Analysis

  • max time kernel
    143s
  • max time network
    103s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/07/2024, 12:02

General

  • Target

    49b0f8750e7c27363134c901e74293c5_JaffaCakes118.exe

  • Size

    286KB

  • MD5

    49b0f8750e7c27363134c901e74293c5

  • SHA1

    326fd357f24fe982d6a744f0414385559891540b

  • SHA256

    00bdc3fc997519768f4e5ace965b337e494806c0cd03cd09eb73ad81501737c5

  • SHA512

    db297f05a03a3ac476c0032e8b61bfc487a1239d758b016128a40f4fe22d9553a7780146b7602e32e6e9d4f3d4d79868127d616e20b043afdadbde6e804619d2

  • SSDEEP

    6144:mnCCrLUwNcvmPSnBIvivyTz7JA1LQGtqro8THwCvLQOWV42WwqnW2aaOKj:QSXBIqvyTzYt+oG/ZS42NqnILKj

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Disables taskbar notifications via registry modification
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 3 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\49b0f8750e7c27363134c901e74293c5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\49b0f8750e7c27363134c901e74293c5_JaffaCakes118.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2564
    • C:\Users\Admin\AppData\Local\Temp\49b0f8750e7c27363134c901e74293c5_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\49b0f8750e7c27363134c901e74293c5_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\FB6F6\69058.exe%C:\Users\Admin\AppData\Roaming\FB6F6
      2⤵
      PID:2516
    • C:\Users\Admin\AppData\Local\Temp\49b0f8750e7c27363134c901e74293c5_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\49b0f8750e7c27363134c901e74293c5_JaffaCakes118.exe startC:\Program Files (x86)\F67FE\lvvm.exe%C:\Program Files (x86)\F67FE
      2⤵
      PID:2928
    • C:\Program Files (x86)\LP\589F\DEBB.tmp
      "C:\Program Files (x86)\LP\589F\DEBB.tmp"
      2⤵
      • Executes dropped EXE
      PID:932
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1636
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3024
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x1c0
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:952

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\Roaming\FB6F6\67FE.B6F

        Filesize

        996B

        MD5

        e01642350226050056b909fc8e886f56

        SHA1

        035b3fcefcbecaae018eeabc9e8c8b36ed9d2276

        SHA256

        a11e658dbb7115a125997f2f6244bcb649df1b92bc8484ede21c791f8e853e16

        SHA512

        1f66ff76fb9c92a28d375d1aade5bae0df7337e4f9da897dc6d2b3ed4d5e2937b8a5942b1b0e54b7102d30f19ebd012620be8656dd000f525f93691fc2b3ea22

      • C:\Users\Admin\AppData\Roaming\FB6F6\67FE.B6F

        Filesize

        1KB

        MD5

        d88a590a6ebe02a5822eaf4603c0d87d

        SHA1

        d4453fd37b301219039b5443e1c414826b62e74e

        SHA256

        b49280757a67fbb769356ebd68d5239cbaa0a70ba22e5234509f9d905088d532

        SHA512

        698c433e81af3c1940ae8594867771b0021b7eb6b402f5d889f62dec40408abadc488466f9053fb2ee236250cfacb890f7489a2b500e6387a58adcd8c21815cc

      • C:\Users\Admin\AppData\Roaming\FB6F6\67FE.B6F

        Filesize

        1KB

        MD5

        b09dd49f787824c0c1a89eeb56496be9

        SHA1

        68514f47adf9517a15ae5b3f452fdca47a9e2ea5

        SHA256

        d3930ac43b0db73e0336fb57e7426aeba344532865e3267229f04efdd03d76c1

        SHA512

        08f6527eb8b5d2a5a66147d16dbd223fcacb30d1b2f517fa834e68150c69fa8c144148168f406231ad0cf205d0088967070f1f27af7e3c980a7f7cced2d5ca75

      • C:\Users\Admin\AppData\Roaming\FB6F6\67FE.B6F

        Filesize

        600B

        MD5

        00f4af246729dfa12b22e4a887bf7ef8

        SHA1

        0726ea501e84897711d89554806e2f709fac08bc

        SHA256

        ac201fdd27235d19e2fb08425ea94bcdf76c399a8cc18d7779fcc4c567aab989

        SHA512

        2581b86c9a45a18a84a9e9fd5b1148a2d132ade84e631c9c2b24075bf6cf366b81e1196730f950a343429dd3b01ae89e20c91a94bf30bc01fb8ee73822492d3c

      • C:\Users\Admin\AppData\Roaming\FB6F6\67FE.B6F

        Filesize

        300B

        MD5

        e79bec0b7e38579202b2ce1cc3b7e1ad

        SHA1

        456147eb6cef2a251dbdd39a4f8728d615e8ca07

        SHA256

        d8eed28bf2a33c49a5e9c8ca9a99fa7ae28eb9fe6065e26891fc253bf189c209

        SHA512

        98296f3d37a68bce0a114e7fd7d4142f73ff69ef5f31934c9ec467c05c69942c5ece22743433889fdb96416024bfb5c29a10f3ea2d599cc2260a6fb8c9c6c179

      • \Program Files (x86)\LP\589F\DEBB.tmp

        Filesize

        102KB

        MD5

        9636b8b316a3bc776f9a98ea09da5caf

        SHA1

        050f0bc24149a2e208fdec8e0d7bdb08133ff958

        SHA256

        2de935d69a83a276edbd20ee616e8ece2a2ec3aa75daebd91de5891a099e3a4f

        SHA512

        472bc6565f724a356938412a0dac7c443c2e45b71101831542b6723f6bcee9d3d54afc40adec603db829d736c828d60c08b0a3a78e1f691bdbff8445c424e8a0

      • memory/932-348-0x0000000000400000-0x000000000041D000-memory.dmp

        Filesize

        116KB

      • memory/932-347-0x0000000000400000-0x000000000041D000-memory.dmp

        Filesize

        116KB

      • memory/2516-76-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

      • memory/2516-75-0x00000000005B5000-0x00000000005FB000-memory.dmp

        Filesize

        280KB

      • memory/2516-74-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

      • memory/2564-1-0x0000000000400000-0x0000000000468000-memory.dmp

        Filesize

        416KB

      • memory/2564-242-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

      • memory/2564-2-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

      • memory/2564-3-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

      • memory/2564-346-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

      • memory/2564-185-0x0000000000400000-0x0000000000468000-memory.dmp

        Filesize

        416KB

      • memory/2564-77-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

      • memory/2564-352-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

      • memory/2928-241-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB