Analysis
-
max time kernel
149s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
20-04-2024 13:48
General
-
Target
fce6714ae7c53eee2354c0b477d26d62_JaffaCakes118.exe
-
Size
496KB
-
MD5
fce6714ae7c53eee2354c0b477d26d62
-
SHA1
0a2ea1fed8387ec2bb074e0ebb88052a8396ad56
-
SHA256
199b81b4be4313d12a38102b5572728eb63c4a13fec35e1192bd7f92ec5828bc
-
SHA512
00c68e8a84bac416fca7aebaa49e4458a30dc409dc19e48c4e32cf69b63adb1332b08bad4a00b85dd7e1edbbaab52b75feb545f11439109558e4e9ca74a6d896
-
SSDEEP
12288:zDCPENnBV5jaHBoFvZstQW012B04Ngjw5qu8jxTQlDrLOM:zEEZBV5jCoFvZsSWG2BdN+w2+O
Malware Config
Signatures
-
Modifies security service 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Disables taskbar notifications via registry modification
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 12 IoCs
-
Loads dropped DLL 17 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 34 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 53 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 5 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 17 IoCs
-
Suspicious use of FindShellTrayWindow 28 IoCs
-
Suspicious use of SendNotifyMessage 18 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\fce6714ae7c53eee2354c0b477d26d62_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\fce6714ae7c53eee2354c0b477d26d62_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\j29oAE.exeC:\Users\Admin\j29oAE.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\duiepuz.exe"C:\Users\Admin\duiepuz.exe"3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del j29oAE.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\2men.exeC:\Users\Admin\2men.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\2men.exe"C:\Users\Admin\2men.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\2men.exe"C:\Users\Admin\2men.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 884⤵
- Loads dropped DLL
- Program crash
-
C:\Users\Admin\2men.exe"C:\Users\Admin\2men.exe"3⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\2men.exe"C:\Users\Admin\2men.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\2men.exe"C:\Users\Admin\2men.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\3men.exeC:\Users\Admin\3men.exe2⤵
- Modifies security service
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- System policy modification
-
C:\Users\Admin\3men.exeC:\Users\Admin\3men.exe startC:\Users\Admin\AppData\Roaming\22D29\993A6.exe%C:\Users\Admin\AppData\Roaming\22D293⤵
- Executes dropped EXE
-
C:\Users\Admin\3men.exeC:\Users\Admin\3men.exe startC:\Program Files (x86)\29EE3\lvvm.exe%C:\Program Files (x86)\29EE33⤵
- Executes dropped EXE
-
C:\Program Files (x86)\LP\A672\B2DB.tmp"C:\Program Files (x86)\LP\A672\B2DB.tmp"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del fce6714ae7c53eee2354c0b477d26d62_JaffaCakes118.exe2⤵
- Deletes itself
-
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Defense Evasion
Modify Registry
5Hide Artifacts
1Hidden Files and Directories
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\22D29\9EE3.2D2Filesize
600B
MD5bb789f30fbd9b6e7d095fd3906885f3d
SHA14825f71f89df8f38ac63dce46c9143c7cbc3530a
SHA2563e9933b2343cd16cd1005529655ce0f9aae9bcb2a3c5216e9a4377d9f70e9002
SHA512f88020186662f0b781fcbb9102edb87ec22f85045eb285af2b24aca5cc53c0e1e690e6a00475c92aa13389431d16965d65f46b1e63b76181c25bfb44f655c301
-
C:\Users\Admin\AppData\Roaming\22D29\9EE3.2D2Filesize
996B
MD59a62eaff507b873fd36324bcaf79df75
SHA1d266645a05e0590b86bd3e008dc9c632d69a69a0
SHA256d20f8ec3827dd121ab3634ad58873157c569efcf0f8fca653026d9fc0a7fba76
SHA512a1ae9aa1f28021a6ab6ef57c9bfeb67761848da2f6a3f0c8cd975253026a048e72ee7d52049cb207358c651d3d344b5955f4708c799ff49dd7cc785874440573
-
C:\Users\Admin\AppData\Roaming\22D29\9EE3.2D2Filesize
1KB
MD554aae721054d705871b106688a6c2f17
SHA1dfce1c43c1d3a6e28f23d59f5800fc744b854bdd
SHA256a4e117b2d912c1600c02452509bbda8fe8a233dfbad085bd9abf4f643a34b2e2
SHA512d0e5f3fd501681732c6ad26cad7d631a195bcd24345cf9dd3ead2e8756ff29b615d0dca0de30d2cdd0df8d3fbe5252639754381f437c6aa1286ba3d096c4f47c
-
\Program Files (x86)\LP\A672\B2DB.tmpFilesize
96KB
MD56b9ed8570a1857126c8bf99e0663926c
SHA194e08d8a0be09be35f37a9b17ec2130febfa2074
SHA256888e4e571a6f78ee81d94ab56bd033d413f9160f1089073176b03c91878aae2d
SHA51223211a1b71f1d05ad7f003231da826220ac4940e48071135cc3fba14708123fa0292e2e71c294a8086d8dc5f90dd32c4da3b41e6857c56f38cb325d78cb14880
-
\Users\Admin\2men.exeFilesize
132KB
MD5945a713b037b50442ec5d18d3dc0d55e
SHA12c8881b327a79fafcce27479b78f05487d93c802
SHA2562da470571a64bcdeb56f62c916ee2bffa87ccc6c028b7c8cb0132d09bceedd2f
SHA5120eab4bb5d04725cc20e463ae6959f71064674602f8ee7b3c9b2db75e928b9a0b1bdc94233dc261f6277d02e54a443b42a59b12aaebb8bbf243f0940344fbf385
-
\Users\Admin\3men.exeFilesize
271KB
MD50d668203e24463de2bf228f00443b7bc
SHA1eacff981d71f6648f6315e508bfd75e11683dba8
SHA256509d530e99839d7dbc8fccac163420d9dc455fb478fa57fdec1b7a2ef629d7bc
SHA5123251bb1341bd466e71468d72723bd5cf545dbd232327f343b44c51daae8755ed3caa02f74adbb0304912769346fa90dfa4c7036c211836e5650bdb06993ba803
-
\Users\Admin\duiepuz.exeFilesize
176KB
MD500be1d6fcd0a1f6f906378856ec3c405
SHA1d414fd68e0abde8ee9e44bccb25301ed614dab1a
SHA256593e6e2ff77e68bf785ef470dd0bdddf153290c5b5cdbe5e36933d824be3e413
SHA5121fc6d3d70b661b7d6cdd6852873f9f37a667b10a96a9c142ca8210dcb3b24bc5e80e9d58e27bccc6d922304319ba448649cb6e3608ad59d518ce020e83b57c0e
-
\Users\Admin\j29oAE.exeFilesize
176KB
MD5c4a634088e095eab98183984bb7252d8
SHA1c205f2c1f8040c9205c6c06accd75c0396c59781
SHA256db345985313397a39cc2817134315c8db71ab4c48680e62c0358db406b0eff6a
SHA512b6a30f6d5cc30bee9b9d483629f16c80c5338360cec629f9ee2a3307b73b9743fd71396e408ac72008b84f4b8fded26002c910421853253b52b8b4d530df7a8e
-
memory/1220-248-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/1220-250-0x00000000005A6000-0x00000000005C6000-memory.dmpFilesize
128KB
-
memory/1264-140-0x0000000000590000-0x0000000000690000-memory.dmpFilesize
1024KB
-
memory/1264-138-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/1264-139-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/1264-419-0x0000000000590000-0x0000000000690000-memory.dmpFilesize
1024KB
-
memory/1768-434-0x0000000004500000-0x0000000004501000-memory.dmpFilesize
4KB
-
memory/1768-292-0x0000000004500000-0x0000000004501000-memory.dmpFilesize
4KB
-
memory/2192-42-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/2192-53-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/2192-117-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/2192-38-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/2192-46-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/2192-40-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/2192-51-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/2192-44-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2192-55-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/2208-246-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/2208-120-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/2208-136-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/2208-121-0x00000000002D0000-0x00000000003D0000-memory.dmpFilesize
1024KB
-
memory/2208-249-0x00000000002D0000-0x00000000003D0000-memory.dmpFilesize
1024KB
-
memory/2344-425-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/2344-429-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/2344-426-0x00000000004B0000-0x00000000005B0000-memory.dmpFilesize
1024KB
-
memory/2372-62-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
-
memory/2372-68-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
-
memory/2372-65-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
-
memory/2372-66-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
-
memory/2372-49-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
-
memory/2372-56-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
-
memory/2372-52-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
-
memory/2384-122-0x00000000029E0000-0x000000000349A000-memory.dmpFilesize
10.7MB
-
memory/2760-67-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2760-85-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2760-124-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2760-70-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2760-83-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2760-81-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2760-72-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2760-75-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2820-90-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/2820-80-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/2820-86-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/2820-93-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/2820-97-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/2820-95-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/2820-125-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB