General

  • Target

    17b49ff20c5fc7d912c92e558f786a38_JaffaCakes118

  • Size

    276KB

  • Sample

    240627-12grjswerk

  • MD5

    17b49ff20c5fc7d912c92e558f786a38

  • SHA1

    b5d41ea453a7b8c8e72b2b8d6001c9d07a87c573

  • SHA256

    938b88273e6139b212c1c3c155696940cbd2d9191f74b76dfa75da37e5733715

  • SHA512

    82ce52d6dab9043a79dbfccad480fa4555977ed40cff7a077d7cc08e97c14573fd427132a87d8ff96c97a642791242f6662fe569fb96b04776b7f398051b620f

  • SSDEEP

    6144:TTq07X6nks9FvCsFW1sez9W/BApQHcc8FmqFzes9g3o:TO2tsFWSFA/jmK

Malware Config

Targets

    • Target

      17b49ff20c5fc7d912c92e558f786a38_JaffaCakes118

    • Size

      276KB

    • MD5

      17b49ff20c5fc7d912c92e558f786a38

    • SHA1

      b5d41ea453a7b8c8e72b2b8d6001c9d07a87c573

    • SHA256

      938b88273e6139b212c1c3c155696940cbd2d9191f74b76dfa75da37e5733715

    • SHA512

      82ce52d6dab9043a79dbfccad480fa4555977ed40cff7a077d7cc08e97c14573fd427132a87d8ff96c97a642791242f6662fe569fb96b04776b7f398051b620f

    • SSDEEP

      6144:TTq07X6nks9FvCsFW1sez9W/BApQHcc8FmqFzes9g3o:TO2tsFWSFA/jmK

    • Modifies WinLogon for persistence

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v15

Tasks