Analysis

  • max time kernel
    142s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-07-2024 10:31

General

  • Target
    73acea44fbbe0c1fc2e5590e377df9c6_JaffaCakes118.exe
  • Size
    276KB
  • MD5
    73acea44fbbe0c1fc2e5590e377df9c6
  • SHA1
    43bd62fe3189f5694156ca93fcf8bb10f0148f54
  • SHA256
    bcf21b35c9471c18119fe024c10025e24f7ae762dec72d9fe752975f19e957fd
  • SHA512
    b8b58b4d9f8033ce63ef45d0e94e0849e41c7852a0ae2c2131b1a37370dc70c63dd4db4e2e3b3c5ef21da08e5c4dd185df488bd34e42170278a8c37f237bfd2e
  • SSDEEP
    6144:NX4i4Zs/ON7CJVFJRwAGRtS2wWAgZzc0kq/pe9Ijm:NjWZE7JRotSC120cM

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Executes dropped EXE 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steals credentials from unsecured files.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\73acea44fbbe0c1fc2e5590e377df9c6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\73acea44fbbe0c1fc2e5590e377df9c6_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3444
    • C:\Users\Admin\AppData\Local\Temp\73acea44fbbe0c1fc2e5590e377df9c6_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\73acea44fbbe0c1fc2e5590e377df9c6_JaffaCakes118.exe startC:\Program Files (x86)\Internet Explorer\D3A0\858.exe%C:\Program Files (x86)\Internet Explorer\D3A0
      2⤵
      PID:764
    • C:\Users\Admin\AppData\Local\Temp\73acea44fbbe0c1fc2e5590e377df9c6_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\73acea44fbbe0c1fc2e5590e377df9c6_JaffaCakes118.exe startC:\Program Files (x86)\49423\lvvm.exe%C:\Program Files (x86)\49423
      2⤵
      PID:972
    • C:\Program Files (x86)\Internet Explorer\D3A0\2630.tmp
      "C:\Program Files (x86)\Internet Explorer\D3A0\2630.tmp"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4032

Network

MITRE ATT&CK Matrix ATT&CK v13

Persistence

  • Boot or Logon Autostart Execution (T1547): 1
  • Winlogon Helper DLL (T1547.004): 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 1
  • Winlogon Helper DLL (T1547.004): 1

Defense Evasion

  • Modify Registry (T1112): 1

Credential Access

  • Credentials from Password Stores (T1555): 1
  • Credentials from Web Browsers (T1555.003): 1
  • Unsecured Credentials (T1552): 3
  • Credentials In Files (T1552.001): 3

Discovery

  • Query Registry (T1012): 1
  • System Location Discovery (T1614): 1
  • System Language Discovery (T1614.001): 1

Collection

  • Data from Local System (T1005): 2


Downloads

  • C:\Program Files (x86)\Internet Explorer\D3A0\2630.tmp
    Filesize 101KB
    MD5 4de57061b637aa8c144f3847f35f2820
    SHA1 21372e9be2f5bc629f7cd87286026945d5ab8656
    SHA256 3b961e666c2166929e6bab6b7e597c0057c5dc0b0d24eb05c4f838100aeb2c60
    SHA512 0603603596018348d51400b8176e583c38e3ebf3de03b311930ff5c7b249446d74dd86aa90018f519adf43191a1f9b9192b69540243d2e880d1c8092967c2ab9
  • C:\Users\Admin\AppData\Roaming\0F349\9423.F34
    Filesize 996B
    MD5 09680c7e048745030aae775be8416208
    SHA1 c06eaa57a2e55a0a56648f299c7a63f7971415a7
    SHA256 5930f2ee41348fa89b5491e0565587300df7151d76304086eb4e4698d7ee34e2
    SHA512 307ebd5dbeea7ee2497c51737d3553588575f7d1cb76812a669c5d82702b29396ce72a5776701af7b59b2f02780ac70c0718f6e695f49b94a5d1213eb42f9840
  • C:\Users\Admin\AppData\Roaming\0F349\9423.F34
    Filesize 600B
    MD5 d57e6649f820c3e2c0e854f658de33fb
    SHA1 a28c23083733643b58c8f7cfed1679b82efe5e16
    SHA256 7cea727b86f53e5be86720c0483d7d67deba7fdfd45425ef9cd4d0ef4cc7a42d
    SHA512 d297f1382d03e140b3f2981c5bef25fefff5f3c087fa05a38b24991db0aaad27e08b34e9f051bf8cb33e333b2b6a644ead27882e2ca3790c2725dc14e34384aa
  • memory/764-8-0x0000000000400000-0x00000000004A8000-memory.dmp
    Filesize 672KB
  • memory/764-9-0x0000000000400000-0x00000000004A8000-memory.dmp
    Filesize 672KB
  • memory/764-15-0x0000000000400000-0x00000000004A8000-memory.dmp
    Filesize 672KB
  • memory/972-108-0x0000000000516000-0x000000000053B000-memory.dmp
    Filesize 148KB
  • memory/972-107-0x0000000000400000-0x00000000004A8000-memory.dmp
    Filesize 672KB
  • memory/3444-51-0x0000000000400000-0x00000000004A8000-memory.dmp
    Filesize 672KB
  • memory/3444-109-0x0000000000400000-0x00000000004A8000-memory.dmp
    Filesize 672KB
  • memory/3444-1-0x0000000000400000-0x00000000004A8000-memory.dmp
    Filesize 672KB
  • memory/3444-2-0x0000000000400000-0x00000000004A8000-memory.dmp
    Filesize 672KB
  • memory/3444-181-0x0000000000400000-0x00000000004A8000-memory.dmp
    Filesize 672KB
  • memory/3444-184-0x0000000000400000-0x00000000004A8000-memory.dmp
    Filesize 672KB
  • memory/4032-180-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize 112KB