Overview

overview

10

Static

static

3

73a6a11c2d...18.exe

windows7-x64

10

73a6a11c2d...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    26-07-2024 10:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    73a6a11c2d266a38c47231cf08185cdf_JaffaCakes118.exe

  • Size

    276KB

  • MD5

    73a6a11c2d266a38c47231cf08185cdf

  • SHA1

    788d49570ac3369daa5ece2eda1be818f0273b10

  • SHA256

    3ef340e711b406fba665954a9500b27a99f6940cc20a5ecf1404922c2f985a1b

  • SHA512

    dccc86cd3e9d83785a31990c85d68df3df5e0d9f430ab8287317a674f53e72bb46d7c7130e544490904b037c172a180a3f8b4f0a71ee34f5011b9b3ecd3f930a

  • SSDEEP

    6144:r3LzKycO8rWSfSgl5U+7KhSpuehkv8dnb9YTlCYHTR9:Xzdhg7fKYkcne119

Score
10/10
ponycredential_accessdiscoveryevasionpersistenceratspywarestealerupx

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Disables taskbar notifications via registry modification
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 16 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\73a6a11c2d266a38c47231cf08185cdf_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\73a6a11c2d266a38c47231cf08185cdf_JaffaCakes118.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2416
    • C:\Users\Admin\AppData\Local\Temp\73a6a11c2d266a38c47231cf08185cdf_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\73a6a11c2d266a38c47231cf08185cdf_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\4902F\6212A.exe%C:\Users\Admin\AppData\Roaming\4902F
      2⤵
        PID:2268
      • C:\Users\Admin\AppData\Local\Temp\73a6a11c2d266a38c47231cf08185cdf_JaffaCakes118.exe
        C:\Users\Admin\AppData\Local\Temp\73a6a11c2d266a38c47231cf08185cdf_JaffaCakes118.exe startC:\Program Files (x86)\2F985\lvvm.exe%C:\Program Files (x86)\2F985
        2⤵
          PID:2972
        • C:\Program Files (x86)\LP\2A94\1584.tmp
          "C:\Program Files (x86)\LP\2A94\1584.tmp"
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:616
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe /V
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1724
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1452

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Active Setup

      1
      T1547.014

      Privilege Escalation

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Active Setup

      1
      T1547.014

      Defense Evasion

      Modify Registry

      4
      T1112

      Credential Access

      Credentials from Password Stores

      1
      T1555

      Credentials from Web Browsers

      1
      T1555.003

      Unsecured Credentials

      3
      T1552

      Credentials In Files

      3
      T1552.001

      Discovery

      Query Registry

      2
      T1012

      System Location Discovery

      1
      T1614

      System Language Discovery

      1
      T1614.001

      Lateral Movement

      Collection

      Data from Local System

      2
      T1005

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\4902F\F985.902
        Filesize

        1KB

        MD5

        b9439bf1f4337f471f401646f4c8b1bf

        SHA1

        1179608aa27f7fc59ed7ee3f9a4ac21d86341e5a

        SHA256

        653d14f804160ac95aba63080213d7b7029f4e2b9da0dcccdb2aeeaee08f6b60

        SHA512

        43d89623f7d0e1a934486f6cab949a640cdb6a04971ef69c63d875c86b5520efdf1820c13441e495c336a7323877a082addc9eac89d9a713524fbc9b532c73d7

        Download Submit
      • C:\Users\Admin\AppData\Roaming\4902F\F985.902
        Filesize

        600B

        MD5

        6378e2192f2a9e4db4fdf727646490be

        SHA1

        f1bae4664192fedac60df3f8ffa4d1eeaba68f6f

        SHA256

        27a35d71afc0583ee44e2bb9c4fb646674e4b0c32ed0cb9e4cd75fa7f0ffafe8

        SHA512

        b2289d71cb6dc8dd3e1bbd07e71f17137f48791e44737042f610e05ed9840502bab652c115a2869a19f7a767b166d9ea27fade4bb3a7aa94a7af7cedec4b2e44

        Download Submit
      • \Program Files (x86)\LP\2A94\1584.tmp
        Filesize

        97KB

        MD5

        34476c6ae3f87f799aa672ae62ce8b13

        SHA1

        052eecd19bd28180c29c910c486ac27cd7ee9e93

        SHA256

        97566dea7d7b2be42810a4f390d728232a2e046c32c13e768ec8d247c8841fc5

        SHA512

        681e1d3007402a03546880697f99b48ea0fab5febb88b16466902518c806a0c66a85ec3b5e897e46cd715cd404c06257401ce39d20bdce13086db4d177739bb1

        Download Submit
      • memory/616-317-0x0000000000400000-0x000000000041B000-memory.dmp
        Filesize

        108KB

        Download
      • memory/2268-16-0x0000000000400000-0x000000000046A000-memory.dmp
        Filesize

        424KB

        Download
      • memory/2268-19-0x0000000000400000-0x000000000046A000-memory.dmp
        Filesize

        424KB

        Download
      • memory/2268-17-0x0000000000400000-0x000000000046A000-memory.dmp
        Filesize

        424KB

        Download
      • memory/2416-15-0x0000000000400000-0x000000000046A000-memory.dmp
        Filesize

        424KB

        Download
      • memory/2416-193-0x0000000000400000-0x000000000046A000-memory.dmp
        Filesize

        424KB

        Download
      • memory/2416-0-0x0000000000400000-0x000000000046A000-memory.dmp
        Filesize

        424KB

        Download
      • memory/2416-3-0x0000000000400000-0x000000000046A000-memory.dmp
        Filesize

        424KB

        Download
      • memory/2416-316-0x0000000000400000-0x000000000046A000-memory.dmp
        Filesize

        424KB

        Download
      • memory/2416-2-0x0000000000400000-0x000000000046A000-memory.dmp
        Filesize

        424KB

        Download
      • memory/2416-321-0x0000000000400000-0x000000000046A000-memory.dmp
        Filesize

        424KB

        Download
      • memory/2972-192-0x0000000000400000-0x000000000046A000-memory.dmp
        Filesize

        424KB

        Download