Overview

overview

10

Static

static

3

745953afb8...18.exe

windows7-x64

10

745953afb8...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-07-2024 13:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    745953afb831abb7adc6507e0230345b_JaffaCakes118.exe

  • Size

    277KB

  • MD5

    745953afb831abb7adc6507e0230345b

  • SHA1

    e134cfb44ad6541e853d9adb0e66aae79ec2b59d

  • SHA256

    6e0a9ce17c9c850712a70bc449a6b89e154abfe831bd535c8ee74d0d6ea1b23d

  • SHA512

    bdf5e194355d169c72a3b5807d665e66bd58f638459aff21eab47807a78039a03e4cd99750c920da85937edffabd76162f3d25d97bd4f820efe69cf9237077f5

  • SSDEEP

    6144:n9crGFFL4EyYlHuoy0zEyEm2h4qgofCD+mPV0:96GZHuoZ0OqgofCam

Score
10/10
ponycredential_accessdiscoverypersistenceratspywarestealerupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Executes dropped EXE 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\745953afb831abb7adc6507e0230345b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\745953afb831abb7adc6507e0230345b_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3980
    • C:\Users\Admin\AppData\Local\Temp\745953afb831abb7adc6507e0230345b_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\745953afb831abb7adc6507e0230345b_JaffaCakes118.exe startC:\Program Files (x86)\Internet Explorer\D3A4\1A5.exe%C:\Program Files (x86)\Internet Explorer\D3A4
      2⤵
        PID:3028
      • C:\Users\Admin\AppData\Local\Temp\745953afb831abb7adc6507e0230345b_JaffaCakes118.exe
        C:\Users\Admin\AppData\Local\Temp\745953afb831abb7adc6507e0230345b_JaffaCakes118.exe startC:\Program Files (x86)\9FD0D\lvvm.exe%C:\Program Files (x86)\9FD0D
        2⤵
          PID:3000
        • C:\Program Files (x86)\Internet Explorer\D3A4\39F7.tmp
          "C:\Program Files (x86)\Internet Explorer\D3A4\39F7.tmp"
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2764

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Internet Explorer\D3A4\39F7.tmp
        Filesize

        103KB

        MD5

        90f14957af4798c13dcdd9f26c0873f6

        SHA1

        04fbe889eed77913e58c409582840e8bee606df0

        SHA256

        15ffe721016d1490299956f82a93ec872e7d41526177401a9267f29f331c4647

        SHA512

        8708283efb9e3349a7a13d72d58c1aa3041b8a03928fb94b66db4290d229c1fa637ecc301a0519aac2729257a5c993d34249973e2f7443f04a7202cddb586284

        Download Submit

      • C:\Users\Admin\AppData\Roaming\4FC9F\FD0D.FC9
        Filesize

        600B

        MD5

        160bfc6e7f07473421529bc89bdf05eb

        SHA1

        11ca4cfe77d94941199803ab062981aff77cf330

        SHA256

        2c2a4c53e5ad5cf99f87f3d031db9096c9071e4ecc5156c851effd9675b2fd7e

        SHA512

        2cccd01405ebde165c7690a5ac11774714d876f495b44d5d09df14339b844e42069a03cefe324a6bfb960f9ea68166abf359e4d87b2fc349f634f627245c59d4

        Download Submit

      • C:\Users\Admin\AppData\Roaming\4FC9F\FD0D.FC9
        Filesize

        1KB

        MD5

        89b18c0fa40ec9fe23250c727db12c97

        SHA1

        73f5b3f664b7269f67d23fc442283a3291f124f6

        SHA256

        d4c3148006bc7703c36e14c64f6830b152328faacdfc774d47e295edd22ca45c

        SHA512

        a5e01059c30d7d291ebd14633c752fd50cb75e5c6f31f60d994afb5a1dfc484ed751f4075df0f175dfd7bf9f6ee09571cabba1adb5bc4a013ba88e8d4ebf9ea1

        Download Submit

      • C:\Users\Admin\AppData\Roaming\4FC9F\FD0D.FC9
        Filesize

        996B

        MD5

        50b339df03526bb6224be5ac9a435547

        SHA1

        45f5efdc60cf1d11e90a9b8ac8178bedf70eb2c9

        SHA256

        984653196f3e63e4aa1b2b61bdcfedef621bfe82326f9e03388135e400dbd4cd

        SHA512

        e883f0279ab2abef98637fd8032c7dda0c4776de0126c84b9177464691f5ef8641ae87327787d9cabf0d46d864166613ea90050f525e80d820f8703aef411fd6

        Download Submit

      • memory/2764-167-0x0000000000400000-0x000000000041C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/2764-169-0x0000000000400000-0x000000000041C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/3000-84-0x0000000000400000-0x00000000004A9000-memory.dmp

        Filesize

        676KB

        Download

      • memory/3000-83-0x0000000000400000-0x00000000004A9000-memory.dmp

        Filesize

        676KB

        Download

      • memory/3028-11-0x0000000000400000-0x00000000004A9000-memory.dmp

        Filesize

        676KB

        Download

      • memory/3028-12-0x0000000000400000-0x00000000004A9000-memory.dmp

        Filesize

        676KB

        Download

      • memory/3028-14-0x0000000000400000-0x00000000004A9000-memory.dmp

        Filesize

        676KB

        Download

      • memory/3980-15-0x0000000000400000-0x00000000004A9000-memory.dmp

        Filesize

        676KB

        Download

      • memory/3980-85-0x0000000000400000-0x00000000004A9000-memory.dmp

        Filesize

        676KB

        Download

      • memory/3980-1-0x0000000000400000-0x00000000004A9000-memory.dmp

        Filesize

        676KB

        Download

      • memory/3980-201-0x0000000000400000-0x00000000004A9000-memory.dmp

        Filesize

        676KB

        Download

      • memory/3980-203-0x0000000000400000-0x00000000004A9000-memory.dmp

        Filesize

        676KB

        Download

      • memory/3980-204-0x0000000000400000-0x00000000004A9000-memory.dmp

        Filesize

        676KB

        Download