Malware Analysis Report

2025-06-16 05:03

Sample ID 240426-t6vqmsge81
Target 01340048af59a7ac31b10934920698b2_JaffaCakes118
SHA256 5890aec86a1f5e8ebd5e54fb2d1137c9a42f49eaa2893fc8f3ac45030e2366f0
Tags
pony
score
10/10

Analysis Overview

score
10/10

SHA256

5890aec86a1f5e8ebd5e54fb2d1137c9a42f49eaa2893fc8f3ac45030e2366f0

Threat Level: Known bad

The file 01340048af59a7ac31b10934920698b2_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

pony

Pony family

Drops startup file

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-04-26 16:40

Signatures

Pony family

pony

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-26 16:40

Reported

2024-04-26 16:43

Platform

win10v2004-20240419-en

Max time kernel

67s

Max time network

54s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01340048af59a7ac31b10934920698b2_JaffaCakes118.exe"

Signatures

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\01340048af59a7ac31b10934920698b2_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\01340048af59a7ac31b10934920698b2_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\01340048af59a7ac31b10934920698b2_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\01340048af59a7ac31b10934920698b2_JaffaCakes118.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Parameters.ini | C:\Users\Admin\AppData\Local\Temp\01340048af59a7ac31b10934920698b2_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\01340048af59a7ac31b10934920698b2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\01340048af59a7ac31b10934920698b2_JaffaCakes118.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Users\Admin\AppData\Local\Temp\01340048af59a7ac31b10934920698b2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\01340048af59a7ac31b10934920698b2_JaffaCakes118.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 8.8.8.8:53 | g.bing.com | udp

Files

memory/652-0-0x0000000000890000-0x0000000000891000-memory.dmp

C:\Windows\Parameters.ini

MD5 6687785d6a31cdf9a5f80acb3abc459b
SHA1 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA256 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA512 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

memory/652-41-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/652-43-0x0000000000890000-0x0000000000891000-memory.dmp

memory/784-44-0x0000000000400000-0x000000000043E000-memory.dmp

memory/784-46-0x0000000000400000-0x000000000043E000-memory.dmp

memory/652-47-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/784-51-0x0000000000440000-0x0000000000509000-memory.dmp

memory/784-53-0x0000000000400000-0x000000000043E000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-26 16:40

Reported

2024-04-26 16:43

Platform

win7-20240419-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01340048af59a7ac31b10934920698b2_JaffaCakes118.exe"

Signatures

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\01340048af59a7ac31b10934920698b2_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\01340048af59a7ac31b10934920698b2_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\01340048af59a7ac31b10934920698b2_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\01340048af59a7ac31b10934920698b2_JaffaCakes118.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Parameters.ini | C:\Users\Admin\AppData\Local\Temp\01340048af59a7ac31b10934920698b2_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2844 wrote to memory of 2040 | N/A | C:\Users\Admin\AppData\Local\Temp\01340048af59a7ac31b10934920698b2_JaffaCakes118.exe | C:\Windows\splwow64.exe
PID 2844 wrote to memory of 2040 | N/A | C:\Users\Admin\AppData\Local\Temp\01340048af59a7ac31b10934920698b2_JaffaCakes118.exe | C:\Windows\splwow64.exe
PID 2844 wrote to memory of 2040 | N/A | C:\Users\Admin\AppData\Local\Temp\01340048af59a7ac31b10934920698b2_JaffaCakes118.exe | C:\Windows\splwow64.exe
PID 2844 wrote to memory of 2040 | N/A | C:\Users\Admin\AppData\Local\Temp\01340048af59a7ac31b10934920698b2_JaffaCakes118.exe | C:\Windows\splwow64.exe
PID 2844 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\01340048af59a7ac31b10934920698b2_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\01340048af59a7ac31b10934920698b2_JaffaCakes118.exe
PID 2844 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\01340048af59a7ac31b10934920698b2_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\01340048af59a7ac31b10934920698b2_JaffaCakes118.exe
PID 2844 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\01340048af59a7ac31b10934920698b2_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\01340048af59a7ac31b10934920698b2_JaffaCakes118.exe
PID 2844 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\01340048af59a7ac31b10934920698b2_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\01340048af59a7ac31b10934920698b2_JaffaCakes118.exe
PID 2844 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\01340048af59a7ac31b10934920698b2_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\01340048af59a7ac31b10934920698b2_JaffaCakes118.exe
PID 2844 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\01340048af59a7ac31b10934920698b2_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\01340048af59a7ac31b10934920698b2_JaffaCakes118.exe

Processes

C:\Users\Admin\AppData\Local\Temp\01340048af59a7ac31b10934920698b2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\01340048af59a7ac31b10934920698b2_JaffaCakes118.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Users\Admin\AppData\Local\Temp\01340048af59a7ac31b10934920698b2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\01340048af59a7ac31b10934920698b2_JaffaCakes118.exe"

Network

N/A

Files

memory/2844-0-0x0000000000220000-0x0000000000221000-memory.dmp

C:\Windows\Parameters.ini

MD5 6687785d6a31cdf9a5f80acb3abc459b
SHA1 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA256 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA512 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

memory/2844-17-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2844-19-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2640-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2640-20-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2640-24-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2640-27-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2844-28-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2640-33-0x0000000000400000-0x000000000043E000-memory.dmp