pony | 563410ebee67ab9c295168c8d26eff9ea363250c2e8a44066acbe85d14e2ad52

Analysis

max time kernel
141s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 08:34 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
Size

286KB
MD5

5b30734c86e13b3ecf4c464f8c1f1a66
SHA1

d6023ba18d36ab1f3a79e722966cb03a7e02ddff
SHA256

563410ebee67ab9c295168c8d26eff9ea363250c2e8a44066acbe85d14e2ad52
SHA512

e6ec5ffe5e79b63742558a86510d92c5ccc50525c9a6745096e61c0bcd52532ca9d39867c9c83d0ea56765cb5d71cb0def2e5f8da6bee6036186868f6cd250a4
SSDEEP

6144:OVq+UoZyYg4M4crK5XKOKzOVGPwyOV8N0cSCbdJ2rjm:OV2ajbx6pPwPuN0cbb/oi

Score

10^/10

pony discovery evasion persistence rat spyware stealer upx

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3"	5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 1 IoCs

pid	Process
1580	3A04.tmp

Loads dropped DLL 2 IoCs

pid	Process
2320	5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
2320	5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2320-1-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2320-2-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2320-11-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1900-13-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1900-14-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2320-122-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2948-124-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2948-125-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2320-126-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2320-301-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2320-305-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2320-306-0x0000000000400000-0x000000000046A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\E53.exe = "C:\\Program Files (x86)\\LP\\8891\\E53.exe"	5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LP\8891\E53.exe	5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\LP\8891\E53.exe	5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\LP\8891\3A04.tmp	5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2320	5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
2320	5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
2320	5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
2320	5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
2320	5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
2320	5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
2320	5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
2320	5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
2320	5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
2320	5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
2320	5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
2320	5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
2320	5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
2320	5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1180	explorer.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeRestorePrivilege	2512	msiexec.exe
Token: SeTakeOwnershipPrivilege	2512	msiexec.exe
Token: SeSecurityPrivilege	2512	msiexec.exe
Token: SeShutdownPrivilege	1180	explorer.exe
Token: SeShutdownPrivilege	1180	explorer.exe
Token: SeShutdownPrivilege	1180	explorer.exe
Token: SeShutdownPrivilege	1180	explorer.exe
Token: SeShutdownPrivilege	1180	explorer.exe
Token: SeShutdownPrivilege	1180	explorer.exe
Token: SeShutdownPrivilege	1180	explorer.exe
Token: SeShutdownPrivilege	1180	explorer.exe
Token: SeShutdownPrivilege	1180	explorer.exe
Token: SeShutdownPrivilege	1180	explorer.exe
Token: SeShutdownPrivilege	1180	explorer.exe
Token: SeShutdownPrivilege	1180	explorer.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 1900	2320	5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe	32
PID 2320 wrote to memory of 1900	2320	5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe	32
PID 2320 wrote to memory of 1900	2320	5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe	32
PID 2320 wrote to memory of 1900	2320	5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe	32
PID 2320 wrote to memory of 2948	2320	5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe	34
PID 2320 wrote to memory of 2948	2320	5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe	34
PID 2320 wrote to memory of 2948	2320	5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe	34
PID 2320 wrote to memory of 2948	2320	5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe	34
PID 2320 wrote to memory of 1580	2320	5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe	37
PID 2320 wrote to memory of 1580	2320	5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe	37
PID 2320 wrote to memory of 1580	2320	5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe	37
PID 2320 wrote to memory of 1580	2320	5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe	37

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe"
1⤵
- Modifies security service
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2320
- C:\Users\Admin\AppData\Local\Temp\5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\1FFA9\C7688.exe%C:\Users\Admin\AppData\Roaming\1FFA9
  2⤵
  PID:1900
- C:\Users\Admin\AppData\Local\Temp\5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe startC:\Program Files (x86)\A9F06\lvvm.exe%C:\Program Files (x86)\A9F06
  2⤵
  PID:2948
- C:\Program Files (x86)\LP\8891\3A04.tmp
  "C:\Program Files (x86)\LP\8891\3A04.tmp"
  2⤵
  - Executes dropped EXE
  PID:1580

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1180

Network

DNS

csc3-2004-crl.verisign.com

5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

csc3-2004-crl.verisign.com

IN A

Response
DNS

cx7m.hoststorageforyou.com

5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

cx7m.hoststorageforyou.com

IN A

Response
DNS

cx7m.hoststorageforyou.com

5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

cx7m.hoststorageforyou.com

IN A
DNS

patentgenius.com

5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

patentgenius.com

IN A

Response
DNS

patentgenius.com

5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

patentgenius.com

IN A
DNS

5ptgqew2ey.wwwmediahosts.com

5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

5ptgqew2ey.wwwmediahosts.com

IN A

Response
DNS

-z92.wwwmediahosts.com

5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

-z92.wwwmediahosts.com

IN A

Response
DNS

6yqi.hoststorageforyou.com

5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

6yqi.hoststorageforyou.com

IN A

Response
DNS

TRANSERSDATAFORME.COM

3A04.tmp

Remote address:

8.8.8.8:53

Request

TRANSERSDATAFORME.COM

IN A

Response
DNS

www.google.com

5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

www.google.com

IN A

Response

www.google.com

IN A

142.250.180.4
GET

http://www.google.com/

5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe

Remote address:

142.250.180.4:80

Request

GET / HTTP/1.0
Connection: close
Host: www.google.com
Accept: */*

Response

HTTP/1.0 302 Found

Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgTCbg1GGPTK6LQGIjD3tjWfiEI30vBI7QtNuhnPtBWySsujdS1nyf_zXAEXg8l5DsLLuo6AxkKMrS4TgtwyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
x-hallmonitor-challenge: CgwI9MrotAYQlqWWwgISBMJuDUY
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-RHzFvUWKRtyEaXtlP3Mhmw' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Date: Fri, 19 Jul 2024 08:36:04 GMT
Server: gws
Content-Length: 396
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AVYB7coY2eW3_iGR0XwSyMX5A2AdCtEzDcd-BnRiCjUjbJtebtNB7j9v_E8; expires=Wed, 15-Jan-2025 08:36:04 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
GET

http://www.google.com/

5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe

Remote address:

142.250.180.4:80

Request

GET / HTTP/1.1
Connection: close
Pragma: no-cache
Host: www.google.com

Response

HTTP/1.1 302 Found

Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgTCbg1GGPfK6LQGIjDHuq3eSAjElvC9MaESFq0Yhwi7GaPgL3xnlnSp_pwh6iAsq1eLMrA9GHioBcAAoGoyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
x-hallmonitor-challenge: CgsI-MrotAYQhIqkexIEwm4NRg
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-zODqvbZ9D8cNRYU4vAWHCw' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Date: Fri, 19 Jul 2024 08:36:08 GMT
Server: gws
Content-Length: 396
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AVYB7crMfqzmKuUrtb4fKYLlVPquFS7jg86f1N0aAfuEYCvIhtdnnPOG0g; expires=Wed, 15-Jan-2025 08:36:08 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Connection: close
GET

http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgTCbg1GGPfK6LQGIjDHuq3eSAjElvC9MaESFq0Yhwi7GaPgL3xnlnSp_pwh6iAsq1eLMrA9GHioBcAAoGoyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe

Remote address:

142.250.180.4:80

Request

GET /sorry/index?continue=http://www.google.com/&q=EgTCbg1GGPfK6LQGIjDHuq3eSAjElvC9MaESFq0Yhwi7GaPgL3xnlnSp_pwh6iAsq1eLMrA9GHioBcAAoGoyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
Connection: close
Pragma: no-cache
Host: www.google.com

Response

HTTP/1.1 429 Too Many Requests

Date: Fri, 19 Jul 2024 08:36:08 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html
Server: HTTP server (unknown)
Content-Length: 3052
X-XSS-Protection: 0
Connection: close

127.0.0.1:49697
127.0.0.1:49697
127.0.0.1:49697
127.0.0.1:49697
127.0.0.1:49697
127.0.0.1:49697
127.0.0.1:49697
127.0.0.1:49697
127.0.0.1:49697
127.0.0.1:49697
127.0.0.1:49697
127.0.0.1:49697
127.0.0.1:49697
127.0.0.1:49697
127.0.0.1:49697
127.0.0.1:49697
127.0.0.1:49697
127.0.0.1:49697
127.0.0.1:49697
127.0.0.1:49697
142.250.180.4:80

http://www.google.com/

http

5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe

446 B
1.5kB
8
5

HTTP Request

GET http://www.google.com/

HTTP Response

302
142.250.180.4:80

http://www.google.com/

http

5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe

359 B
1.5kB
6
5

HTTP Request

GET http://www.google.com/

HTTP Response

302
127.0.0.1:49697

5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe
142.250.180.4:80

http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgTCbg1GGPfK6LQGIjDHuq3eSAjElvC9MaESFq0Yhwi7GaPgL3xnlnSp_pwh6iAsq1eLMrA9GHioBcAAoGoyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

http

5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe

960 B
3.7kB
10
9

HTTP Request

GET http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgTCbg1GGPfK6LQGIjDHuq3eSAjElvC9MaESFq0Yhwi7GaPgL3xnlnSp_pwh6iAsq1eLMrA9GHioBcAAoGoyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

HTTP Response

429
127.0.0.1:49697

5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe

8.8.8.8:53

csc3-2004-crl.verisign.com

dns

5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe

72 B
127 B
1
1

DNS Request

csc3-2004-crl.verisign.com
8.8.8.8:53

cx7m.hoststorageforyou.com

dns

5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe

144 B
145 B
2
1

DNS Request

cx7m.hoststorageforyou.com

DNS Request

cx7m.hoststorageforyou.com
8.8.8.8:53

patentgenius.com

dns

5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe

124 B
135 B
2
1

DNS Request

patentgenius.com

DNS Request

patentgenius.com
8.8.8.8:53

5ptgqew2ey.wwwmediahosts.com

dns

5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe

74 B
147 B
1
1

DNS Request

5ptgqew2ey.wwwmediahosts.com
8.8.8.8:53

-z92.wwwmediahosts.com

dns

5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe

68 B
141 B
1
1

DNS Request

-z92.wwwmediahosts.com
8.8.8.8:53

6yqi.hoststorageforyou.com

dns

5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe

72 B
145 B
1
1

DNS Request

6yqi.hoststorageforyou.com
8.8.8.8:53

TRANSERSDATAFORME.COM

dns

3A04.tmp

67 B
140 B
1
1

DNS Request

TRANSERSDATAFORME.COM
8.8.8.8:53

www.google.com

dns

5b30734c86e13b3ecf4c464f8c1f1a66_JaffaCakes118.exe

60 B
76 B
1
1

DNS Request

www.google.com

DNS Response

142.250.180.4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\1FFA9\9F06.FFA

Filesize
996B

MD5
0836ef6f36e76603d17e41c1f60d6ff2

SHA1
61624bc59d1ace41d8ee1bf12c7569cb43b6b384

SHA256
f234ba7a5d13b4f3b26ab3c6d8b327550f788ae17adfe79c1cd82259fc42098b

SHA512
5d861a4484acd3464c8e4ebd8131f494f6078374bf106dc02d77cc0be400bbc1638e7840cef56baff9a7c151461dc2abae9e9d85b7c7c89ab9f79c28d0c28834

Download Submit
C:\Users\Admin\AppData\Roaming\1FFA9\9F06.FFA

Filesize
600B

MD5
15476410dc014f35b7dad512d4d20153

SHA1
9250d8a68aa0db60891a82a01cd66203e4cadcd4

SHA256
ecc8c23809cda18792722bee5c4c2e3333653aa9b832071f8ef997f79386b569

SHA512
d640075be5f98deb00e98b24d347a7687e6b624b02fd2e0ba90c98eb061e1e87f1ef28dd14d40a762b9935609129b0b29e9e170145382cf5b53f7428203d8db3

Download Submit
C:\Users\Admin\AppData\Roaming\1FFA9\9F06.FFA

Filesize
1KB

MD5
90d1dac0852abba04b1fa0748b98c9ba

SHA1
383991f905f257a71b9321dbfd49ff2f12d0514a

SHA256
b3fe67d7ab58cfadf2ed6baee599138116396623d5b59b0f6c0cc150703cab00

SHA512
bf38d1be2175920c5d7f8d897d0854f95031b34862e2f522d0599dfda6f1e887ee3de7a9d67459a338cd498cd91b3e0a89c6288f446014b6976413d00a57c8c9

Download Submit
\Program Files (x86)\LP\8891\3A04.tmp

Filesize
101KB

MD5
c932041a7e800a1a80890dbe7d984243

SHA1
275e521889eaca58e193a5e7a6675fd08a6b6418

SHA256
2890d67e3a1b817a45e95fb5d7238c2761fad5a0c9fec3280e1be2c1a00d5c02

SHA512
b111ade33c5982232722d81f9c1329c3d875aa1be7a8870371cff9eba51390c05d70b9ce680241932463459fb550ded667a702e754a762f88d88e73b850275ef

Download Submit
memory/1580-302-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1900-14-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1900-13-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2320-122-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2320-126-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2320-1-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2320-11-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2320-301-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2320-2-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2320-305-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2320-306-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2948-124-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2948-125-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.