Overview

overview

10

Static

static

3

745953afb8...18.exe

windows7-x64

10

745953afb8...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    26-07-2024 13:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    745953afb831abb7adc6507e0230345b_JaffaCakes118.exe

  • Size

    277KB

  • MD5

    745953afb831abb7adc6507e0230345b

  • SHA1

    e134cfb44ad6541e853d9adb0e66aae79ec2b59d

  • SHA256

    6e0a9ce17c9c850712a70bc449a6b89e154abfe831bd535c8ee74d0d6ea1b23d

  • SHA512

    bdf5e194355d169c72a3b5807d665e66bd58f638459aff21eab47807a78039a03e4cd99750c920da85937edffabd76162f3d25d97bd4f820efe69cf9237077f5

  • SSDEEP

    6144:n9crGFFL4EyYlHuoy0zEyEm2h4qgofCD+mPV0:96GZHuoZ0OqgofCam

Score
10/10
ponycredential_accessdiscoverypersistenceratspywarestealerupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\745953afb831abb7adc6507e0230345b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\745953afb831abb7adc6507e0230345b_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2480
    • C:\Users\Admin\AppData\Local\Temp\745953afb831abb7adc6507e0230345b_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\745953afb831abb7adc6507e0230345b_JaffaCakes118.exe startC:\Program Files (x86)\Internet Explorer\D3A9\4D6.exe%C:\Program Files (x86)\Internet Explorer\D3A9
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1848
    • C:\Users\Admin\AppData\Local\Temp\745953afb831abb7adc6507e0230345b_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\745953afb831abb7adc6507e0230345b_JaffaCakes118.exe startC:\Program Files (x86)\AE872\lvvm.exe%C:\Program Files (x86)\AE872
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2972
    • C:\Program Files (x86)\Internet Explorer\D3A9\5744.tmp
      "C:\Program Files (x86)\Internet Explorer\D3A9\5744.tmp"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2856

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\96BAE\E872.6BA
    Filesize

    1KB

    MD5

    a0f86568aeb9328610a1c8b573de9100

    SHA1

    f4fdb65762c7d5b0a3411f1f0e6288f312149cfb

    SHA256

    35cb950273f26013fd62dc16fe9eda9522197a8108a0117420e238ec98aa01dd

    SHA512

    59bc3f02ea2801e5734d369649b23a139883352cdce9ae527c7d1fce929aaf57134bd70f8177c247a9695e48ea2e2fd57db88726c5915121bc2b64d5e401ca71

    Download Submit

  • C:\Users\Admin\AppData\Roaming\96BAE\E872.6BA
    Filesize

    600B

    MD5

    d19945fa1ae5f85ac75e04a7a5fe6845

    SHA1

    03e3ae0d94a1823575ab25cbb944ade8269d8829

    SHA256

    5cf007e4255a8ab171af8e4333113ee89f4609a0a305df07ddbd35772b5010c6

    SHA512

    5c28079d5c87fce00c3a12c8ce699eac9f81201f3912a0f0506b9305a78ca93d8935a2d7a5ddfd576ba729b8cf73170cb197f595d01c091b3852c969c7e57948

    Download Submit

  • C:\Users\Admin\AppData\Roaming\96BAE\E872.6BA
    Filesize

    996B

    MD5

    38a1339fece9079c7284e7875b370d18

    SHA1

    153d2caf53e636be7e9fb60093c5fea2bd967d3e

    SHA256

    a6ecdd003eb241ffd06922879aa5581721a46f6c2ed145ddc4f22e5011e61c10

    SHA512

    45834276665adfb1a6057b1cc3d80575c8c5c748305dd10d37a25a9b94a7e5b187958e3cf101266153c7867c26193804194133e7d3c9538c72999b54c1a36a0e

    Download Submit

  • \Program Files (x86)\Internet Explorer\D3A9\5744.tmp
    Filesize

    103KB

    MD5

    90f14957af4798c13dcdd9f26c0873f6

    SHA1

    04fbe889eed77913e58c409582840e8bee606df0

    SHA256

    15ffe721016d1490299956f82a93ec872e7d41526177401a9267f29f331c4647

    SHA512

    8708283efb9e3349a7a13d72d58c1aa3041b8a03928fb94b66db4290d229c1fa637ecc301a0519aac2729257a5c993d34249973e2f7443f04a7202cddb586284

    Download Submit

  • memory/1848-76-0x0000000000400000-0x00000000004A9000-memory.dmp

    Filesize

    676KB

    Download

  • memory/1848-12-0x00000000006B6000-0x00000000006DB000-memory.dmp

    Filesize

    148KB

    Download

  • memory/1848-13-0x0000000000400000-0x00000000004A9000-memory.dmp

    Filesize

    676KB

    Download

  • memory/1848-11-0x0000000000400000-0x00000000004A9000-memory.dmp

    Filesize

    676KB

    Download

  • memory/2480-74-0x0000000000400000-0x00000000004A9000-memory.dmp

    Filesize

    676KB

    Download

  • memory/2480-1-0x0000000000400000-0x00000000004A9000-memory.dmp

    Filesize

    676KB

    Download

  • memory/2480-154-0x0000000000400000-0x00000000004A9000-memory.dmp

    Filesize

    676KB

    Download

  • memory/2480-66-0x0000000000400000-0x00000000004A9000-memory.dmp

    Filesize

    676KB

    Download

  • memory/2480-192-0x0000000000400000-0x00000000004A9000-memory.dmp

    Filesize

    676KB

    Download

  • memory/2480-193-0x0000000000400000-0x00000000004A9000-memory.dmp

    Filesize

    676KB

    Download

  • memory/2856-155-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2856-156-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2972-73-0x0000000000656000-0x000000000067B000-memory.dmp

    Filesize

    148KB

    Download

  • memory/2972-72-0x0000000000400000-0x00000000004A9000-memory.dmp

    Filesize

    676KB

    Download