pony | 3b5402a65f8301b97bfc1dc276b97f695ec7cb44efc1e941ed0f4778eda26fa6

General

Target

6e75b846207c166f882226e6ffb7c000_JaffaCakes118.exe
Size

1.1MB
MD5

6e75b846207c166f882226e6ffb7c000
SHA1

94ca9238a4888754df1f7e0cef0d4cab6f1eef24
SHA256

3b5402a65f8301b97bfc1dc276b97f695ec7cb44efc1e941ed0f4778eda26fa6
SHA512

166321f32b0196bc5577f13e72e3b4d4db6c5fcd95423b639711c18e4d7bb767f6e98fa905aa1cc8195e262c56bce3ac46e9e80b569ea076a29973f20aec9bbe
SSDEEP

24576:kO0N1KqkD77mkJxTjloSVpXcgs4hI/twQ/:5YE1T+ONWD

Score

10^/10

pony rat spyware stealer

Malware Config

Extracted

Family

pony

C2

http://199.192.25.237/~catchusnot/panel/gate.php

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6e75b846207c166f882226e6ffb7c000_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	6e75b846207c166f882226e6ffb7c000_JaffaCakes118.exe

Executes dropped EXE 5 IoCs

Processes:

Wservices.exeWservices.exeWservices.exeWservices.exeWservices.exe

pid process

912 Wservices.exe
752 Wservices.exe
380 Wservices.exe
2780 Wservices.exe
3144 Wservices.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Wservices.exe

description pid process target process

PID 2780 set thread context of 3144 2780 Wservices.exe Wservices.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2684 380 WerFault.exe Wservices.exe
3432 3144 WerFault.exe Wservices.exe

pid	process
912	Wservices.exe
752	Wservices.exe
380	Wservices.exe
2780	Wservices.exe
3144	Wservices.exe

description	pid	process	target process
PID 2780 set thread context of 3144	2780	Wservices.exe	Wservices.exe

pid	pid_target	process	target process
2684	380	WerFault.exe	Wservices.exe
3432	3144	WerFault.exe	Wservices.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

344 schtasks.exe

pid	process
344	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

6e75b846207c166f882226e6ffb7c000_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	6e75b846207c166f882226e6ffb7c000_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

2788 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

2788 AcroRd32.exe
2788 AcroRd32.exe
2788 AcroRd32.exe
2788 AcroRd32.exe

pid	process
2788	AcroRd32.exe

pid	process
2788	AcroRd32.exe
2788	AcroRd32.exe
2788	AcroRd32.exe
2788	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6e75b846207c166f882226e6ffb7c000_JaffaCakes118.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 4356 wrote to memory of 2788	4356	6e75b846207c166f882226e6ffb7c000_JaffaCakes118.exe	AcroRd32.exe
PID 4356 wrote to memory of 2788	4356	6e75b846207c166f882226e6ffb7c000_JaffaCakes118.exe	AcroRd32.exe
PID 4356 wrote to memory of 2788	4356	6e75b846207c166f882226e6ffb7c000_JaffaCakes118.exe	AcroRd32.exe
PID 2788 wrote to memory of 4884	2788	AcroRd32.exe	RdrCEF.exe
PID 2788 wrote to memory of 4884	2788	AcroRd32.exe	RdrCEF.exe
PID 2788 wrote to memory of 4884	2788	AcroRd32.exe	RdrCEF.exe
PID 4884 wrote to memory of 4804	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 4804	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 4804	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 4804	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 4804	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 4804	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 4804	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 4804	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 4804	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 4804	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 4804	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 4804	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 4804	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 4804	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 4804	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 4804	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 4804	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 4804	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 4804	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 4804	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 4804	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 4804	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 4804	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 4804	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 4804	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 4804	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 4804	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 4804	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 4804	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 4804	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 4804	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 4804	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 4804	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 4804	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 4804	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 4804	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 4804	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 4804	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 4804	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 4804	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 4804	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 3168	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 3168	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 3168	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 3168	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 3168	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 3168	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 3168	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 3168	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 3168	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 3168	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 3168	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 3168	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 3168	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 3168	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 3168	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 3168	4884	RdrCEF.exe	RdrCEF.exe
PID 4884 wrote to memory of 3168	4884	RdrCEF.exe	RdrCEF.exe

C:\Users\Admin\AppData\Local\Temp\6e75b846207c166f882226e6ffb7c000_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6e75b846207c166f882226e6ffb7c000_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4356
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\ICOBOX PROPOSAL.pdf"
  2⤵
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4884
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7F635773E791249E03412D909F692F99 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:4804
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=772CB7B7089F54CB404B2459FCDAB60C --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=772CB7B7089F54CB404B2459FCDAB60C --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:3168
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=42ECE4BA7AE67D5C8E85AD56C9DCECE5 --mojo-platform-channel-handle=2304 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:3672
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=4F1F4665F6EA0E0C9E2A749712510F02 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=4F1F4665F6EA0E0C9E2A749712510F02 --renderer-client-id=5 --mojo-platform-channel-handle=2412 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:1440
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=CA6B0CBC823E50C15831D5EB6C576614 --mojo-platform-channel-handle=2936 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:2444
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5C2946BD2A04CC8CD44A6C87B0C1C3B2 --mojo-platform-channel-handle=2956 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:1828
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /sc minute /mo 1 /tn "'6e75b846207c166f882226e6ffb7c000_JaffaCakes118'" /tr "'C:\Users\Admin\AppData\Roaming\Wservices.exe'"
  2⤵
  - Creates scheduled task(s)
  PID:344
- C:\Users\Admin\AppData\Roaming\Wservices.exe
  "C:\Users\Admin\AppData\Roaming\Wservices.exe"
  2⤵
  - Executes dropped EXE
  PID:912
- - C:\Users\Admin\AppData\Roaming\Wservices.exe
    "C:\Users\Admin\AppData\Roaming\Wservices.exe"
    3⤵
    - Executes dropped EXE
    PID:380
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 448
      4⤵
      Program crash
      PID:2684

C:\Users\Admin\AppData\Roaming\Wservices.exe
C:\Users\Admin\AppData\Roaming\Wservices.exe
1⤵
- Executes dropped EXE
PID:752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 380 -ip 380
1⤵
PID:3136

C:\Users\Admin\AppData\Roaming\Wservices.exe
C:\Users\Admin\AppData\Roaming\Wservices.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2780
- C:\Users\Admin\AppData\Roaming\Wservices.exe
  "C:\Users\Admin\AppData\Roaming\Wservices.exe"
  2⤵
  - Executes dropped EXE
  PID:3144
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 448
    3⤵
    - Program crash
    PID:3432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3144 -ip 3144
1⤵
PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
911baeb51cff568b0ce4350eac871fa7

SHA1
c8cd13c72236b30aa9053b4e5529bbf620171650

SHA256
5abaedd201c3be29942ed7d306dbc157044d9e3d56ec3621bcf1bb1b2ed94a38

SHA512
25e3cf75b2a39e2223dc5d0eac86e199aad9c03651a3a36076ef0dc7bef6e63b2aceaeeb58e45cdac418b2d5450350a7677aa539a72c25ff7a49b37071987b8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
bf5e851e67dad299bd48003388dee241

SHA1
7f73f7906ce3fb22aba95996a6cb173eb546f46e

SHA256
e48aa393d0844357364535ac8d640f618514dd129b559576df8a9b5cde3bcaee

SHA512
cddba43b2df22bbf1523d2d736bfcfa20881444b6d26770610dbb337c2a696ea17d42b8d5fda4eab66705a813eac5a409368a2d6940c7d70aa8d1ac999f60176

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Wservices.exe.log

Filesize
139B

MD5
b226ddb0f6213e848e868253270d2ee4

SHA1
9d9b43c46b5a5573cd4e521293413ad9c55ef5b9

SHA256
9fcd51e732baf44df777525aca99cd16a693190659f9cab66263fd2393fb87f1

SHA512
b4f46b90bb116fffd16924b1911ab9b280c74977344788bad0db8b60818f8126efa830d282df4a97aa542d1c9ea48e445d7dd77ac33c3fda5e745787fcd74e8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICOBOX PROPOSAL.pdf

Filesize
495KB

MD5
660380474df2fa5a174e3a25b680fff6

SHA1
59c78b29da6b1441e5b6a8196abf320e67113510

SHA256
79b2b935f1b6ec7474663ce9a9011954feca17b740ce921c34fe6ac4469bcb92

SHA512
43c20cd8d01a773ae935e3b1bed767ff3e8983ccffdca87b46c919eb62c0364cc81c312439a2b67fa46eaa4460a7ea54f91910b9255f8b64eacb36fead8ceec3

Download Submit
C:\Users\Admin\AppData\Roaming\Wservices.exe

Filesize
1.1MB

MD5
6e75b846207c166f882226e6ffb7c000

SHA1
94ca9238a4888754df1f7e0cef0d4cab6f1eef24

SHA256
3b5402a65f8301b97bfc1dc276b97f695ec7cb44efc1e941ed0f4778eda26fa6

SHA512
166321f32b0196bc5577f13e72e3b4d4db6c5fcd95423b639711c18e4d7bb767f6e98fa905aa1cc8195e262c56bce3ac46e9e80b569ea076a29973f20aec9bbe

Download Submit
memory/380-110-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/380-108-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2780-115-0x0000000004A20000-0x0000000004A3C000-memory.dmp

Filesize
112KB

Download
memory/3144-118-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3144-120-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3144-116-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4356-91-0x00000000056F0000-0x0000000005C94000-memory.dmp

Filesize
5.6MB

Download
memory/4356-0-0x000000007484E000-0x000000007484F000-memory.dmp

Filesize
4KB

Download
memory/4356-103-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/4356-1-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/4356-2-0x0000000004A30000-0x0000000004ACC000-memory.dmp

Filesize
624KB

Download
memory/4356-4-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/4356-90-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/4356-89-0x000000007484E000-0x000000007484F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads