Overview

overview

10

Static

static

3

JaffaCakes...9f.exe

windows10-2004-x64

10

JaffaCakes...9f.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    104s
  • max time network
    105s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250410-en
  • resource tags

    arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    23/04/2025, 02:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_d0bfe83ba7349d6823585dadc521fd9f.exe

  • Size

    39KB

  • MD5

    d0bfe83ba7349d6823585dadc521fd9f

  • SHA1

    b91c5b421e7732646bc8605f0c2bdf24142cf531

  • SHA256

    94d0424230c530aeb45ebfd0e9e27017e72d4fbb2aec516c5fdf6a70beb6258d

  • SHA512

    de0eb5f52a5de1cd571098c1706221a89a658790394710562efa8c1a630ca520ed49e59cbe1e3cb73b8f2e14f5305e16babbba0fdc66b06c1584ec22f6e4d720

  • SSDEEP

    384:v8Zirz04kYcm5oRVPUn30CNvkD28bhA1xZUtO4f54A:vJi+5uVPUn30ev+HbhO4f54A

Score
10/10
agenttesladiscoverykeyloggerpersistencespywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Agenttesla family
    agenttesla
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0bfe83ba7349d6823585dadc521fd9f.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0bfe83ba7349d6823585dadc521fd9f.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4088
    • C:\WINDOWS\system.exe
      "C:\WINDOWS\system.exe" 0
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2576
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\WINDOWS\system.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5872
    • C:\WINDOWS\system.exe
      C:\WINDOWS\system.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4980

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\system.exe
    Filesize

    39KB

    MD5

    5692a0e96567c5616698c2570811c160

    SHA1

    381a9c214c6658ab48500b6cb9fd6a3124db96b4

    SHA256

    4f20dc812e6264bd7c7a6eda20a291d103243f9225ba0b75d7fdf2f12641d0c1

    SHA512

    2da3949926a7d145ae52007120d7e996a4535c74839b5fa7b247cad58fe2ef20626eb882f72c91127a8631f33b2464b56a247f975390df287f4df7079475a9ad

    Download Submit