General

  • Target

    1c7a10732ecbd4a30b02a4d12a99d5eb_JaffaCakes118

  • Size

    1.9MB

  • Sample

    240701-zswzfatann

  • MD5

    1c7a10732ecbd4a30b02a4d12a99d5eb

  • SHA1

    b7a25bea4b163b499b5b23a52d69fbe9fee87e9b

  • SHA256

    59a900db4016c7cab2b8235554fb9d703577dfacbc37e136a9b8277b12407dfd

  • SHA512

    150753aef099c16a15434731731465bc76fe95f217739428c3ea103feccc2f0e9be88c36454156c97d1c7bedb2cec32663c2addbb7c615ef1459f17b76d83fc2

  • SSDEEP

    24576:lj9ZDtTS7od7341D2+jjqBicDSdwAO3BECoRWz5smhqzxGkdNrAQDEyYECMrU1y:ljdh73WD2IcicDsZO3BjwG5h+dJfr

Malware Config

Targets

    • Modifies security service

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Disables taskbar notifications via registry modification

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks