Behavioral task
behavioral1
Sample
68ee01acd53c766ebc2785318409e502_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
68ee01acd53c766ebc2785318409e502_JaffaCakes118.exe
Resource
win10v2004-20240709-en
General
-
Target
68ee01acd53c766ebc2785318409e502_JaffaCakes118
-
Size
100KB
-
MD5
68ee01acd53c766ebc2785318409e502
-
SHA1
cb1a7d09ed4aa84820f9b975d976163f5a439b1c
-
SHA256
4ab77b4c9bfb746d93b09f510a2c72e10994219b79d07a1e932967358fc896f1
-
SHA512
543120590ce46994cf06c9e9daeafb99c895d37c67f6839923fe6a56712446dacf480082c5cf19f016299c962f5bd2907c42159b693dff73450e2d8e6f969299
-
SSDEEP
1536:c8CAsfIr3iqT4QcD+YKX8EzDxVvzG2Cv/0u3JXOO3u3TvZEqukzmIJ:WCbqqLX8EzdVq2CtOOedEqOIJ
Malware Config
Extracted
pony
http://rolex6.serverthuis.nl/po/gate.php
http://rolex7.serverthuis.nl/po/gate.php
-
payload_url
http://skin.mad.buttobi.net/11.exe
http://skin.mad.buttobi.net/22.exe
http://skin.mad.buttobi.net/33.exe
http://deltagoma.es/Scripts/11.exe
http://deltagoma.es/Scripts/22.exe
http://deltagoma.es/Scripts/33.exe
http://energy.elsat.net.pl/Delikatesy/11.exe
http://energy.elsat.net.pl/Delikatesy/22.exe
http://energy.elsat.net.pl/Delikatesy/33.exe
Signatures
-
Pony family
-
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
Processes:
resource 68ee01acd53c766ebc2785318409e502_JaffaCakes118
Files
-
68ee01acd53c766ebc2785318409e502_JaffaCakes118.exe windows:4 windows x86 arch:x86
9070133c9b0f87f00b2f93a4844ce260
Headers
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
Imports
kernel32
CreateFileA
ReadFile
CloseHandle
WriteFile
lstrlenA
GlobalLock
GlobalUnlock
LocalFree
LocalAlloc
GetTickCount
lstrcpyA
lstrcatA
GetFileAttributesA
ExpandEnvironmentStringsA
GetFileSize
CreateFileMappingA
MapViewOfFile
UnmapViewOfFile
LoadLibraryA
GetProcAddress
GetTempPathA
CreateDirectoryA
DeleteFileA
GetCurrentProcess
WideCharToMultiByte
GetLastError
lstrcmpA
CreateToolhelp32Snapshot
Process32First
OpenProcess
Process32Next
FindFirstFileA
lstrcmpiA
FindNextFileA
FindClose
GetModuleHandleA
GetVersionExA
GetLocaleInfoA
GetSystemInfo
GetWindowsDirectoryA
GetPrivateProfileStringA
SetCurrentDirectoryA
GetPrivateProfileSectionNamesA
GetPrivateProfileIntA
GetCurrentDirectoryA
lstrlenW
MultiByteToWideChar
Sleep
GetModuleFileNameA
LCMapStringA
ExitProcess
ole32
CreateStreamOnHGlobal
GetHGlobalFromStream
CoCreateGuid
CoTaskMemFree
CoCreateInstance
OleInitialize
user32
wsprintfA
advapi32
RegOpenKeyExA
RegQueryValueExA
RegCloseKey
RegOpenKeyA
RegEnumKeyExA
RegCreateKeyA
RegSetValueExA
IsTextUnicode
RegOpenCurrentUser
RegEnumValueA
GetUserNameA
shell32
ShellExecuteA
wininet
InternetCrackUrlA
InternetCreateUrlA
shlwapi
StrStrIA
StrRChrIA
StrToIntA
StrStrA
StrCmpNIA
StrStrIW
wsock32
inet_addr
gethostbyname
socket
connect
closesocket
send
select
recv
setsockopt
WSAStartup
userenv
LoadUserProfileA
UnloadUserProfile
Sections
.text Size: 70KB - Virtual size: 70KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 256B - Virtual size: 256B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 19KB - Virtual size: 19KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE