Analysis

  • max time kernel
    142s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    06-07-2024 23:10

General

  • Target

    298b597c3932c359404271c487877702_JaffaCakes118.exe

  • Size

    276KB

  • MD5

    298b597c3932c359404271c487877702

  • SHA1

    7f8c3b822da57221e5c5981ab61c58c9250a2300

  • SHA256

    f6d29939dca14eb216872638a40488631a9b1b7c8ab9a6a399398ca95a3dc05b

  • SHA512

    25d2a0bed16ea1943dbfdd67de24b9c149e6348237b6290bf13299fa294f273d73d8c2014fb3d8f597eba46ab8e919c62a038c6ebc5cd8ba533f619d7b7c08d4

  • SSDEEP

    6144:xQGzScV//RGT71E0RVwzpjG1rHJFAon7uzgq94:CGScdRGv1E0Hwz1EAO7Zw

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Disables taskbar notifications via registry modification
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 3 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\298b597c3932c359404271c487877702_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\298b597c3932c359404271c487877702_JaffaCakes118.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2976
    • C:\Users\Admin\AppData\Local\Temp\298b597c3932c359404271c487877702_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\298b597c3932c359404271c487877702_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\5609A\95744.exe%C:\Users\Admin\AppData\Roaming\5609A
      2⤵
        PID:2316
      • C:\Users\Admin\AppData\Local\Temp\298b597c3932c359404271c487877702_JaffaCakes118.exe
        C:\Users\Admin\AppData\Local\Temp\298b597c3932c359404271c487877702_JaffaCakes118.exe startC:\Program Files (x86)\9A592\lvvm.exe%C:\Program Files (x86)\9A592
        2⤵
          PID:1672
        • C:\Program Files (x86)\LP\4425\CAAF.tmp
          "C:\Program Files (x86)\LP\4425\CAAF.tmp"
          2⤵
          • Executes dropped EXE
          PID:1680
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe /V
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2764
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1076

Network

MITRE ATT&CK Enterprise v15


Downloads

      • C:\Users\Admin\AppData\Roaming\5609A\A592.609

        Filesize

        996B

        MD5

        e373d285ad7ea420f4f9525813393209

        SHA1

        8c1f5c66c6dd5276115e6b17bae895781e238236

        SHA256

        c4f373298054d818e51d45b2fb8720af3416a9a6331c7714c49684fd1d292e51

        SHA512

        6048cfe77ede146ab74e7e5922616eb4628d2cb640729ad3903f86b3f12e9cd29d0bfe07fdc7722e6258ce68de9a2d9836104b6da9d911df2be43f95dff42bae

      • C:\Users\Admin\AppData\Roaming\5609A\A592.609

        Filesize

        600B

        MD5

        3368795cc5a26dccae6aca370d0415d7

        SHA1

        804fb9fd0476ba5ed0161baba1406f031a2d5f31

        SHA256

        2a52c6f9d093709baeb69754fa73cea17a4366efcf4e57ea52bf9f6dcf0eedbd

        SHA512

        b6739a50c07031e1d6c27e88c402c02c080ebc88c54ee469f558bb24e19bf3b89ac89b24157a3818b48a94a2b5c21299c78b2c244e5df39aec73ce3166b880a0

      • C:\Users\Admin\AppData\Roaming\5609A\A592.609

        Filesize

        1KB

        MD5

        a183bd0bf49513e5a18c10d3e18d2117

        SHA1

        f584c64fe696df59f784873e10f37c27d7704b64

        SHA256

        f83eeab735c60825bfa2ed61a9d05e1e1e83541966dbd7abfce401487396174c

        SHA512

        a704aa611efe05d3963e0f1d6cea36f223847960031c62f1693c87b8cb36e65dc853ace3ad2fda518e12393c0b890c1e4fdb3f1d6ab65e75aae27bdd8f321f15

      • \Program Files (x86)\LP\4425\CAAF.tmp

        Filesize

        97KB

        MD5

        494a3113d8759a37d39e4cc5a4b3dc2d

        SHA1

        16e693a0055dbc4c799220b522895c22730cdae0

        SHA256

        b3c6ca55cf933b8724e4923a664f5e13cd2dac07f90e9179f41ca2bcda727015

        SHA512

        b9a9a342abd3ae50095d7a405be6058fcdf140fe6893cb3a50caa20df9af4368a9ef5ea47ff1191760395e66381295922d530be7166e575c290057885e0de69b

      • memory/1672-133-0x0000000000400000-0x0000000000469000-memory.dmp

        Filesize

        420KB

      • memory/1672-132-0x0000000000400000-0x0000000000469000-memory.dmp

        Filesize

        420KB

      • memory/1672-135-0x0000000000400000-0x0000000000469000-memory.dmp

        Filesize

        420KB

      • memory/1680-324-0x0000000000400000-0x000000000041C000-memory.dmp

        Filesize

        112KB

      • memory/2316-16-0x0000000000639000-0x000000000065C000-memory.dmp

        Filesize

        140KB

      • memory/2316-15-0x0000000000400000-0x0000000000467000-memory.dmp

        Filesize

        412KB

      • memory/2316-14-0x0000000000400000-0x0000000000469000-memory.dmp

        Filesize

        420KB

      • memory/2976-130-0x0000000000400000-0x0000000000469000-memory.dmp

        Filesize

        420KB

      • memory/2976-17-0x0000000000400000-0x0000000000469000-memory.dmp

        Filesize

        420KB

      • memory/2976-0-0x0000000000400000-0x0000000000469000-memory.dmp

        Filesize

        420KB

      • memory/2976-182-0x0000000000400000-0x0000000000467000-memory.dmp

        Filesize

        412KB

      • memory/2976-3-0x0000000000400000-0x0000000000469000-memory.dmp

        Filesize

        420KB

      • memory/2976-323-0x0000000000400000-0x0000000000469000-memory.dmp

        Filesize

        420KB

      • memory/2976-2-0x0000000000400000-0x0000000000467000-memory.dmp

        Filesize

        412KB

      • memory/2976-327-0x0000000000400000-0x0000000000469000-memory.dmp

        Filesize

        420KB