Analysis
-
max time kernel
90s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
20-04-2024 13:48
General
-
Target
fce6714ae7c53eee2354c0b477d26d62_JaffaCakes118.exe
-
Size
496KB
-
MD5
fce6714ae7c53eee2354c0b477d26d62
-
SHA1
0a2ea1fed8387ec2bb074e0ebb88052a8396ad56
-
SHA256
199b81b4be4313d12a38102b5572728eb63c4a13fec35e1192bd7f92ec5828bc
-
SHA512
00c68e8a84bac416fca7aebaa49e4458a30dc409dc19e48c4e32cf69b63adb1332b08bad4a00b85dd7e1edbbaab52b75feb545f11439109558e4e9ca74a6d896
-
SSDEEP
12288:zDCPENnBV5jaHBoFvZstQW012B04Ngjw5qu8jxTQlDrLOM:zEEZBV5jCoFvZsSWG2BdN+w2+O
Malware Config
Signatures
-
Modifies security service 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Disables taskbar notifications via registry modification
-
Modifies Installed Components in the registry 2 TTPs 3 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 12 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 23 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 45 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 6 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 5 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Modifies registry class 33 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 53 IoCs
-
Suspicious use of SendNotifyMessage 33 IoCs
-
Suspicious use of SetWindowsHookEx 9 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\fce6714ae7c53eee2354c0b477d26d62_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\fce6714ae7c53eee2354c0b477d26d62_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\j29oAE.exeC:\Users\Admin\j29oAE.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\wauavu.exe"C:\Users\Admin\wauavu.exe"3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del j29oAE.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\2men.exeC:\Users\Admin\2men.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\2men.exe"C:\Users\Admin\2men.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\2men.exe"C:\Users\Admin\2men.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\2men.exe"C:\Users\Admin\2men.exe"3⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\2men.exe"C:\Users\Admin\2men.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\2men.exe"C:\Users\Admin\2men.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 804⤵
- Program crash
-
-
-
-
C:\Users\Admin\3men.exeC:\Users\Admin\3men.exe2⤵
- Modifies security service
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- System policy modification
-
C:\Users\Admin\3men.exeC:\Users\Admin\3men.exe startC:\Users\Admin\AppData\Roaming\64329\38648.exe%C:\Users\Admin\AppData\Roaming\643293⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\LP\4836\FA49.tmp"C:\Program Files (x86)\LP\4836\FA49.tmp"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\3men.exeC:\Users\Admin\3men.exe startC:\Program Files (x86)\2929F\lvvm.exe%C:\Program Files (x86)\2929F3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del fce6714ae7c53eee2354c0b477d26d62_JaffaCakes118.exe2⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2040 -ip 20401⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3932 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:81⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
96KB
MD56b9ed8570a1857126c8bf99e0663926c
SHA194e08d8a0be09be35f37a9b17ec2130febfa2074
SHA256888e4e571a6f78ee81d94ab56bd033d413f9160f1089073176b03c91878aae2d
SHA51223211a1b71f1d05ad7f003231da826220ac4940e48071135cc3fba14708123fa0292e2e71c294a8086d8dc5f90dd32c4da3b41e6857c56f38cb325d78cb14880
-
Filesize
132KB
MD5945a713b037b50442ec5d18d3dc0d55e
SHA12c8881b327a79fafcce27479b78f05487d93c802
SHA2562da470571a64bcdeb56f62c916ee2bffa87ccc6c028b7c8cb0132d09bceedd2f
SHA5120eab4bb5d04725cc20e463ae6959f71064674602f8ee7b3c9b2db75e928b9a0b1bdc94233dc261f6277d02e54a443b42a59b12aaebb8bbf243f0940344fbf385
-
Filesize
271KB
MD50d668203e24463de2bf228f00443b7bc
SHA1eacff981d71f6648f6315e508bfd75e11683dba8
SHA256509d530e99839d7dbc8fccac163420d9dc455fb478fa57fdec1b7a2ef629d7bc
SHA5123251bb1341bd466e71468d72723bd5cf545dbd232327f343b44c51daae8755ed3caa02f74adbb0304912769346fa90dfa4c7036c211836e5650bdb06993ba803
-
Filesize
471B
MD5f3945b57f0f3c105bd40af2901e4822a
SHA193dabbe9a560f3d59ad8ce8d5dc941909fe21ec1
SHA25660ede5fc5d4e90f27afe2e8c8a14ebb0cf75df70ad29f8524f4b748a04203d39
SHA512212a88efd8a79e9b20aa86c83cb3f05e093a9233e4eb7e2d1064c599c8bbb5085b8ef45433d4d6266f80604af3d1e0a29dbbfbe124c5e18710ddb76b1ad2de0f
-
Filesize
412B
MD55ab2d8bd8460ccf6e0de17d31b5822c6
SHA177586c084f96435f630a3b0bb142eeadb2986920
SHA25637cb519a1891e7eded77ea2ada0158043389ac2a9bb042f4f331d47873d7e53f
SHA512f6ca8b11314cd30fa3579a56cc2f1cd7c7268cbe7b1beaf94babed0629b84176ab2b944536c89957b742e964b9064d55eca7fca223867933746c10a3dc11f129
-
Filesize
2KB
MD558e51525c8fb5997f07c58cf062c2e09
SHA1c30ba7e3e24aadee5b24bb85ddfdbcdb4d411ca0
SHA2563124909f18c9af5e802a6da11b71a67aaac1df292529c952dd02b89df9fd92d4
SHA512a0e93c6c7dd862adafd6538ef38550b5e9012e415c6750ef90ac6a8d5901ca0cc01e04bbf1572605cb9c7310214f19df01c5967d62707a674a819ebe0900ebf9
-
Filesize
96B
MD584209e171da10686915fe7efcd51552d
SHA16bf96e86a533a68eba4d703833de374e18ce6113
SHA25604d6050009ea3c99cc718ad1c07c5d15268b459fcfb63fcb990bc9761738907b
SHA51248d2524000911cfb68ef866dedac78ee430d79aa3f4b68399f645dc2066841e6962e11a3362cbcec46680357dcd3e58cfef9994450fed1d8af04df44f76b0dfd
-
Filesize
600B
MD5c6893113ea26c917461e80d17d7804ec
SHA1b7aef5690d8bc45af212e70bddfd604160cf486c
SHA2561d9ed71befd416a827d144f899f846af7c51c4b17cde92c0e98b6095fbde5439
SHA512a208cb3de2186e99dd954b5d6415b6bc7eb3dffed4ff3688312d785fd3a61753243d9c54537a9c48853087f494aeb7d984fe855097e598960de18e6bcd0489ae
-
Filesize
1KB
MD551c1655c4996ebad4d170f1c00a7339e
SHA17aa3dc8fff9b41ead6398979191eb608bdd637cf
SHA2560aaa670a5ed1f7cee3237472af43e3d30a49bd663f1df09b29a9acb62f89b7b6
SHA512a938cbe069855d778cfbe316b18336da70a3f474d953a56caad31c585f279f05d1e02c47afc20b9ea1689ee8dfefe9afc58d4c57619099dddefe48725a37f6d3
-
Filesize
1KB
MD5e4965163de90b0f912eb41497430cf0b
SHA11232bba8312c698b9e77585213d58064567451da
SHA256927f91ee5f9c200da964b686b5c020caf4c7ec380342ae4728fe6efa09032e6b
SHA512f00851549e23364420a215df9b340f0893a9856cd1ac8712c5bd52477b7e1e0e19f5cdb00a38e77f98acbfe1a87526375d355189bfccde7b3fad4a9ea10c1cb1
-
Filesize
176KB
MD5c4a634088e095eab98183984bb7252d8
SHA1c205f2c1f8040c9205c6c06accd75c0396c59781
SHA256db345985313397a39cc2817134315c8db71ab4c48680e62c0358db406b0eff6a
SHA512b6a30f6d5cc30bee9b9d483629f16c80c5338360cec629f9ee2a3307b73b9743fd71396e408ac72008b84f4b8fded26002c910421853253b52b8b4d530df7a8e
-
Filesize
176KB
MD5ea16870bdf94f89cfddd2ec17ffcd338
SHA1577142c9f0012f0ea2a9e2b93d7ebea4d3a60f20
SHA2568bfcf0164375ab80e6689297ad42ec591b6b1557a89a512d7399520d0239ca8f
SHA51269f7ebf81136985573a0338ae1de309995d0eb9dd3637176038c2e16c25e5e8fbed42ca35bd813b54157f54bc12db7ea92db7575ad1220aeb14147c86f01a2da
-
Filesize
424KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
424KB
-
Filesize
424KB
-
Filesize
424KB
-
Filesize
424KB
-
Filesize
112KB
-
Filesize
1024KB
-
Filesize
112KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
1024KB
-
Filesize
424KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
1024KB
-
Filesize
424KB
-
Filesize
1024KB
-
Filesize
424KB
-
Filesize
4KB