Analysis
- max time kernel: 149s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 27-06-2024 06:34
Static task: static1
Behavioral task behavioral1: Sample Jailkeeper.bat.exe, Resource win7-20240220-en
Behavioral task behavioral2: Sample Jailkeeper.bat.exe, Resource win10v2004-20240611-en
Behavioral task behavioral3: Sample $PLUGINSDIR/System.dll, Resource win7-20240508-en
Behavioral task behavioral4: Sample $PLUGINSDIR/System.dll, Resource win10v2004-20240508-en
Behavioral task behavioral5: Sample Jackhead/keelhauls.scr, Resource win7-20231129-en
Behavioral task behavioral6: Sample Jackhead/keelhauls.scr, Resource win10v2004-20240611-en
General
- Target: Jailkeeper.bat.exe
- Size: 858KB
- MD5: c7eefc30a9cdc5bab3269cefde2d221e
- SHA1: 27914bc81bdc74d9607784d9e239f5437b1e8cb1
- SHA256: 2a089fc9b24c5253a913526be0ac2ee62b911a96645cb70885d678c91dcb83c9
- SHA512: fce33213726f84946162e2c115f67dc4dbfe60af9ca6b6ceb75d576f9370abc98ed0309acf617a2c6f34ffc023632ce1b32391716190980aceb4af84dce3798c
- SSDEEP: 24576:XcIjUna3iVPF+zgyKKht6APjMtiVBsRXRU:kbF50httQbi
Malware Config
Extracted: agenttesla
- Protocol: ftp
- Host: ftp://mail.hearing-vision.com
- Port: 21
- Username: [email protected]
- Password: LILKOOLL14!
Signatures
- AgentTesla
  Agent Tesla is a .NET-based remote access tool (RAT) and information stealer; it harvests credentials from browsers, mail and FTP clients and exfiltrates them over channels such as SMTP or FTP. This sample is configured for FTP exfiltration (see Malware Config).
- Loads dropped DLL (1 IoC)
  Process: PID 2076 Jailkeeper.bat.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow: ioc 5, ip-api.com
- Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  Process: PID 2576 Jailkeeper.bat.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes: PID 2076 Jailkeeper.bat.exe; PID 2576 Jailkeeper.bat.exe
- Suspicious use of SetThreadContext (1 IoC)
  PID 2076 Jailkeeper.bat.exe set the thread context of PID 2576 Jailkeeper.bat.exe
- Drops file in Windows directory (1 IoC)
  File opened for modification: C:\Windows\reassigned\sandi.ini (by Jailkeeper.bat.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Process: PID 2576 Jailkeeper.bat.exe (2 occurrences)
- Suspicious behavior: MapViewOfSection (1 IoC)
  Process: PID 2076 Jailkeeper.bat.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 2576 Jailkeeper.bat.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2076 Jailkeeper.bat.exe wrote to the memory of PID 2576 Jailkeeper.bat.exe (6 occurrences)

Taken together, the cross-process signatures describe one chain: PID 2076 starts a second instance of its own image (PID 2576), maps a section and writes into it six times, then resets its thread context with SetThreadContext; the child afterwards hides its threads from debuggers, enables SeDebugPrivilege and enumerates processes. That sequence is consistent with the first instance hollowing a copy of itself and running the unpacked Agent Tesla payload in the child, which is also where the credential-stealing activity is attributed.
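The extracted FTP configuration and the ip-api.com lookup flagged above are the network indicators a defender would key on. The following is an added example, not code from the sandbox or from this report, that matches constructed flow records against those indicators. The flow-record schema (dicts with `dst_host`, `dst_port`, `proto` and optional `ftp_commands`) is an assumption of the example; because the username is redacted on this page, the credential match keys on the password only, which also catches the same hardcoded credentials being reused against a different host.

```python
"""Match network telemetry against the Agent Tesla FTP config extracted on this page.

Example code added to the report, not part of the original analysis. The flow-record
schema is an assumption; the records under SAMPLE_FLOWS are constructed, not captured.
"""
from urllib.parse import urlparse

# Indicators copied from the report (username redacted on the page, so omitted here)
AGENTTESLA_CONFIG = {
    "protocol": "ftp",
    "host": "ftp://mail.hearing-vision.com",
    "port": 21,
    "password": "LILKOOLL14!",
}
# The external-IP check flagged in the Signatures; weak on its own, supporting in context
IP_LOOKUP_SERVICES = {"ip-api.com"}


def c2_hostname(cfg):
    """Strip the scheme from the extracted host URL: 'ftp://x' -> 'x'."""
    parsed = urlparse(cfg["host"])
    return (parsed.hostname or cfg["host"]).lower()


def classify_flow(flow, cfg=AGENTTESLA_CONFIG):
    """Return indicator tags for one flow record (empty list means nothing matched)."""
    tags = []
    host = flow.get("dst_host", "").lower()
    if host == c2_hostname(cfg) and flow.get("dst_port") == cfg["port"]:
        tags.append("c2-host-port")
    for cmd in flow.get("ftp_commands", []):
        verb, _, arg = cmd.partition(" ")
        if verb.upper() == "PASS" and arg == cfg["password"]:
            # Same hardcoded credential, even if the operator moved the FTP host
            tags.append("c2-credential-reuse")
        elif verb.upper() == "STOR":
            tags.append("ftp-upload")
    if host in IP_LOOKUP_SERVICES:
        tags.append("external-ip-lookup")
    return tags


def triage(flows, cfg=AGENTTESLA_CONFIG):
    """Summarise one host's flows: hit counts per indicator plus a verdict.

    'infected' requires the C2 (by host:port or by credential) plus one supporting
    sign (an upload or the external-IP lookup); C2 alone or the lookup alone is
    'suspicious'; nothing matched is 'clean'.
    """
    hits = {}
    for flow in flows:
        for tag in classify_flow(flow, cfg):
            hits[tag] = hits.get(tag, 0) + 1
    c2 = "c2-host-port" in hits or "c2-credential-reuse" in hits
    supporting = "ftp-upload" in hits or "external-ip-lookup" in hits
    if c2 and supporting:
        verdict = "infected"
    elif c2 or "external-ip-lookup" in hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "hits": hits}


# Constructed flows modelled on this report: IP lookup, then FTP exfil to the C2
SAMPLE_FLOWS = [
    {"dst_host": "ip-api.com", "dst_port": 80, "proto": "tcp"},
    {"dst_host": "mail.hearing-vision.com", "dst_port": 21, "proto": "tcp",
     "ftp_commands": ["USER <redacted>", "PASS LILKOOLL14!", "STOR upload.bin"]},
    {"dst_host": "www.example.com", "dst_port": 443, "proto": "tcp"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_FLOWS))
```

Feed real FTP control-channel commands into `ftp_commands` from a proxy or IDS that reconstructs the session; the STOR check is there because the report's signatures show the stealer reading browser, mail and FTP-client stores, so an upload to the configured host is the exfiltration event worth alerting on.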
Processes
1. C:\Users\Admin\AppData\Local\Temp\Jailkeeper.bat.exe (PID 2076)
   Command line: "C:\Users\Admin\AppData\Local\Temp\Jailkeeper.bat.exe"
   - Loads dropped DLL
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of SetThreadContext
   - Drops file in Windows directory
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\AppData\Local\Temp\Jailkeeper.bat.exe (PID 2576, child of PID 2076)
   Command line: "C:\Users\Admin\AppData\Local\Temp\Jailkeeper.bat.exe"
   - Suspicious use of NtCreateThreadExHideFromDebugger
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
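The process tree and the cross-process signatures above (CreateProcess of the same image, six WriteProcessMemory calls, MapViewOfSection, SetThreadContext, ThreadHideFromDebugger in both PIDs, SeDebugPrivilege in the child) are exactly what a host-based detection should correlate. The following is an added example, not part of this report or of any sandbox product, that scores an API-event stream for that chain. The event schema (dicts with `api`, `pid`, `image`, `target_pid`, and per-API fields) is an assumption of the example; the events are constructed to mirror the PIDs and counts on this page, alongside a contrasting benign cross-process write that must not fire.

```python
"""Score an API/ETW-style event stream for the same-image hollowing chain in this report.

Example code added to the report, not the sandbox's own detection logic. The event
schema is an assumption; SAMPLE_EVENTS and BENIGN_EVENTS are constructed.
"""
from collections import defaultdict

# Constructed to mirror the report: 2076 spawns a second copy of itself (2576),
# maps a section, writes six times, sets the thread context; the child then
# hides a new thread from debuggers and enables SeDebugPrivilege.
SAMPLE_EVENTS = [
    {"api": "CreateProcess", "pid": 2076, "image": "Jailkeeper.bat.exe",
     "target_pid": 2576, "target_image": "Jailkeeper.bat.exe"},
    {"api": "NtSetInformationThread", "pid": 2076, "image": "Jailkeeper.bat.exe",
     "info_class": "ThreadHideFromDebugger"},
    {"api": "NtMapViewOfSection", "pid": 2076, "image": "Jailkeeper.bat.exe", "target_pid": 2576},
    *[{"api": "WriteProcessMemory", "pid": 2076, "image": "Jailkeeper.bat.exe", "target_pid": 2576}
      for _ in range(6)],
    {"api": "SetThreadContext", "pid": 2076, "image": "Jailkeeper.bat.exe", "target_pid": 2576},
    {"api": "NtCreateThreadEx", "pid": 2576, "image": "Jailkeeper.bat.exe",
     "flags": "THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER"},
    {"api": "AdjustTokenPrivileges", "pid": 2576, "image": "Jailkeeper.bat.exe",
     "privilege": "SeDebugPrivilege"},
]

# Constructed contrast: a debugger writing once into a program it launched.
# No SetThreadContext, different image: must not be reported.
BENIGN_EVENTS = [
    {"api": "CreateProcess", "pid": 100, "image": "devenv.exe",
     "target_pid": 200, "target_image": "app.exe"},
    {"api": "WriteProcessMemory", "pid": 100, "image": "devenv.exe", "target_pid": 200},
]

CROSS_PROCESS = {"CreateProcess", "WriteProcessMemory", "SetThreadContext", "NtMapViewOfSection"}


def detect_hollowing(events, min_writes=1):
    """Return one finding per (source, target) pair matching the hollowing chain.

    Required: source spawned the target, wrote into it, and set its thread context.
    Each extra marker adds to the score: same image as the source, a mapped
    section, hide-from-debugger in either process, SeDebugPrivilege in the target.
    """
    pairs = defaultdict(lambda: {"writes": 0, "ctx": False, "map": False,
                                 "spawned": False, "image": None, "target_image": None})
    antidebug, sedebug = set(), set()
    for ev in events:
        api = ev["api"]
        if api in CROSS_PROCESS and "target_pid" in ev:
            pair = pairs[(ev["pid"], ev["target_pid"])]
            pair["image"] = ev["image"]
            if api == "WriteProcessMemory":
                pair["writes"] += 1
            elif api == "SetThreadContext":
                pair["ctx"] = True
            elif api == "NtMapViewOfSection":
                pair["map"] = True
            else:  # CreateProcess
                pair["spawned"] = True
                pair["target_image"] = ev.get("target_image")
        hidden_thread = api == "NtSetInformationThread" and ev.get("info_class") == "ThreadHideFromDebugger"
        hidden_create = api == "NtCreateThreadEx" and "HIDE_FROM_DEBUGGER" in ev.get("flags", "")
        if hidden_thread or hidden_create:
            antidebug.add(ev["pid"])
        if api == "AdjustTokenPrivileges" and ev.get("privilege") == "SeDebugPrivilege":
            sedebug.add(ev["pid"])

    findings = []
    for (src, dst), pair in pairs.items():
        if not (pair["spawned"] and pair["writes"] >= min_writes and pair["ctx"]):
            continue
        score, tags = 3, ["spawned-target", f"writes={pair['writes']}", "set-thread-context"]
        if pair["target_image"] and pair["target_image"].lower() == (pair["image"] or "").lower():
            score += 2
            tags.append("same-image-child")
        if pair["map"]:
            score += 1
            tags.append("map-view-of-section")
        if src in antidebug or dst in antidebug:
            score += 1
            tags.append("hide-from-debugger")
        if dst in sedebug:
            score += 1
            tags.append("sedebug-in-child")
        findings.append({"source_pid": src, "target_pid": dst, "image": pair["image"],
                         "score": score, "tags": tags})
    return findings


if __name__ == "__main__":
    for finding in detect_hollowing(SAMPLE_EVENTS):
        print(finding)
```

The same-image check carries the most weight because a legitimate process rarely has a reason to write into and redirect execution of a freshly spawned copy of itself, whereas a single WriteProcessMemory into an unrelated child is ordinary debugger or installer behaviour; in production the event source would be an EDR API-monitor or Sysmon events for process creation and process access rather than the constructed list here.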
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- \Users\Admin\AppData\Local\Temp\nso2B28.tmp\System.dll (the NSIS System plugin unpacked to the installer's temporary plugin directory; this is the $PLUGINSDIR/System.dll analysed in behavioral3 and behavioral4)
  Filesize: 11KB
  MD5: 55a26d7800446f1373056064c64c3ce8
  SHA1: 80256857e9a0a9c8897923b717f3435295a76002
  SHA256: 904fd5481d72f4e03b01a455f848dedd095d0fb17e33608e0d849f5196fb6ff8
  SHA512: 04b8ab7a85c26f188c0a06f524488d6f2ac2884bf107c860c82e94ae12c3859f825133d78338fd2b594dfc48f7dc9888ae76fee786c6252a5c77c88755128a5b
- memory/2076-25-0x0000000000400000-0x000000000049C000-memory.dmp, Filesize: 624KB
- memory/2576-26-0x0000000000400000-0x000000000049C000-memory.dmp, Filesize: 624KB
- memory/2576-27-0x00000000004A0000-0x0000000001502000-memory.dmp, Filesize: 16.4MB
- memory/2576-28-0x00000000004A0000-0x00000000004E2000-memory.dmp, Filesize: 264KB

The 0x400000-0x49C000 image range is identical in PID 2076 and PID 2576, as expected for a second instance of the same executable; the 16.4MB region at 0x4A0000 exists only in the child (PID 2576), the process that the WriteProcessMemory and SetThreadContext signatures identify as the injection target, and is the dump to start from when looking for the unpacked payload.