Analysis

  • max time kernel: 83s
  • max time network: 52s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240419-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 26/04/2024, 20:30

Errors

Reason: Machine shutdown

General

  • Target: 019a4e9d2dfd1eab14adb07bb6ea33d5_JaffaCakes118.exe
  • Size: 2.2MB
  • MD5: 019a4e9d2dfd1eab14adb07bb6ea33d5
  • SHA1: 05f36c386c849ad775be9b5836a8d8cd4734de7e
  • SHA256: 8279c8a068aa0bd266a182c72107078faeb71cbd1d7344d9fec39d12403cbf12
  • SHA512: dbeaafab8db8528dbd4bfd3c2267d321bfb3811b290d3408d025c4c6f37f1d29bde7d74111fada9b20902f47c52fee0ef8885b37361abdbf2ba32560eefb08e8
  • SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZJ:0UzeyQMS4DqodCnoe+iitjWwwl

Malware Config

Extracted

  • Family: pony
  • C2: http://don.service-master.eu/gate.php
  • Attributes
    • payload_url: http://don.service-master.eu/shit.exe

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Pony, Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 30 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 32 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 58 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\019a4e9d2dfd1eab14adb07bb6ea33d5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\019a4e9d2dfd1eab14adb07bb6ea33d5_JaffaCakes118.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:4880
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1564
      • C:\Users\Admin\AppData\Local\Temp\019a4e9d2dfd1eab14adb07bb6ea33d5_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\019a4e9d2dfd1eab14adb07bb6ea33d5_JaffaCakes118.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4708
        • \??\c:\windows\system\explorer.exe
          c:\windows\system\explorer.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Drops file in Windows directory
          • Suspicious use of WriteProcessMemory
          PID:3140
          • \??\c:\windows\system\explorer.exe
            "c:\windows\system\explorer.exe"
            4⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of hidden/system files in Explorer
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1752
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Drops file in Windows directory
              PID:400
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Drops file in Windows directory
              PID:1396
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Drops file in Windows directory
              PID:3752
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Drops file in Windows directory
              PID:4400
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Drops file in Windows directory
              PID:1856
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Drops file in Windows directory
              PID:4704
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Drops file in Windows directory
              PID:4972
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Drops file in Windows directory
              PID:4956
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Drops file in Windows directory
              PID:4132
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Drops file in Windows directory
              PID:5020
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Drops file in Windows directory
              PID:1008
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Drops file in Windows directory
              PID:1316
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Drops file in Windows directory
              PID:4920
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Drops file in Windows directory
              PID:3832
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Drops file in Windows directory
              PID:1292
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Drops file in Windows directory
              PID:4120
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Drops file in Windows directory
              PID:1820
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Drops file in Windows directory
              PID:3052
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Drops file in Windows directory
              PID:2016
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Drops file in Windows directory
              PID:4720
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Drops file in Windows directory
              PID:4184
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Drops file in Windows directory
              PID:3744
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Drops file in Windows directory
              PID:4984
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Drops file in Windows directory
              PID:412
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Drops file in Windows directory
              PID:2072
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Drops file in Windows directory
              PID:4288
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Drops file in Windows directory
              PID:2616
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              PID:1028
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
      1⤵
        PID:4860

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\Parameters.ini
    • Filesize: 74B
    • MD5: 6687785d6a31cdf9a5f80acb3abc459b
    • SHA1: 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
    • SHA256: 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
    • SHA512: 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

  • C:\Windows\System\explorer.exe
    • Filesize: 2.2MB
    • MD5: 4da99134dc810a4c3c4821ba6be9eae0
    • SHA1: 855aa345480821f6bfe6200a785b08f3d5449a43
    • SHA256: 4c3365c48c9031e8d2b4920f5f973f98354f16239153a0249b012edc8884ac04
    • SHA512: 1288e8075810ff824c87a81f1f382f890827c6ba26ccb32dc6be038edfc6b5bcbd830520422a867c741d2f100f1644d7e117034eb3e22ef844d9b0df21b5d967

  • C:\Windows\System\spoolsv.exe
    • Filesize: 2.2MB
    • MD5: 3c936950a01d55c2e1bc70f37bc9dff5
    • SHA1: 8148e572fc863395eaff9342239cfcdd79fece83
    • SHA256: be8bf4edfd9fe4c3ceab97ba6a3888a235f38de23ac35188eeaeb2719b431e64
    • SHA512: 2ef392075c4c537e8fd94071089026cd505dcbf3452f200f1bda731a7e495d9199d00ceca1ef06f58707cfc362c7ba4a9d9132be419d72ee5eb78a5bb32d2027

  • memory/400-829-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
  • memory/1008-1573-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
  • memory/1292-1735-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
  • memory/1316-1574-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
  • memory/1396-1032-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
  • memory/1752-828-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
  • memory/1752-100-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
  • memory/1856-1210-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
  • memory/3140-95-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
  • memory/3140-101-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
  • memory/3752-1033-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
  • memory/3832-1734-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
  • memory/4132-1379-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
  • memory/4400-1034-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
  • memory/4704-1211-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
  • memory/4708-40-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
  • memory/4708-87-0x0000000000440000-0x0000000000509000-memory.dmp (Filesize: 804KB)
  • memory/4708-39-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
  • memory/4708-89-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
  • memory/4880-0-0x0000000002450000-0x0000000002451000-memory.dmp (Filesize: 4KB)
  • memory/4880-38-0x0000000002450000-0x0000000002451000-memory.dmp (Filesize: 4KB)
  • memory/4880-36-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
  • memory/4880-42-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
  • memory/4920-1733-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
  • memory/4956-1378-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
  • memory/4972-1222-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)
  • memory/5020-1380-0x0000000000400000-0x00000000005D3000-memory.dmp (Filesize: 1.8MB)