Overview

overview

10

Static

static

3

300f3f1f1a...18.exe

windows7-x64

3

300f3f1f1a...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-10-2024 13:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    300f3f1f1a66b1e440cbdc4efd14e2ef_JaffaCakes118.exe

  • Size

    802KB

  • MD5

    300f3f1f1a66b1e440cbdc4efd14e2ef

  • SHA1

    8e1043d8c4b2315fba6d8a9692846f8791c22436

  • SHA256

    71609c370ed4d3d62069401d753b937faf2dc66c0003409999946f5eb1046816

  • SHA512

    a176a7f2d87f8c77b72ad484f315af203502829ddbdaa2d24fe48d656bf65b3166f2cb452067e1b0ef8b4aaa3fa7a4daf32eee65a1b434e44a438e5b1c0c452e

  • SSDEEP

    12288:tt0Q5JEq/y6INX6LRgU7e9OmunzkiL3TJjcKhX3ak0xN:/0kGq/wKgDO3QMJjcKhHaj

Score
10/10
agentteslacollectioncredential_accessdefense_evasiondiscoverykeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.karanex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    roz%KtT3

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • AgentTesla payload 1 IoCs
  • System Binary Proxy Execution: InstallUtil 1 TTPs 2 IoCs

    Abuse InstallUtil to proxy execution of malicious code.

    defense_evasion
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 37 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\300f3f1f1a66b1e440cbdc4efd14e2ef_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\300f3f1f1a66b1e440cbdc4efd14e2ef_JaffaCakes118.exe"
    1⤵
    • System Binary Proxy Execution: InstallUtil
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2336
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\MAINPROC.exe,"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3616
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\MAINPROC.exe,"
        3⤵
        • Modifies WinLogon for persistence
        • System Location Discovery: System Language Discovery
        PID:1516
    • C:\Users\Admin\AppData\Roaming\MAINPROC.exe
      "C:\Users\Admin\AppData\Roaming\MAINPROC.exe"
      2⤵
      • System Binary Proxy Execution: InstallUtil
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1940
      • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
        "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • outlook_office_path
        • outlook_win_path
        PID:2124
      • C:\Users\Admin\AppData\Local\Temp\smss.exe
        "C:\Users\Admin\AppData\Local\Temp\smss.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5008
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:812

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\smss.exe.log
    Filesize

    1KB

    MD5

    7dca233df92b3884663fa5a40db8d49c

    SHA1

    208b8f27b708c4e06ac37f974471cc7b29c29b60

    SHA256

    90c83311e35da0b5f8aa65aa2109745feb68ee9540e863f4ed909872e9c6a84c

    SHA512

    d134b96fd33c79c85407608f76afc5a9f937bff453b1c90727a3ed992006c7d4c8329be6a2b5ba6b11da1a32f7cd60e9bc380be388b586d6cd5c2e6b1f57bd07

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
    Filesize

    41KB

    MD5

    5d4073b2eb6d217c19f2b22f21bf8d57

    SHA1

    f0209900fbf08d004b886a0b3ba33ea2b0bf9da8

    SHA256

    ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3

    SHA512

    9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\smss.exe
    Filesize

    76KB

    MD5

    0e362e7005823d0bec3719b902ed6d62

    SHA1

    590d860b909804349e0cdc2f1662b37bd62f7463

    SHA256

    2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

    SHA512

    518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\smss.txt
    Filesize

    54B

    MD5

    86a21c3a4185acba882d0ad439c5f25e

    SHA1

    c9d3483ed564597f30543d80921685801ed02929

    SHA256

    b69dc469e42ac42f8f1e73c51cd1d1508b4285a5f5ff96283d34819de777104f

    SHA512

    fa5731c1a5ba86354212a5bb23cb00fb21d62b6becebaa927a50e7a4bcd3a1d958565b93037535377c233a118b86a37840c02dd08a1e752c1c56a2ef53c70256

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\smss.txt
    Filesize

    56B

    MD5

    3250194993d3e09e333d912923012f76

    SHA1

    e317c8c42aeceef75bc9680d1ccd1d6084a535fd

    SHA256

    7c8e2a6e633f3803f6932841236d08a3506088180363c63319fb88ce940dca21

    SHA512

    ce1a73def6ab6001164ccce09e25409828bb3e8f8207d11ebe8ab27fd77fe8111558c1710e07d243106c8210139937f7aba1b899ef93a0f73213fb70c02118f5

    Download Submit

  • C:\Users\Admin\AppData\Roaming\MAINPROC.exe
    Filesize

    802KB

    MD5

    300f3f1f1a66b1e440cbdc4efd14e2ef

    SHA1

    8e1043d8c4b2315fba6d8a9692846f8791c22436

    SHA256

    71609c370ed4d3d62069401d753b937faf2dc66c0003409999946f5eb1046816

    SHA512

    a176a7f2d87f8c77b72ad484f315af203502829ddbdaa2d24fe48d656bf65b3166f2cb452067e1b0ef8b4aaa3fa7a4daf32eee65a1b434e44a438e5b1c0c452e

    Download Submit

  • memory/1940-28-0x0000000008B50000-0x0000000008B64000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1940-25-0x00000000750B0000-0x0000000075860000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1940-56-0x00000000750B0000-0x0000000075860000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1940-26-0x00000000750B0000-0x0000000075860000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1940-27-0x00000000750B0000-0x0000000075860000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1940-37-0x00000000750B0000-0x0000000075860000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1940-29-0x0000000000A60000-0x0000000000A66000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1940-31-0x00000000750B0000-0x0000000075860000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2124-32-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2124-61-0x0000000006350000-0x000000000635A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2124-60-0x0000000005FC0000-0x0000000006010000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2124-59-0x0000000005D60000-0x0000000005DC6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2124-58-0x0000000005100000-0x0000000005118000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2336-24-0x00000000750B0000-0x0000000075860000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2336-5-0x0000000006D20000-0x00000000072C4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2336-0-0x00000000750BE000-0x00000000750BF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2336-4-0x00000000066D0000-0x0000000006762000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2336-3-0x00000000750B0000-0x0000000075860000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2336-2-0x0000000005930000-0x00000000059CC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/2336-1-0x0000000000EA0000-0x0000000000F6E000-memory.dmp

    Filesize

    824KB

    Download

  • memory/2336-7-0x00000000750B0000-0x0000000075860000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2336-6-0x00000000069F0000-0x0000000006A28000-memory.dmp

    Filesize

    224KB

    Download

  • memory/2336-12-0x00000000750B0000-0x0000000075860000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2336-10-0x00000000750B0000-0x0000000075860000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2336-8-0x00000000750BE000-0x00000000750BF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5008-48-0x0000000000EB0000-0x0000000000ECA000-memory.dmp

    Filesize

    104KB

    Download