Overview

overview

10

Static

static

1

JaffaCakes...0b.ps1

windows7-x64

3

JaffaCakes...0b.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-01-2025 08:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_19dec01dd443f8b82e82a5f5f260be0b.ps1

  • Size

    355KB

  • MD5

    19dec01dd443f8b82e82a5f5f260be0b

  • SHA1

    e77d6ad6acacaccc30dae50608b2c5721ffda526

  • SHA256

    e67bdb94ed97481a1f6fa8790187a39e6f7641ae65f4ef0e601ba9c6da0cfa87

  • SHA512

    9cd0189d07a88b8c11e21c9c796346548cafab4a5f2f98eed7c07ddd40f23921b31e20002ac9b62c29cb9d26037efb9cf29c2594bac6875d85ef3eb7f53cd543

  • SSDEEP

    1536:EUz92i3yJc81fdDuJ8V+5FocQfb1xgHXuCL/iv6+y7X+mw/ie/uNVixz7+TmS5Pt:NsG

Score
10/10
agentteslacollectioncredential_accessdiscoveryexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

C2

http://103.125.190.248/j/p11l/mawa/0b5eace2c983ebeba55b.php

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Agenttesla family
    agenttesla
  • AgentTesla payload 1 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_19dec01dd443f8b82e82a5f5f260be0b.ps1
    1⤵
    • Suspicious use of SetThreadContext
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1960
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\eoxbjg42\eoxbjg42.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3512
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES376.tmp" "c:\Users\Admin\AppData\Local\Temp\eoxbjg42\CSC49CAF11E543046F8955B5112ACDE60D6.TMP"
        3⤵
          PID:2764
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        2⤵
          PID:4948
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          2⤵
          • Drops file in Drivers directory
          • Accesses Microsoft Outlook profiles
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • outlook_office_path
          • outlook_win_path
          PID:1596

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\RES376.tmp
        Filesize

        1KB

        MD5

        bd996dad6cb12c18134558e4b9dc3c25

        SHA1

        e2635e61f8f59027668e40e100b251f0e4af6951

        SHA256

        8c9e83bad1144e1d213209518c0bfa124386e40c5d45734f929d3fa4f9bf62ce

        SHA512

        bbcdf54336fafe9732c3a3e1e83781b6e7230a9bc7a5631c36b5972716dd078e5271aeb186bc7c4d8641b860a11ee0842ea4d6c8debeb050798b4e0380572406

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_01bewymu.1jb.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\eoxbjg42\eoxbjg42.dll
        Filesize

        13KB

        MD5

        5be714167dd4d1a75a390b0752665429

        SHA1

        02bc94448b6c0455c3fdb514773ee8da66e60d26

        SHA256

        72ec1970d31546d485fda433f15f27905cc01970671757ac202d0284c298b281

        SHA512

        dd13fed22e5849e1480e374bf8d4ef851fc2c0d6c65c4019a5fa5dd44355bdf591af5ea20074f993f8f2f6c1a28877aa376508dca0d313d2d0dcd8a0eaab365c

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\eoxbjg42\CSC49CAF11E543046F8955B5112ACDE60D6.TMP
        Filesize

        652B

        MD5

        b8b386c81ef2b0c2933a296f9cb428ec

        SHA1

        dcaa5eccd9a860f88a1f8ea7000d652dead5637e

        SHA256

        049d2042c6d495d6fb36ec26a5c00dcc7f17235414cbb5de28e5e4bf3d7aab01

        SHA512

        1c02345c75abeae818d41e5afc298c736759dd9c8049897821a392855297742b38ba7624c9e99d4ea3a661b1461f397cf0200150b1321ce4a4fd02d942740ca8

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\eoxbjg42\eoxbjg42.0.cs
        Filesize

        13KB

        MD5

        e03b1e7ba7f1a53a7e10c0fd9049f437

        SHA1

        3bb851a42717eeb588eb7deadfcd04c571c15f41

        SHA256

        3ca2d456cf2f8d781f2134e1481bd787a9cb6f4bcaa2131ebbe0d47a0eb36427

        SHA512

        a098a8e2a60a75357ee202ed4bbe6b86fa7b2ebae30574791e0d13dcf3ee95b841a14b51553c23b95af32a29cc2265afc285b3b0442f0454ea730de4d647383f

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\eoxbjg42\eoxbjg42.cmdline
        Filesize

        327B

        MD5

        4b805c8a181bcd8c15dd0413be212e6a

        SHA1

        6d875a1e249a529df16bb23c5770f9c64c22b3f0

        SHA256

        5fc62038a70e6277e3b041e0ae0d2405005c9dcaa0c743fbb21071719d2307bb

        SHA512

        599d881dff8a34e7814e5bb84cee13ec35c72c12b0f3beb3e3a94b5989d0c342a954e4db013db17dbea2d3a1941303e4309afb30c4f91c69948a88cd6b2d2064

        Download Submit

      • memory/1596-33-0x0000000004FE0000-0x0000000005072000-memory.dmp

        Filesize

        584KB

        Download

      • memory/1596-32-0x0000000005680000-0x0000000005C24000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/1596-39-0x0000000002620000-0x000000000262A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/1596-38-0x00000000026A0000-0x00000000026F0000-memory.dmp

        Filesize

        320KB

        Download

      • memory/1596-36-0x0000000005FE0000-0x0000000006046000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1596-35-0x0000000005160000-0x0000000005178000-memory.dmp

        Filesize

        96KB

        Download

      • memory/1596-28-0x0000000000400000-0x000000000043C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/1596-34-0x00000000052A0000-0x000000000533C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/1960-10-0x0000014E6FD50000-0x0000014E6FD72000-memory.dmp

        Filesize

        136KB

        Download

      • memory/1960-0-0x00007FFB253C3000-0x00007FFB253C5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1960-31-0x00007FFB253C0000-0x00007FFB25E81000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1960-26-0x0000014E6FFC0000-0x0000014E6FFCA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/1960-13-0x0000014E70180000-0x0000014E701F6000-memory.dmp

        Filesize

        472KB

        Download

      • memory/1960-11-0x00007FFB253C0000-0x00007FFB25E81000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1960-12-0x00007FFB253C0000-0x00007FFB25E81000-memory.dmp

        Filesize

        10.8MB

        Download