Analysis
-
max time kernel
67s -
max time network
53s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
26/04/2024, 17:07
Static task
static1
Behavioral task
behavioral1
Sample
013f51adbdfc57805523576f0864be2d_JaffaCakes118.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
013f51adbdfc57805523576f0864be2d_JaffaCakes118.exe
Resource
win10v2004-20240419-en
General
-
Target
013f51adbdfc57805523576f0864be2d_JaffaCakes118.exe
-
Size
386KB
-
MD5
013f51adbdfc57805523576f0864be2d
-
SHA1
2b1a2b04e027c5b238fe8aef247da0873ea7cc3e
-
SHA256
e57c9320ec6ae7d2fcb1bdc7d59033411b50fc5d4d28c88137d19fc1edaa279b
-
SHA512
579970a03258981a9ae879cd351ed8db06d4469dc726a82216886eb883087f7293afbeb2e54d3b2d7e185420517f55fd48740098a8e38291a6adc1f38cd1cbd0
-
SSDEEP
6144:TjbeifBxa5tFRRpYUcds1xuLhcmhqFecw51q99swY1JGfYIcg/9QmKX7:TuEAPFxZce1xuccq9w51q/sB1JfloOzr
Malware Config
Extracted
pony
http://gregorian.club/ifamandiebyaccident/gate.php
-
payload_url
http://myp0nysite.ru/shit.exe
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation z.cmd -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs cmd.exe -
Executes dropped EXE 2 IoCs
pid Process 1544 z.cmd 720 z.cmd -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts z.cmd -
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook z.cmd -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 013f51adbdfc57805523576f0864be2d_JaffaCakes118.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1544 set thread context of 720 1544 z.cmd 89 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 1544 z.cmd 1544 z.cmd 1544 z.cmd 1544 z.cmd -
Suspicious use of AdjustPrivilegeToken 48 IoCs
description pid Process Token: SeImpersonatePrivilege 720 z.cmd Token: SeTcbPrivilege 720 z.cmd Token: SeChangeNotifyPrivilege 720 z.cmd Token: SeCreateTokenPrivilege 720 z.cmd Token: SeBackupPrivilege 720 z.cmd Token: SeRestorePrivilege 720 z.cmd Token: SeIncreaseQuotaPrivilege 720 z.cmd Token: SeAssignPrimaryTokenPrivilege 720 z.cmd Token: SeImpersonatePrivilege 720 z.cmd Token: SeTcbPrivilege 720 z.cmd Token: SeChangeNotifyPrivilege 720 z.cmd Token: SeCreateTokenPrivilege 720 z.cmd Token: SeBackupPrivilege 720 z.cmd Token: SeRestorePrivilege 720 z.cmd Token: SeIncreaseQuotaPrivilege 720 z.cmd Token: SeAssignPrimaryTokenPrivilege 720 z.cmd Token: SeImpersonatePrivilege 720 z.cmd Token: SeTcbPrivilege 720 z.cmd Token: SeChangeNotifyPrivilege 720 z.cmd Token: SeCreateTokenPrivilege 720 z.cmd Token: SeBackupPrivilege 720 z.cmd Token: SeRestorePrivilege 720 z.cmd Token: SeIncreaseQuotaPrivilege 720 z.cmd Token: SeAssignPrimaryTokenPrivilege 720 z.cmd Token: SeImpersonatePrivilege 720 z.cmd Token: SeTcbPrivilege 720 z.cmd Token: SeChangeNotifyPrivilege 720 z.cmd Token: SeCreateTokenPrivilege 720 z.cmd Token: SeBackupPrivilege 720 z.cmd Token: SeRestorePrivilege 720 z.cmd Token: SeIncreaseQuotaPrivilege 720 z.cmd Token: SeAssignPrimaryTokenPrivilege 720 z.cmd Token: SeImpersonatePrivilege 720 z.cmd Token: SeTcbPrivilege 720 z.cmd Token: SeChangeNotifyPrivilege 720 z.cmd Token: SeCreateTokenPrivilege 720 z.cmd Token: SeBackupPrivilege 720 z.cmd Token: SeRestorePrivilege 720 z.cmd Token: SeIncreaseQuotaPrivilege 720 z.cmd Token: SeAssignPrimaryTokenPrivilege 720 z.cmd Token: SeImpersonatePrivilege 720 z.cmd Token: SeTcbPrivilege 720 z.cmd Token: SeChangeNotifyPrivilege 720 z.cmd Token: SeCreateTokenPrivilege 720 z.cmd Token: SeBackupPrivilege 720 z.cmd Token: SeRestorePrivilege 720 z.cmd Token: SeIncreaseQuotaPrivilege 720 z.cmd Token: SeAssignPrimaryTokenPrivilege 720 z.cmd -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1544 z.cmd 1544 z.cmd -
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target PID 4140 wrote to memory of 1544 4140 013f51adbdfc57805523576f0864be2d_JaffaCakes118.exe 83 PID 4140 wrote to memory of 1544 4140 013f51adbdfc57805523576f0864be2d_JaffaCakes118.exe 83 PID 4140 wrote to memory of 1544 4140 013f51adbdfc57805523576f0864be2d_JaffaCakes118.exe 83 PID 1544 wrote to memory of 3120 1544 z.cmd 87 PID 1544 wrote to memory of 3120 1544 z.cmd 87 PID 1544 wrote to memory of 3120 1544 z.cmd 87 PID 1544 wrote to memory of 720 1544 z.cmd 89 PID 1544 wrote to memory of 720 1544 z.cmd 89 PID 1544 wrote to memory of 720 1544 z.cmd 89 PID 1544 wrote to memory of 720 1544 z.cmd 89 PID 1544 wrote to memory of 720 1544 z.cmd 89 PID 1544 wrote to memory of 720 1544 z.cmd 89 PID 1544 wrote to memory of 720 1544 z.cmd 89 PID 1544 wrote to memory of 720 1544 z.cmd 89 PID 1544 wrote to memory of 720 1544 z.cmd 89 PID 1544 wrote to memory of 720 1544 z.cmd 89 PID 1544 wrote to memory of 720 1544 z.cmd 89 PID 1544 wrote to memory of 720 1544 z.cmd 89 PID 720 wrote to memory of 848 720 z.cmd 90 PID 720 wrote to memory of 848 720 z.cmd 90 PID 720 wrote to memory of 848 720 z.cmd 90 -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook z.cmd
Processes
-
C:\Users\Admin\AppData\Local\Temp\013f51adbdfc57805523576f0864be2d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\013f51adbdfc57805523576f0864be2d_JaffaCakes118.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4140 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z.cmdC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z.cmd2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z.cmd",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"3⤵
- Drops startup file
PID:3120
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z.cmdC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z.cmd3⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_win_path
PID:720 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240619203.bat" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z.cmd" "4⤵PID:848
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
94B
MD53880eeb1c736d853eb13b44898b718ab
SHA14eec9d50360cd815211e3c4e6bdd08271b6ec8e6
SHA256936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
SHA5123eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b
-
Filesize
134KB
MD56647faa08e188db28e4e53390ffc6d2b
SHA1d59f3f143dd58c02eb1b058ecdd6d4658fc34629
SHA256cf43adb1a0dbda08bebf3ab308a27a37367dd80c560b60ff06bf9d4352edb5f5
SHA5128e19290df23bd148bc55363903f725ecf2e048c0323e4b9419d661aab6add59b3cf6aff3f8d4ed1bc88cb1d396929b39cfb761925ef3f6fa3876a0174171c0e4
-
Filesize
556KB
MD583bc4854b7eafa9c4b600bfa1dabde33
SHA1da2cb1f8e307b42b576d868230f4bef64cb6e7af
SHA256f6c682000e1bdbde52416d3d6e716cca330d531c5374e32c426a13aebfb3252b
SHA51271407994762ca973d7d56b832b1972858f4b7680e78c3f6b745c68455b402b379042b5667b0e8758b5aa4a464572f47293c6fc425ed9ee7f5d80cb0adac7e005