Overview

overview

10

Static

static

3

2da4b345e4...18.exe

windows7-x64

10

2da4b345e4...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    08-07-2024 20:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2da4b345e4cea3d8fd7bc4bea459c32f_JaffaCakes118.exe

  • Size

    496KB

  • MD5

    2da4b345e4cea3d8fd7bc4bea459c32f

  • SHA1

    7af114973b76cda6653e59d499bac886e0fbb3c2

  • SHA256

    8c00b0ea5dbee65515247a21d73b2421a969d92881239b599de54d1f6bf47a6c

  • SHA512

    f487d594bb965b9feece00753b7733492e4b681ffa9f561451b87b4468f488a488d63353f2e6dc824beaab2fdce7fda58133def63c53772a381463da663d0ea0

  • SSDEEP

    12288:KDCPENnBV5jaHBoFvZstQW012B04Ngjw5qu8jxTQlDrLOM:KEEZBV5jCoFvZsSWG2BdN+w2+O

Score
10/10
ponydiscoveryevasionpersistenceratspywarestealerupx

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Disables taskbar notifications via registry modification
    evasion
  • Deletes itself 1 IoCs
  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 10 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 29 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 54 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 5 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\2da4b345e4cea3d8fd7bc4bea459c32f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2da4b345e4cea3d8fd7bc4bea459c32f_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2764
    • C:\Users\Admin\j29oAE.exe
      C:\Users\Admin\j29oAE.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2952
      • C:\Users\Admin\souzou.exe
        "C:\Users\Admin\souzou.exe"
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:2884
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c tasklist&&del j29oAE.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2608
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:2572
    • C:\Users\Admin\2men.exe
      C:\Users\Admin\2men.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:952
      • C:\Users\Admin\2men.exe
        "C:\Users\Admin\2men.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1656
      • C:\Users\Admin\2men.exe
        "C:\Users\Admin\2men.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:3012
      • C:\Users\Admin\2men.exe
        "C:\Users\Admin\2men.exe"
        3⤵
        • Executes dropped EXE
        • Maps connected drives based on registry
        • Suspicious behavior: EnumeratesProcesses
        PID:2064
      • C:\Users\Admin\2men.exe
        "C:\Users\Admin\2men.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2040
      • C:\Users\Admin\2men.exe
        "C:\Users\Admin\2men.exe"
        3⤵
        • Executes dropped EXE
        PID:1460
    • C:\Users\Admin\3men.exe
      C:\Users\Admin\3men.exe
      2⤵
      • Modifies security service
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • System policy modification
      PID:2880
      • C:\Users\Admin\3men.exe
        C:\Users\Admin\3men.exe startC:\Users\Admin\AppData\Roaming\80360\9A72E.exe%C:\Users\Admin\AppData\Roaming\80360
        3⤵
        • Executes dropped EXE
        PID:324
      • C:\Users\Admin\3men.exe
        C:\Users\Admin\3men.exe startC:\Program Files (x86)\607A9\lvvm.exe%C:\Program Files (x86)\607A9
        3⤵
        • Executes dropped EXE
        PID:2900
      • C:\Program Files (x86)\LP\2E48\8862.tmp
        "C:\Program Files (x86)\LP\2E48\8862.tmp"
        3⤵
        • Executes dropped EXE
        PID:1724
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c tasklist&&del 2da4b345e4cea3d8fd7bc4bea459c32f_JaffaCakes118.exe
      2⤵
      • Deletes itself
      PID:1152
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:888
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2428
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Modify Registry

5
T1112

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Peripheral Device Discovery

1
T1120

Process Discovery

1
T1057

Query Registry

3
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\2men.exe
    Filesize

    132KB

    MD5

    945a713b037b50442ec5d18d3dc0d55e

    SHA1

    2c8881b327a79fafcce27479b78f05487d93c802

    SHA256

    2da470571a64bcdeb56f62c916ee2bffa87ccc6c028b7c8cb0132d09bceedd2f

    SHA512

    0eab4bb5d04725cc20e463ae6959f71064674602f8ee7b3c9b2db75e928b9a0b1bdc94233dc261f6277d02e54a443b42a59b12aaebb8bbf243f0940344fbf385

    Download Submit

  • C:\Users\Admin\AppData\Roaming\80360\07A9.036
    Filesize

    600B

    MD5

    de21397bbfd9aacb93486e193e2276df

    SHA1

    6a01934ff1c13a771d0eb19d9d3f9b6bd07e112b

    SHA256

    ee9fbb7fa4807a69439752815e3c7e10337cdc4a290ae47ab4d926ba724d73c6

    SHA512

    c5caa27b415789592c1c9ca756ab23d0507933e0566db636347432f52b2aa6993d0d13fc735c430f1e8c06142064faa47963519f204d7f95dd1ba48a1572c47e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\80360\07A9.036
    Filesize

    996B

    MD5

    e6ce4ed933e9442aef642a0c08955909

    SHA1

    834c3a1e4b79453bbe63efb1470b8894ca20ece2

    SHA256

    5b1242f480ab4d0126870ef0f83e5349774e03954b52642363e8863eb1877e20

    SHA512

    ea36128202cd61628b8dd830126171aa8aced74db5ff4c951300c4c6d1bec52b2808cf1d35094d2aefbb518f6200fa475e4837205883cc537f3d0d6074cf2e29

    Download Submit

  • C:\Users\Admin\AppData\Roaming\80360\07A9.036
    Filesize

    1KB

    MD5

    e687ebe530a1450f53f082b4b317dab2

    SHA1

    76b74a859262942d105030990886609a243ec929

    SHA256

    b6b6578367366a8791979e51a9bb5426b293380007a90dad9a47693ce51c6c82

    SHA512

    71435fde4aee6877a53e38b8f6b64ccfb90820efc015a0bd8ca0963f7c9182ea12fa4b6dee49df6c538a5dcfe9c71fee5efd3d1c02e0676158ac82b2e358c387

    Download Submit

  • \Program Files (x86)\LP\2E48\8862.tmp
    Filesize

    96KB

    MD5

    6b9ed8570a1857126c8bf99e0663926c

    SHA1

    94e08d8a0be09be35f37a9b17ec2130febfa2074

    SHA256

    888e4e571a6f78ee81d94ab56bd033d413f9160f1089073176b03c91878aae2d

    SHA512

    23211a1b71f1d05ad7f003231da826220ac4940e48071135cc3fba14708123fa0292e2e71c294a8086d8dc5f90dd32c4da3b41e6857c56f38cb325d78cb14880

    Download Submit

  • \Users\Admin\3men.exe
    Filesize

    271KB

    MD5

    0d668203e24463de2bf228f00443b7bc

    SHA1

    eacff981d71f6648f6315e508bfd75e11683dba8

    SHA256

    509d530e99839d7dbc8fccac163420d9dc455fb478fa57fdec1b7a2ef629d7bc

    SHA512

    3251bb1341bd466e71468d72723bd5cf545dbd232327f343b44c51daae8755ed3caa02f74adbb0304912769346fa90dfa4c7036c211836e5650bdb06993ba803

    Download Submit

  • \Users\Admin\j29oAE.exe
    Filesize

    176KB

    MD5

    c4a634088e095eab98183984bb7252d8

    SHA1

    c205f2c1f8040c9205c6c06accd75c0396c59781

    SHA256

    db345985313397a39cc2817134315c8db71ab4c48680e62c0358db406b0eff6a

    SHA512

    b6a30f6d5cc30bee9b9d483629f16c80c5338360cec629f9ee2a3307b73b9743fd71396e408ac72008b84f4b8fded26002c910421853253b52b8b4d530df7a8e

    Download Submit

  • \Users\Admin\souzou.exe
    Filesize

    176KB

    MD5

    9d8b9789b2503e58c3923d3a1ce51576

    SHA1

    1013e3a79258e1698b553348ca93fc169a476462

    SHA256

    eb1196355fdf49505a364192e8630fbcafe53bf278b84b23b55d363c627d78b1

    SHA512

    5c27154591df21071037caed28e995cc14b9a974506a44a700783b7edcaea26cd1e0eee6bf9d0d6f0912480aa86b4e97db0ee9d9091d75a7294d8d3921bd4fc7

    Download Submit

  • memory/324-123-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/1656-58-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/1656-102-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/1656-46-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/1656-45-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1656-43-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/1656-41-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/1656-48-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/1656-39-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2040-87-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2040-77-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2040-79-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2040-120-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2040-85-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2040-88-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2064-82-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2064-119-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2064-83-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2064-73-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2064-81-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2064-66-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2064-68-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2064-70-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2880-121-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/2880-246-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/2900-248-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/2952-28-0x0000000003970000-0x000000000442A000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/3012-65-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3012-61-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3012-60-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3012-50-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3012-52-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3012-54-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3012-57-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download