Analysis
-
max time kernel
121s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
28-07-2024 09:23
General
-
Target
1268348828883dbc98a1a584dec8ded8_JaffaCakes118.js
-
Size
283KB
-
MD5
1268348828883dbc98a1a584dec8ded8
-
SHA1
7fd4ed93d6a549baf7402f7fd5e736faf2ae40f4
-
SHA256
05bbe75c2e13f4e9267f6217a0d91acab003fc7f1eb1a92d81b10bd3cf448f9e
-
SHA512
8d7df58ab9cb6ca13c1e3317cf51ec7ae67e7389e0464794dab8edaabd1b6454d73b8c27796335693f2aa6453a4dfed1261685f10d180a793781ae35adde2dcb
-
SSDEEP
6144:AFM0/rWK/2tG3ZL1hsI5y7XFeLAPlRpQEWpbTMp4Jc3L:AX/d/2QtT5y7XnlRpQHFTMaJGL
Malware Config
Extracted
pony
http://dinom.spb.ru/api/index.php
Signatures
-
CrypVault
Ransomware family which makes encrypted files look like they have been quarantined by AV.
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
-
Drops startup file 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 11 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Office loads VBA resources, possible macro or embedded object present
-
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 40 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_win_path 1 IoCs
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\1268348828883dbc98a1a584dec8ded8_JaffaCakes118.js1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\doc_ed11ce.docx"2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe"C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exeC:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe3⤵
- Drops startup file
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_win_path
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\VAULT.hta"4⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
-
-
C:\Windows\SysWOW64\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\system32\cmd.execmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet2⤵
- Interacts with shadow copies
-
-
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} recoveryenabled no2⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures2⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1JavaScript
1Windows Management Instrumentation
1Defense Evasion
Direct Volume Access
1Indicator Removal
2File Deletion
2Modify Registry
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
162B
MD5943297dc7e4e167335e7d7e706bd4ad9
SHA1cb3c55a6c4901001c2a2893cc059bf53091b23e8
SHA25619d9f4d720ef5d52383f29ee5edd686f4538757bdb6f8b6aa4c2fa1df32d4763
SHA51266a247f6006117bd01da6d48a2037630ec84da487e2230750e95cb26b241a5c6978553c51dce03ebe8fbc5efef53dd5a354fdb7853e17c05ca3138831509bf42
-
Filesize
152KB
MD5347684b6130a16aace57a364658c8435
SHA19f6a1ceb820319d56f047b0c1213f7359dc6b7da
SHA2564bc47e12fdaadd5d9da37ee13c5c173bf61a013823f5c49065cd5d43f2ddef94
SHA5120596c6f6b80bba6bf4a1874019faf3198a3d9d0dcf1c79bcaa76a5324adf3ee8ce03bc627d77bbe6b565f86caab8ba9df826d894704d13243bfef32005d4f9f7
-
Filesize
22KB
MD524a09f3f72fe19cc920e86645626f197
SHA1e9cee70b03d0938b8590b01ea89325f65ec90971
SHA25637073e6c5503ebe0b3101f42f98c56892e1db686e5592255faf443ee6066dce6
SHA512c59049f19d5eb81283c1848c8145f7a22c1386a40af9d31f3641fecb6d762f75660492f58797514d1053ea87e53635307cdd75366f87ba18f019523967cf27e1
-
Filesize
19KB
MD52aed0ef9b7ca9d7fc3d096320b416b4a
SHA1eb8383ed2cc3c064efbbc0a935255bbe52346d1b
SHA256b4a8904d7187bbae04dc592f8f6a197aa3633f1a98e6fcff9ab9f993a94e0635
SHA512f3c1a0164b1c5209b673ca6f071dfe589251dc7ccf9f335b64db02bf950c389decba817e934c20ab4c6e821c79ea07ff9205298b9da15c5f253f40cd9477e887
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
4KB
MD5b71751d104ed8f256ae64a7d02821be0
SHA1bc3e6ac19bf1431a5872597684b2982b8ba07d87
SHA2566a37244fbabb6238f178c7b769b3d0f15c93d70fece941b416c8e71140538004
SHA512b3bee8dd51f874f5677dbb37989077776d0169d97760395d38ab52ac422ce3a9db78df3970a6c1ac6e18538d8e014fc72f3481964976a5f26b2c7e63efe0ffdf
-
Filesize
1KB
MD58b3c3ed194728acce8a04e8e2bfe62a6
SHA1144a6800357571cc291df1d558a63e88ca236eb5
SHA25687f71a3acf63721b7a0af38e222c755ef18516321adefffdfec570c4bd6b6a96
SHA51277ce72c31eb96ec71f690d5092650e5a2364643b0a9c4cf00ad3ef9df7dd5a52027d6e047f9b020fc4cc6f9d47226c5e87db6ca6474c7066c101da1b04b53a8e
-
Filesize
1KB
MD5f179b38efb131fe9ad676f4b03a18369
SHA19478bd8fee79cbbb42d935747290d6434a18f221
SHA25672687ac960a85942e32020e051b56a41af1eee24b7a17756b5b0779f8a1d52c3
SHA5129bc73f0688594e74842fc95918a665a0540fd43b3be0d82c8535063282f3bb19e4821cd6d066eaa5d290f9e7ab2cafd42e5f4dd35444d3363ac047d5c61b4a2f
-
Filesize
1KB
MD5755013bef6c797721834f0f336509456
SHA1400180d8f04d8e0bed626603fdc81f4a7c42a11a
SHA2567e6770c80322aec1304b0cfe5e81d169a917135d53d365aeeb58c3e0d33df42f
SHA5120c80f6def90f22b8994e4d61bdeda365dd6ae0dc070ac26c78f801448949dca032bb9922238c5f886c8728114e8cfc31ec82f5527e9bc5032481d6f9fd32b4d6
-
Filesize
1KB
MD55c27ee062378bf4a4f1b963fdc867a3d
SHA1e8f30952a8a5722f535f657012ff121e1e9730b4
SHA2562dd3a3c1c16ad589270000c7db708e28a7c26279ea847517d91468b7d5911644
SHA512cee96add18d9b5137f4d39dfc8c26a1dd6f34780ab8bd63cea510e54878c3f70fc00cd8eb71418634a63fa8e8807e7b1d8d96fd3ac8b4ca3a1d71b1802876ed0
-
Filesize
1KB
MD50333f2624bc9830a339c53bfa28845cf
SHA1b34a59d0c46db3301ebd059e5270f8ec312f0765
SHA256713d5cff0701505aa5affa2c7187cf3bba37c15634ec8fc8238749ff00a853dd
SHA5123bb9af97d2840a3d2d34d47bf75645524fd71ba8ba05b42c87bbb4fa9aad00f161794c65ffa5be85489657869b89d18d884d7bcc0f1d9b68427caca4eaf8ef45
-
Filesize
1KB
MD560d178fed5bfafb342936331a5f836c2
SHA19b12cb93a5788ba35c2868ce75891e19f7c206ae
SHA2561d7c811b33be472b61335979eb1a5137a218e91503b4eb526aadcc0b314b926f
SHA512ff167015ab2012a37b3672a621a1e031435266210099a6e6018038c9def1fb91d66d16e982c4f502c0609255f9b6d3c1b44f8d9a6343e76908d18eb92520a20b
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
44KB
-
Filesize
64KB
-
Filesize
44KB
-
Filesize
10.2MB
-
Filesize
60KB
-
Filesize
10.2MB
-
Filesize
10.2MB
-
Filesize
10.2MB
-
Filesize
10.2MB
-
Filesize
10.2MB
-
Filesize
4KB
-
Filesize
10.2MB
-
Filesize
10.2MB
-
Filesize
10.2MB
-
Filesize
10.2MB
-
Filesize
10.2MB
-
Filesize
10.2MB
-
Filesize
1024KB