET remote access tool (RAT) and credential stealer, originally written in Visual Basic .NET. It harvests saved credentials from browsers, FTP, VPN and mail clients and exfiltrates them over SMTP, FTP or HTTP, which is why an SMTP account appears in the extracted config above.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Reads WinSCP keys stored on the system

      Tries to read WinSCP stored sessions, which by default live in the user's registry hive together with the saved (obfuscated, not encrypted) passwords.

    • Reads data files stored by FTP clients

      Tries to access configuration files of FTP clients such as FileZilla, whose site manager and recent-server files hold saved server logins.

    • Reads user/profile data of local email clients

      Email clients store profile data, including configured accounts and saved credentials, on disk or in the registry, where infostealers routinely harvest it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved logins, cookies and autofill entries.

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified UPX build. Packing hides the real payload from static scanners until it is unpacked in memory, so the unpacked image, not the file on disk, is what static signatures should be matched against.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files, i.e. plaintext or weakly obfuscated configuration and profile files that applications leave readable to any process running as the user.

    • Accesses Microsoft Outlook profiles

      Reads the Outlook profile data (kept under the user's registry hive), which holds configured account settings and stored credentials.

    • Suspicious use of SetThreadContext

      Calling SetThreadContext on a thread of another process is characteristic of process hollowing: the payload is written into a suspended host process and the thread's instruction pointer is redirected to it before the thread is resumed.
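Taken together, the signatures above describe one process sweeping the credential stores of several unrelated applications (browsers, FTP clients, mail clients). That multi-store sweep is what separates an infostealer from an application reading its own store, and it is the thing worth alerting on. The Python below is an added example rather than the sandbox's own logic: it encodes the default store locations for the applications named in the report and runs them over constructed Windows object-access audit events (EventID 4663) and Sysmon registry events (12/13); the SIDs, paths and the "Scan docs.exe" activity are made up for the illustration.

```python
"""Flag one process reading credential stores belonging to several applications.

Added example, not part of the sandbox report. The store locations are the
usual default paths for each application; the events are constructed Windows
file-access audit records (EventID 4663) and Sysmon registry events (12/13)
reduced to the fields that matter, with made-up SIDs and paths.
"""
import fnmatch
import json
from collections import defaultdict

# (category, legitimate owner process, lower-cased glob over the object path).
# Registry objects are matched on the part after the hive/SID prefix, because
# Sysmon reports HKU\<SID>\... rather than HKCU\...
CREDENTIAL_STORES = [
    ("browser", "chrome.exe",      r"*\google\chrome\user data\*\login data"),
    ("browser", "firefox.exe",     r"*\mozilla\firefox\profiles\*\logins.json"),
    ("browser", "firefox.exe",     r"*\mozilla\firefox\profiles\*\key4.db"),
    ("ftp",     "filezilla.exe",   r"*\filezilla\recentservers.xml"),
    ("ftp",     "filezilla.exe",   r"*\filezilla\sitemanager.xml"),
    ("ftp",     "winscp.exe",      r"*\software\martin prikryl\winscp 2\sessions*"),
    ("mail",    "thunderbird.exe", r"*\thunderbird\profiles\*\logins.json"),
    ("mail",    "outlook.exe",     r"*\software\microsoft\office\*\outlook\profiles*"),
]

# Constructed telemetry, one JSON event per line.
SAMPLE_EVENTS = r"""
{"EventID": 4663, "ProcessName": "C:\\Users\\victim\\Downloads\\Scan docs.exe", "ObjectName": "C:\\Users\\victim\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"EventID": 4663, "ProcessName": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ObjectName": "C:\\Users\\victim\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"EventID": 4663, "ProcessName": "C:\\Users\\victim\\Downloads\\Scan docs.exe", "ObjectName": "C:\\Users\\victim\\AppData\\Roaming\\FileZilla\\recentservers.xml"}
{"EventID": 12, "Image": "C:\\Users\\victim\\Downloads\\Scan docs.exe", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Martin Prikryl\\WinSCP 2\\Sessions"}
{"EventID": 13, "Image": "C:\\Users\\victim\\Downloads\\Scan docs.exe", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\Email"}
{"EventID": 4663, "ProcessName": "C:\\Program Files\\FileZilla FTP Client\\filezilla.exe", "ObjectName": "C:\\Users\\victim\\AppData\\Roaming\\FileZilla\\sitemanager.xml"}
{"EventID": 4663, "ProcessName": "C:\\Windows\\System32\\SearchIndexer.exe", "ObjectName": "C:\\Users\\victim\\Documents\\notes.txt"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def access_pair(event):
    """Normalize an event to (process image, accessed object) or None."""
    if event.get("EventID") == 4663:
        return event["ProcessName"], event["ObjectName"]
    if event.get("EventID") in (12, 13):
        return event["Image"], event["TargetObject"]
    return None


def match_store(obj):
    """Return (category, owner) if obj is a known credential store, else None."""
    low = obj.lower()
    for category, owner, pattern in CREDENTIAL_STORES:
        if fnmatch.fnmatchcase(low, pattern):
            return category, owner
    return None


def credential_store_access(events):
    """Map each process to the set of store categories it touched, ignoring the
    application that legitimately owns each store."""
    touched = defaultdict(set)
    for ev in events:
        pair = access_pair(ev)
        if pair is None:
            continue
        process, obj = pair
        hit = match_store(obj)
        if hit is None:
            continue
        category, owner = hit
        if process.rsplit("\\", 1)[-1].lower() == owner:
            continue
        touched[process].add(category)
    return dict(touched)


def infostealer_candidates(events, min_categories=2):
    """Processes that read stores of at least min_categories different
    applications: an app reads its own store, a stealer sweeps all of them."""
    return sorted(p for p, cats in credential_store_access(events).items()
                  if len(cats) >= min_categories)


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for process, cats in credential_store_access(events).items():
        print(process, sorted(cats))
    print("candidates:", infostealer_candidates(events))
```

EventID 4663 only appears when a SACL is set on the store files, so on hosts without object-access auditing the equivalent source is an EDR file-read feed; the registry side needs the WinSCP and Outlook key paths in the Sysmon config. The owner exemption is name-based, which a stealer can defeat by renaming itself, so in production key it on a signed image path rather than the file name.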
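The "UPX packed file" signature in the list above is a static check on the PE section table. As an added example (not the sandbox's detector and not code from the sample), the Python below builds three constructed PE headers, one with stock UPX section names, one with renamed sections in the UPX layout as a modified build might leave them, and one ordinary build, parses the section table by hand and reports which of three UPX indicators each shows. The headers are valid DOS/COFF/section tables with no real code behind them, used purely as test input.

```python
"""Static UPX check over the PE section table.

Added example, not part of the sandbox report. The PE images built here are
constructed headers (valid DOS/COFF/section tables, no real code) used as
test input; nothing comes from the analysed sample.
"""
import struct

COFF_HEADER_FMT = "<HHIIIHH"         # IMAGE_FILE_HEADER, 20 bytes
SECTION_HEADER_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def build_minimal_pe(sections, trailer=b""):
    """Construct a PE32 header with (name, virtual_size, raw_size) sections.
    Constructed test input only; the result is not a runnable executable."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)        # e_lfanew: PE header right after DOS header
    opt_size = 0xE0                               # PE32 optional header size
    coff = struct.pack(COFF_HEADER_FMT, 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, 0x10B)    # PE32 magic
    table = b""
    raw_ptr = 0x400
    for i, (name, vsize, rsize) in enumerate(sections):
        table += struct.pack(SECTION_HEADER_FMT, name.encode("ascii")[:8].ljust(8, b"\0"),
                             vsize, 0x1000 * (i + 1), rsize, raw_ptr if rsize else 0,
                             0, 0, 0, 0, 0x60000020)
        raw_ptr += rsize
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional) + table + trailer


def parse_sections(data):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff_off = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER_FMT, data, coff_off)
    first = coff_off + 20 + opt_size
    if first + 40 * nsec > len(data):
        raise ValueError("section table truncated")
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rsize, rptr, _, _, _, _, flags = struct.unpack_from(
            SECTION_HEADER_FMT, data, first + 40 * i)
        sections.append({"name": name.split(b"\0", 1)[0].decode("latin-1"),
                         "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": rsize, "raw_pointer": rptr,
                         "characteristics": flags})
    return sections


def upx_indicators(data):
    """Reasons to believe data is UPX-packed, strongest first. Stock UPX names its
    sections UPX0/UPX1/UPX2; a modified build may rename them, so the layout is
    checked too (first section empty on disk, filled at runtime by the stub), as
    is the "UPX!" pack-header magic that a sloppy modification leaves in place."""
    secs = parse_sections(data)
    reasons = []
    if any(s["name"].upper().startswith("UPX") for s in secs):
        reasons.append("upx-section-names")
    if secs and secs[0]["raw_size"] == 0 and secs[0]["virtual_size"] > 0:
        reasons.append("empty-first-section")
    if b"UPX!" in data:
        reasons.append("upx-magic")
    return reasons


def is_upx_packed(data):
    return bool(upx_indicators(data))


# Constructed samples: stock UPX layout, a renamed ("modified UPX") layout, a normal build.
PACKED_SAMPLE = build_minimal_pe([("UPX0", 0x8000, 0), ("UPX1", 0x4000, 0x4000), ("UPX2", 0x1000, 0x200)],
                                 trailer=b"UPX!")
RENAMED_SAMPLE = build_minimal_pe([(".code", 0x8000, 0), (".data", 0x4000, 0x4000)])
CLEAN_SAMPLE = build_minimal_pe([(".text", 0x1000, 0x1000), (".rdata", 0x800, 0x800), (".data", 0x400, 0x200)])

if __name__ == "__main__":
    for label, blob in (("packed", PACKED_SAMPLE), ("renamed", RENAMED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, [s["name"] for s in parse_sections(blob)], upx_indicators(blob))
```

The empty-first-section heuristic is the one that survives a renamed build, but it is a layout property, not a UPX fingerprint, so treat it as a prompt to unpack (upx -d works on stock builds; a modified stub needs a memory dump after the stub has run) rather than as a verdict on its own.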

MITRE ATT&CK Enterprise v15

Tasks