Analysis
max time kernel: 126s
max time network: 136s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 20-04-2024 12:42
Static task: static1
Behavioral task: behavioral1
Sample: fccacf30e6cbe24c44f9174fef8768db_JaffaCakes118.exe
Resource: win7-20231129-en
Behavioral task: behavioral2
Sample: fccacf30e6cbe24c44f9174fef8768db_JaffaCakes118.exe
Resource: win10v2004-20240412-en
General
Target: fccacf30e6cbe24c44f9174fef8768db_JaffaCakes118.exe
Size: 119KB
MD5: fccacf30e6cbe24c44f9174fef8768db
SHA1: 5a263dc59b4d5457897e93253c35fb265a16b818
SHA256: c11371d469895fc561de8e5807557bc8ddfb932372e5af273b416b13ce574f85
SHA512: b3bfe18328667da4724c0bd6632ab3f316bb21176745ad81e994436b9c0ed19fde71024b0c51d5d0777697dffa295857ef696e115a992e7e62fda9e331bd0a72
SSDEEP: 1536:qu3dV+R8oNhPURWbTd1gW1gSxDlNM1FDY5eCKacPm5qitGt43qL5I2yNaLGBGXem:jPfgbh1gW1rxBIxJZPmJGt43qLgSem
Malware Config
Extracted family: pony
C2 gate URLs:
http://nazarian.pl:8080/pony/gate.php
http://pbx.pc0.ru:8080/pony/gate.php
payload_url: http://66.216.91.242/2YtKjEo.exe
Signatures
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of AdjustPrivilegeToken (8 IoCs)
Processes:
fccacf30e6cbe24c44f9174fef8768db_JaffaCakes118.exe (pid 2136) adjusted the following token privileges:
Token: SeImpersonatePrivilege
Token: SeTcbPrivilege
Token: SeChangeNotifyPrivilege
Token: SeCreateTokenPrivilege
Token: SeBackupPrivilege
Token: SeRestorePrivilege
Token: SeIncreaseQuotaPrivilege
Token: SeAssignPrimaryTokenPrivilege
Suspicious use of UnmapMainImage (1 IoC)
Processes:
fccacf30e6cbe24c44f9174fef8768db_JaffaCakes118.exe (pid 2136)
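The four behavioural signatures above (FTP client config access, browser credential-store access, Uninstall key enumeration, and the AdjustPrivilegeToken privilege set) can be re-implemented as triage rules and run over a process event log. The following is an added example, not code from the sandbox or from the sample: the event schema (pid / type / target), the benign control process 4012, and the concrete file paths in SAMPLE_EVENTS are assumptions constructed for the example; the privilege list is the one the report shows for pid 2136.

```python
"""Behavioural triage of sandbox events for the signature cluster in this report.

Added example, not code from the sandbox or the sample. The rules re-implement
the four behavioural signatures the report lists and run them over a constructed
event log. The event schema (pid / type / target) and the paths in SAMPLE_EVENTS
are assumptions made for the example.
"""
import re
from collections import defaultdict

# The eight privileges the report shows pid 2136 adjusting via AdjustPrivilegeToken.
PONY_PRIVILEGES = {
    "SeImpersonatePrivilege", "SeTcbPrivilege", "SeChangeNotifyPrivilege",
    "SeCreateTokenPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
    "SeIncreaseQuotaPrivilege", "SeAssignPrimaryTokenPrivilege",
}

# FileZilla keeps saved sites (with credentials) and recent servers in these XML files.
FTP_CLIENT_FILES = re.compile(
    r"\\FileZilla\\(sitemanager|recentservers|filezilla)\.xml$", re.IGNORECASE)

# Browser credential stores: Chromium "Login Data", Firefox logins.json /
# signons.sqlite and the key3/key4 database that protects them.
BROWSER_CRED_FILES = re.compile(
    r"\\(Login Data|logins\.json|signons\.sqlite|key[34]\.db)$", re.IGNORECASE)

# Per-machine Uninstall key (and its 32-bit view on x64) used to enumerate software.
UNINSTALL_KEY = re.compile(
    r"^HK(LM|EY_LOCAL_MACHINE)\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows"
    r"\\CurrentVersion\\Uninstall(\\|$)", re.IGNORECASE)

SIG_FTP = "Reads data files stored by FTP clients"
SIG_BROWSER = "Reads user/profile data of web browsers"
SIG_UNINSTALL = "Checks installed software on the system"
SIG_PRIVS = "Suspicious use of AdjustPrivilegeToken"


def triage(events):
    """Return {pid: {signature: [matching targets]}} for every pid that hit a rule."""
    hits = defaultdict(lambda: defaultdict(list))
    for ev in events:
        pid, kind, target = ev["pid"], ev["type"], ev["target"]
        if kind == "file_read" and FTP_CLIENT_FILES.search(target):
            hits[pid][SIG_FTP].append(target)
        elif kind == "file_read" and BROWSER_CRED_FILES.search(target):
            hits[pid][SIG_BROWSER].append(target)
        elif kind == "reg_query" and UNINSTALL_KEY.match(target):
            hits[pid][SIG_UNINSTALL].append(target)
        elif kind == "privilege_adjust" and target in PONY_PRIVILEGES:
            hits[pid][SIG_PRIVS].append(target)
    return {pid: dict(sigs) for pid, sigs in hits.items()}


def verdict(sigs):
    """Credential-store access plus software enumeration or the privilege cluster
    is the combination this report shows; anything less is left inconclusive."""
    credential_access = SIG_FTP in sigs or SIG_BROWSER in sigs
    supporting = SIG_UNINSTALL in sigs or len(set(sigs.get(SIG_PRIVS, ()))) >= 4
    return "infostealer-like" if credential_access and supporting else "inconclusive"


# Constructed events: pid 2136 mirrors the report; pid 4012 is a benign control.
_appdata = r"C:\Users\Admin\AppData"
SAMPLE_EVENTS = (
    [{"pid": 2136, "type": "privilege_adjust", "target": p} for p in sorted(PONY_PRIVILEGES)]
    + [
        {"pid": 2136, "type": "file_read", "target": _appdata + r"\Roaming\FileZilla\sitemanager.xml"},
        {"pid": 2136, "type": "file_read", "target": _appdata + r"\Roaming\FileZilla\recentservers.xml"},
        {"pid": 2136, "type": "file_read",
         "target": _appdata + r"\Local\Google\Chrome\User Data\Default\Login Data"},
        {"pid": 2136, "type": "file_read",
         "target": _appdata + r"\Roaming\Mozilla\Firefox\Profiles\abc123.default\logins.json"},
        {"pid": 2136, "type": "reg_query",
         "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"},
        {"pid": 4012, "type": "file_read", "target": r"C:\Users\Admin\Documents\notes.txt"},
        {"pid": 4012, "type": "reg_query",
         "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
        {"pid": 4012, "type": "privilege_adjust", "target": "SeShutdownPrivilege"},
    ]
)

if __name__ == "__main__":
    for pid, sigs in triage(SAMPLE_EVENTS).items():
        print(pid, verdict(sigs))
        for name, targets in sigs.items():
            print(f"  {name}: {len(targets)} IoC(s)")
```

Run stand-alone it reports pid 2136 as infostealer-like with the same four signatures and counts the report lists (2, 2, 1 and 8), and says nothing about pid 4012, whose reads, registry queries and privilege request fall outside every rule. The privilege rule deliberately requires several privileges from the set rather than any one of them, since SeChangeNotifyPrivilege alone is held by nearly every process.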
Processes
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
memory/2136-0-0x0000000000230000-0x0000000000247000-memory.dmp (Filesize: 92KB)
memory/2136-1-0x0000000000250000-0x0000000000273000-memory.dmp (Filesize: 140KB)
memory/2136-2-0x0000000000400000-0x0000000000417000-memory.dmp (Filesize: 92KB)
memory/2136-3-0x0000000000400000-0x0000000000417000-memory.dmp (Filesize: 92KB)
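The dump names above follow the layout memory/<pid>-<index>-<start>-<end>-memory.dmp, so they can be parsed and cross-checked against the listed sizes, and the same address range being dumped twice can be picked out automatically. The following is an added example, not code from the sandbox: the four entries are copied from the Downloads list; treating 0x400000 as the default image base of a 32-bit PE is general PE knowledge rather than something the report states, and the "image base re-dumped" flag is an inference from it that lines up with the UnmapMainImage signature, not a fact the report asserts.

```python
"""Parse the report's memory-dump names and cross-check them against the listed sizes.

Added example, not code from the sandbox. The name layout
memory/<pid>-<index>-<start>-<end>-memory.dmp and the entries in REPORT_DUMPS
come from the report's Downloads list. DEFAULT_IMAGE_BASE_X86 = 0x400000 is the
linker default for non-relocated 32-bit images, an assumption this example adds.
"""
import re

DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<index>\d+)-0x(?P<start>[0-9a-f]+)-0x(?P<end>[0-9a-f]+)-memory\.dmp$",
    re.IGNORECASE)

DEFAULT_IMAGE_BASE_X86 = 0x400000  # assumption: default 32-bit PE image base

# (dump name, Filesize) exactly as the report lists them.
REPORT_DUMPS = [
    ("memory/2136-0-0x0000000000230000-0x0000000000247000-memory.dmp", "92KB"),
    ("memory/2136-1-0x0000000000250000-0x0000000000273000-memory.dmp", "140KB"),
    ("memory/2136-2-0x0000000000400000-0x0000000000417000-memory.dmp", "92KB"),
    ("memory/2136-3-0x0000000000400000-0x0000000000417000-memory.dmp", "92KB"),
]


def parse_dump_name(name):
    """Split a dump name into pid, dump index and the [start, end) address range."""
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"pid": int(m["pid"]), "index": int(m["index"]),
            "start": start, "end": end, "size": end - start}


def parse_size(text):
    """Convert the report's rounded 'NNKB' figure to bytes."""
    m = re.fullmatch(r"(\d+)\s*KB", text.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised size: {text}")
    return int(m[1]) * 1024


def size_matches(region, listed):
    """The report rounds to whole KB, so allow up to 1KB of slack."""
    return abs(region["size"] - parse_size(listed)) < 1024


def repeated_regions(regions):
    """Return {(start, end): [indices]} for ranges dumped more than once."""
    seen = {}
    for r in regions:
        seen.setdefault((r["start"], r["end"]), []).append(r["index"])
    return {rng: idx for rng, idx in seen.items() if len(idx) > 1}


def analyse(dumps):
    regions = [parse_dump_name(name) for name, _ in dumps]
    repeated = repeated_regions(regions)
    return {
        "pids": sorted({r["pid"] for r in regions}),
        "size_mismatches": [name for (name, listed), r in zip(dumps, regions)
                            if not size_matches(r, listed)],
        "repeated": repeated,
        # A second dump of the default image-base range after the first is what
        # you would expect if the main image was unmapped and rewritten in place.
        "image_base_redumped": any(start == DEFAULT_IMAGE_BASE_X86 for start, _ in repeated),
    }


if __name__ == "__main__":
    result = analyse(REPORT_DUMPS)
    for (start, end), indices in result["repeated"].items():
        print(f"range 0x{start:x}-0x{end:x} dumped at indices {indices}")
    print("sizes consistent:", not result["size_mismatches"])
    print("image base re-dumped:", result["image_base_redumped"])
```

For the four entries listed, every range length agrees with the stated Filesize to the byte (0x17000 = 94208 = 92KB, 0x23000 = 143360 = 140KB), and the only range dumped twice is 0x400000-0x417000 at indices 2 and 3.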