Overview

overview

10

Static

static

3

755b1f6024...18.exe

windows7-x64

10

755b1f6024...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    755b1f60241f1ae2376ffeac9972568d_JaffaCakes118

  • Size

    328KB

  • Sample

    240726-xx4tqsscqf

  • MD5

    755b1f60241f1ae2376ffeac9972568d

  • SHA1

    6819ea04b3106c1197be855300448a4a6d73e968

  • SHA256

    7ed8ea6805c2c8be03e74a147343a60b93b5a094a7a463864191442cb87fdf00

  • SHA512

    5f7f4f472262a41efa071108a76d191e9194bd3de305e92ea15a7e7964e65192d652b40d4692e1fe8013b3a8ee50bfd836a5362ec425b0bb0e6bb9ab8d6333f7

  • SSDEEP

    6144:Y7Xop2DQGktWZaZzHwqdsD57mte6wxVMHZc8Uy/Ya774Tu+sQV1ph:cokD5kt4aZcT97mk5yHa8DHouTM

Score
10/10
ponycredential_accessdiscoveryevasionpersistenceratspywarestealerupx

Malware Config

Targets

    • Target

      755b1f60241f1ae2376ffeac9972568d_JaffaCakes118

    • Size

      328KB

    • MD5

      755b1f60241f1ae2376ffeac9972568d

    • SHA1

      6819ea04b3106c1197be855300448a4a6d73e968

    • SHA256

      7ed8ea6805c2c8be03e74a147343a60b93b5a094a7a463864191442cb87fdf00

    • SHA512

      5f7f4f472262a41efa071108a76d191e9194bd3de305e92ea15a7e7964e65192d652b40d4692e1fe8013b3a8ee50bfd836a5362ec425b0bb0e6bb9ab8d6333f7

    • SSDEEP

      6144:Y7Xop2DQGktWZaZzHwqdsD57mte6wxVMHZc8Uy/Ya774Tu+sQV1ph:cokD5kt4aZcT97mk5yHa8DHouTM

    Score
    10/10
    ponycredential_accessdiscoveryevasionpersistenceratspywarestealerupx

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

      ratspywarestealerpony

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Disables taskbar notifications via registry modification

      evasion

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

      persistence

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Active Setup

1
T1547.014

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Active Setup

1
T1547.014

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

Modify Registry

3
T1112

Credential Access

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Query Registry

2
T1012

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks