Overview

overview

10

Static

static

3

06d44c8c2a...18.exe

windows7-x64

10

06d44c8c2a...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    20/06/2024, 14:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    06d44c8c2a4799c31aeeeb0f66cee6e2_JaffaCakes118.exe

  • Size

    282KB

  • MD5

    06d44c8c2a4799c31aeeeb0f66cee6e2

  • SHA1

    f1560b67a8e0e30d40fd9f598281799a516e58ea

  • SHA256

    2cf0f06225998fb06a2dd991277574d83a3e1566181edd8bcf56840146d2316b

  • SHA512

    890d743a98711cf5a55ab6a58e555f06321887a0daaf10444eebd5b93b0c770377c4634fbca78fe9efac711b9e1f03ff4da33415fc5f7c12334ff65de7e628ac

  • SSDEEP

    6144:Z0mTmnVaKf0pALLPd6H0Ldit1SVadGvowQ/pJUJlowL:+Vc4uALLjW1gowujQlowL

Score
10/10
ponydiscoveryevasionpersistenceratspywarestealerupx

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Disables taskbar notifications via registry modification
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 3 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 24 IoCs
  • Suspicious use of SendNotifyMessage 16 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\06d44c8c2a4799c31aeeeb0f66cee6e2_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\06d44c8c2a4799c31aeeeb0f66cee6e2_JaffaCakes118.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2340
    • C:\Users\Admin\AppData\Local\Temp\06d44c8c2a4799c31aeeeb0f66cee6e2_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\06d44c8c2a4799c31aeeeb0f66cee6e2_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\3DCA1\87562.exe%C:\Users\Admin\AppData\Roaming\3DCA1
      2⤵
        PID:792
      • C:\Users\Admin\AppData\Local\Temp\06d44c8c2a4799c31aeeeb0f66cee6e2_JaffaCakes118.exe
        C:\Users\Admin\AppData\Local\Temp\06d44c8c2a4799c31aeeeb0f66cee6e2_JaffaCakes118.exe startC:\Program Files (x86)\A1F17\lvvm.exe%C:\Program Files (x86)\A1F17
        2⤵
          PID:1828
        • C:\Program Files (x86)\LP\62C3\8B2F.tmp
          "C:\Program Files (x86)\LP\62C3\8B2F.tmp"
          2⤵
          • Executes dropped EXE
          PID:1520
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe /V
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2304
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1880

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\3DCA1\1F17.DCA
        Filesize

        996B

        MD5

        a43c143891ed575c49ce39d38fcbdfdb

        SHA1

        0dd491f034b84fe59f99be729c437155398df2e4

        SHA256

        1d90764f056d62a509836dda361d8cf95e243217db8531babaef638c558356e1

        SHA512

        97988bd6ff67aa03958b1e6256472d08f355e7dbc85626a1399fd25332fe61c5c97619065e2be805e881a9fe91f34616c5c2f70e6c06d1bb599bc84e730268c6

        Download Submit

      • C:\Users\Admin\AppData\Roaming\3DCA1\1F17.DCA
        Filesize

        600B

        MD5

        015e9c70b544ee50730a8a8aa93c2828

        SHA1

        084067a8257f075b6f7f62226bf8a6c4cb55ae61

        SHA256

        c114ea65f0ab9112bcaf7843880ba4913eb5d79fae1d3c2ebf0023a386e87768

        SHA512

        45d060e79b9bca1a5e97cbfb981f30c7f21fb63bdfc2c3ebfc274b83f31453166fa62acc2e0066c529dcc4ec9e5607c6c5b09ceec283e72f765409b485547810

        Download Submit

      • C:\Users\Admin\AppData\Roaming\3DCA1\1F17.DCA
        Filesize

        300B

        MD5

        52de655f78c00a4b303724d29a78c884

        SHA1

        aefb93566bdc0ce74333946a189aed0f73c2beba

        SHA256

        5ce5322bbfbeacc7c845d77e41532be7b1e656ca94c48cbc24318f139167b10f

        SHA512

        38156e6c75e9e61cce8d275f79a6effba602c2a074e39ec72e46cc1b2e0f9186e94739725e8483d96a29013d79a009926e90f5af263bca339654c89d6c0b4a76

        Download Submit

      • \Program Files (x86)\LP\62C3\8B2F.tmp
        Filesize

        100KB

        MD5

        340f18faddf54d738f6e56fe3d8b1d54

        SHA1

        bb247a2f8db305906d558c0c665cc7fd7f86ff67

        SHA256

        4613dcf13e53312b483bfebb7866b9e1111c434beabd1b19a03721ab7a2ec572

        SHA512

        e47e375ec6c8cd07411da44cec52c35c1c28e3fce9d09acf390371ea6b1c456e1d43f87d7b5de6f8ba9b233d11caf25cfd5b4890f356b510688286322d7cab74

        Download Submit

      • memory/792-51-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

        Download

      • memory/792-53-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

        Download

      • memory/1520-337-0x0000000000400000-0x000000000041C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/1828-148-0x0000000000400000-0x0000000000468000-memory.dmp

        Filesize

        416KB

        Download

      • memory/1828-147-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

        Download

      • memory/2340-2-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

        Download

      • memory/2340-145-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

        Download

      • memory/2340-149-0x0000000000400000-0x0000000000468000-memory.dmp

        Filesize

        416KB

        Download

      • memory/2340-49-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

        Download

      • memory/2340-1-0x0000000000400000-0x0000000000468000-memory.dmp

        Filesize

        416KB

        Download

      • memory/2340-336-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

        Download

      • memory/2340-340-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

        Download