Analysis
max time kernel: 140s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 06-09-2024 02:52
Static task: static1
Behavioral task: behavioral1
  Sample: ce7afd3a8aab7866b34311eafe6f0979_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: ce7afd3a8aab7866b34311eafe6f0979_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
Note: the Signatures and Processes sections below are from the behavioral1 run (Windows 7 x64, win7-20240903-en); no results from the behavioral2 (Windows 10) run appear on this page.
General
Target: ce7afd3a8aab7866b34311eafe6f0979_JaffaCakes118.exe
Size: 283KB
MD5: ce7afd3a8aab7866b34311eafe6f0979
SHA1: 6b75704fc65edc492ddb9e14295deb3db549cf78
SHA256: d7ec4d8d576ce42cd3f24df078df34825416d59781dc245edf21263d82795455
SHA512: 3147a07dea58baf3aac9b290325b15211f23f4f3292a0623e388f9af695a6c0a33c4da884c1871d5ded76f4f851fa8774d79ca366c360f274b83fe9784f5ae2f
SSDEEP: 6144:lASNvi/3yUIGnx2Y9wfYpAhn5JuyqiN4hMrzxalTtO:NN6vRIGom+siNGmFv
Malware Config
Signatures
Modifies security service (2 TTPs, 1 IoC)
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3"  [ce7afd3a8aab7866b34311eafe6f0979_JaffaCakes118.exe]
  wscsvc is the Windows Security Center service. Start = 3 (SERVICE_DEMAND_START) replaces the automatic start type, so the service that raises the "no antivirus / firewall off" alerts no longer comes up at boot.
Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
  Malicious access or copy of a web browser credential store.
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoC)
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Active Setup\Installed Components  [explorer.exe]
  Caveat: the only writer recorded is explorer.exe creating the parent Installed Components key, which the shell does itself at logon. No subkey or StubPath written by the sample is listed, so this hit alone is not evidence of Active Setup persistence.
Disables taskbar notifications via registry modification
  (The underlying write is the HideSCAHealth policy value listed under "System policy modification" below.)
Executes dropped EXE (1 IoC)
  PID 1724  24DF.tmp
Loads dropped DLL (2 IoCs)
  PID 2420  ce7afd3a8aab7866b34311eafe6f0979_JaffaCakes118.exe  (2 occurrences)
Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
YARA rule match: upx (9 IoCs)
  behavioral1/memory/2420-2-0x0000000000400000-0x000000000046B000-memory.dmp
  behavioral1/memory/2420-11-0x0000000000400000-0x000000000046B000-memory.dmp
  behavioral1/memory/756-16-0x0000000000400000-0x000000000046B000-memory.dmp
  behavioral1/memory/756-17-0x0000000000400000-0x000000000046B000-memory.dmp
  behavioral1/memory/2420-14-0x0000000000400000-0x0000000000468000-memory.dmp
  behavioral1/memory/2420-81-0x0000000000400000-0x000000000046B000-memory.dmp
  behavioral1/memory/2908-83-0x0000000000400000-0x000000000046B000-memory.dmp
  behavioral1/memory/2420-200-0x0000000000400000-0x000000000046B000-memory.dmp
  behavioral1/memory/2420-204-0x0000000000400000-0x000000000046B000-memory.dmp
  The upx rule fires on the mapped image (0x400000) of PIDs 2420, 756 and 2908, i.e. the sample and the two copies of itself it launches; the dumps are the place to look for the unpacked code rather than the 283KB file on disk.
Unsecured Credentials: Credentials In Files (1 TTP)
  Steal credentials from unsecured files.
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\A95.exe = "C:\\Program Files (x86)\\LP\\536C\\A95.exe"  [ce7afd3a8aab7866b34311eafe6f0979_JaffaCakes118.exe]
  The Wow6432Node path is the 32-bit registry view of HKLM\...\Run on this x64 host, consistent with a 32-bit sample; the autorun target is the file dropped under Program Files (x86)\LP\536C below.
Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory (3 IoCs)
  File opened for modification C:\Program Files (x86)\LP\536C\A95.exe  [ce7afd3a8aab7866b34311eafe6f0979_JaffaCakes118.exe]
  File opened for modification C:\Program Files (x86)\LP\536C\24DF.tmp  [ce7afd3a8aab7866b34311eafe6f0979_JaffaCakes118.exe]
  File created C:\Program Files (x86)\LP\536C\A95.exe  [ce7afd3a8aab7866b34311eafe6f0979_JaffaCakes118.exe]
  Writing under Program Files (x86) needs write access a standard, non-elevated user does not have; the sandbox runs the sample from the Admin profile (see the paths under Processes).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  [24DF.tmp]
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  [ce7afd3a8aab7866b34311eafe6f0979_JaffaCakes118.exe]  (3 occurrences)
Modifies registry class (5 IoCs)
  Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots  [explorer.exe]
  Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff  [explorer.exe]
  Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings  [explorer.exe]
  Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell  [explorer.exe]
  Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU  [explorer.exe]
  All five writes are explorer.exe ShellBag (BagMRU) housekeeping, not activity of the sample.
Suspicious behavior: EnumeratesProcesses (14 IoCs)
  PID 2420  ce7afd3a8aab7866b34311eafe6f0979_JaffaCakes118.exe  (14 occurrences)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 304  explorer.exe
Suspicious use of AdjustPrivilegeToken (15 IoCs)
  Token: SeRestorePrivilege  PID 2140  msiexec.exe
  Token: SeTakeOwnershipPrivilege  PID 2140  msiexec.exe
  Token: SeSecurityPrivilege  PID 2140  msiexec.exe
  Token: SeShutdownPrivilege  PID 304  explorer.exe  (12 occurrences)
Suspicious use of FindShellTrayWindow (28 IoCs)
  PID 304  explorer.exe  (28 occurrences)
Suspicious use of SendNotifyMessage (22 IoCs)
  PID 304  explorer.exe  (22 occurrences)
  The GetForegroundWindowSpam, AdjustPrivilegeToken, FindShellTrayWindow and SendNotifyMessage hits are all on explorer.exe (PID 304) and the Windows Installer service (msiexec.exe /V, PID 2140). Both are top-level processes in the tree below, not children of the sample, and nothing in this report shows the sample writing into them, so treat these as sandbox background noise.
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2420 (ce7afd3a8aab7866b34311eafe6f0979_JaffaCakes118.exe) wrote to memory of PID 756   (procid_target 31, 4 occurrences)
  PID 2420 (ce7afd3a8aab7866b34311eafe6f0979_JaffaCakes118.exe) wrote to memory of PID 2908  (procid_target 34, 4 occurrences)
  PID 2420 (ce7afd3a8aab7866b34311eafe6f0979_JaffaCakes118.exe) wrote to memory of PID 1724  (procid_target 37, 4 occurrences)
  All three targets are the sample's own children (the two re-launched copies of itself and the dropped 24DF.tmp); the writes go into processes it created, not into a foreign process.
System policy modification (1 TTP, 2 IoCs)
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer  [ce7afd3a8aab7866b34311eafe6f0979_JaffaCakes118.exe]
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"  [ce7afd3a8aab7866b34311eafe6f0979_JaffaCakes118.exe]
  HideSCAHealth = 1 hides the Action Center (Security Center health) icon from the notification area, which suppresses the visible warning that would otherwise follow the wscsvc start-type change above.
Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
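The registry writes in the signatures above (the wscsvc start type, HideSCAHealth, the Run key and Active Setup) are the artifacts a detection engineer would want to pull out of a report like this automatically. The following is an added example, not code from this report or from the sandbox vendor: it parses registry events written in the same "Set value (type) key = "value" process" / "Key created key process" form the Signatures section uses, normalises the \REGISTRY\MACHINE and \REGISTRY\USER prefixes to HKLM/HKU, and maps each hit to an ATT&CK technique ID. The sample events are constructed from this page's IoCs; the last one (an Installed Components subkey with an all-zero GUID written by a process named dropper.exe) is invented to show the Active Setup rule firing, since the only Active Setup event on the page is explorer.exe's own logon-time creation of the parent key, which the rule deliberately ignores.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample input: the registry IoCs from this report's Signatures
# section in the sandbox's own "<description> <ioc> <process>" form, one benign
# explorer.exe ShellBag write that must not fire, and one hypothetical Active
# Setup subkey (the all-zero GUID and "dropper.exe" are invented for the example).
SAMPLE_EVENTS = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" ce7afd3a8aab7866b34311eafe6f0979_JaffaCakes118.exe',
    r'Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\A95.exe = "C:\\Program Files (x86)\\LP\\536C\\A95.exe" ce7afd3a8aab7866b34311eafe6f0979_JaffaCakes118.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer ce7afd3a8aab7866b34311eafe6f0979_JaffaCakes118.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" ce7afd3a8aab7866b34311eafe6f0979_JaffaCakes118.exe',
    r'Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe',
    r'Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000000} dropper.exe',
]

# Key paths may contain spaces ("Local Settings", "Active Setup"), so the key is
# taken lazily up to " = " for set-value lines and greedily up to the final
# whitespace-free token (the process name) for key-created/opened lines.
SET_VALUE_RE = re.compile(r'^Set value \((\w+)\) (.+?) = (?:"(.*)"|(\S+)) (\S+)$')
KEY_OP_RE = re.compile(r'^Key (created|opened) (.+) (\S+)$')


@dataclass(frozen=True)
class RegEvent:
    op: str                 # 'set', 'created' or 'opened'
    key: str                # normalised HKLM\... or HKU\... path
    value: Optional[str]    # only for 'set'
    process: str


@dataclass(frozen=True)
class Finding:
    technique: str          # ATT&CK technique ID
    detail: str
    process: str
    key: str


def normalize_key(path: str) -> str:
    """Map the kernel object-manager form to HKLM/HKU and fold ControlSetNNN."""
    for raw, short in (('\\REGISTRY\\MACHINE\\', 'HKLM\\'), ('\\REGISTRY\\USER\\', 'HKU\\')):
        if path.upper().startswith(raw):
            path = short + path[len(raw):]
            break
    return re.sub(r'\\ControlSet\d{3}\\', r'\\CurrentControlSet\\', path, flags=re.I)


def parse_event(line: str) -> Optional[RegEvent]:
    """Return a RegEvent for a registry line, or None for any other report line."""
    m = SET_VALUE_RE.match(line)
    if m:
        _type, key, quoted, bare, proc = m.groups()
        value = quoted if quoted is not None else bare
        # The sandbox renders REG_SZ backslashes doubled; undo that.
        return RegEvent('set', normalize_key(key), value.replace('\\\\', '\\'), proc)
    m = KEY_OP_RE.match(line)
    if m:
        op, key, proc = m.groups()
        return RegEvent(op, normalize_key(key), None, proc)
    return None


def classify(ev: RegEvent) -> Optional[Finding]:
    """Apply the persistence / defense-evasion rules for the artifacts on this page."""
    k = ev.key.lower()
    # Security Center service start type: 2 = automatic (default), 3 = manual,
    # 4 = disabled. Anything but 2 keeps Security Center from starting at boot.
    if ev.op == 'set' and k.endswith('\\services\\wscsvc\\start') and ev.value != '2':
        return Finding('T1562.001', f'wscsvc Start type set to {ev.value}', ev.process, ev.key)
    # HideSCAHealth=1 hides the Action Center health icon, so the user never sees
    # the warning that the change above would otherwise produce.
    if ev.op == 'set' and k.endswith('\\policies\\explorer\\hidescahealth') and ev.value == '1':
        return Finding('T1112', 'Action Center health icon hidden (HideSCAHealth=1)', ev.process, ev.key)
    # Run / RunOnce entries, including the Wow6432Node (32-bit) view.
    if ev.op == 'set' and re.search(r'\\currentversion\\run(once)?\\', k):
        return Finding('T1547.001', f'Run key -> {ev.value}', ev.process, ev.key)
    # Active Setup: explorer.exe creates the parent "Installed Components" key as
    # part of normal logon processing, so only a subkey, or a writer other than
    # explorer.exe, counts as persistence.
    marker = '\\active setup\\installed components'
    if marker in k and ev.op != 'opened':
        is_subkey = not k.endswith(marker)
        if is_subkey or ev.process.lower() != 'explorer.exe':
            return Finding('T1547.014', 'Active Setup component registered', ev.process, ev.key)
    return None


def triage(lines: Iterable[str]) -> List[Finding]:
    """Parse every line, keep the registry events, and return the findings in order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        f = classify(ev)
        if f is not None:
            findings.append(f)
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_EVENTS):
        print(f'{f.technique:10} {f.process:55} {f.detail}')
        print(f'{"":10} {f.key}')
```

Run as-is it reports four findings: the wscsvc start type, the Run key pointing at C:\Program Files (x86)\LP\536C\A95.exe, HideSCAHealth, and the constructed Active Setup subkey; the explorer.exe parent-key creation and the BagMRU write are ignored, as is any non-registry line passed in.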
Processes
C:\Users\Admin\AppData\Local\Temp\ce7afd3a8aab7866b34311eafe6f0979_JaffaCakes118.exe  (PID 2420)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ce7afd3a8aab7866b34311eafe6f0979_JaffaCakes118.exe"
  - Modifies security service
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  Children:
    C:\Users\Admin\AppData\Local\Temp\ce7afd3a8aab7866b34311eafe6f0979_JaffaCakes118.exe  (PID 756)
      Command line: C:\Users\Admin\AppData\Local\Temp\ce7afd3a8aab7866b34311eafe6f0979_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\CA2B7\B0E53.exe%C:\Users\Admin\AppData\Roaming\CA2B7
      - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\ce7afd3a8aab7866b34311eafe6f0979_JaffaCakes118.exe  (PID 2908)
      Command line: C:\Users\Admin\AppData\Local\Temp\ce7afd3a8aab7866b34311eafe6f0979_JaffaCakes118.exe startC:\Program Files (x86)\B79F3\lvvm.exe%C:\Program Files (x86)\B79F3
      - System Location Discovery: System Language Discovery
    C:\Program Files (x86)\LP\536C\24DF.tmp  (PID 1724)
      Command line: "C:\Program Files (x86)\LP\536C\24DF.tmp"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
C:\Windows\system32\msiexec.exe  (PID 2140)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\explorer.exe  (PID 304)
  Command line: explorer.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
The sample re-launches itself twice with a "start<path>%<directory>" argument naming C:\Users\Admin\AppData\Roaming\CA2B7\B0E53.exe and C:\Program Files (x86)\B79F3\lvvm.exe; neither of those files appears in the file-drop signatures above, so the only dropped artifacts this report confirms are A95.exe and 24DF.tmp under C:\Program Files (x86)\LP\536C. msiexec.exe and explorer.exe are top-level processes, not children of the sample.
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (3)
    Credentials In Files (3)
Downloads
- Filesize: 1KB
  MD5: 34261c4934b4343d2f675ad9db56a02b
  SHA1: 92d32d452c026e12d5ebf18e93889e8c55a42f00
  SHA256: d939bb661001c4120d887b1c1863e03b720784403d8000311800fcb3c7f7739c
  SHA512: 37f1c3813ba9561929c3aa53ee69d1a6812cebf800b9e546faa2a999f6decc580010d69b42d4cb5c889a072cc888b53740388749a3281a027565411029b14572
- Filesize: 600B
  MD5: 498cd53a9caa0ed710646fa01eceb6a1
  SHA1: acad7b56966b55354943464e4fc527f29d4dbca8
  SHA256: 29a9bde4b51e6877141b893c81d390b49f0e1b66af8ff53d07639382517f9665
  SHA512: 50045cd2ab585bdb43f1b69ea9126a3cd180676a52e60c094699fb9cdebed853d82619f0002165aa478059483bda00606f37c546158d2fc5e5977b6ecf0c0f1b
- Filesize: 996B
  MD5: 8fa999ba4d123125c1e97f835092fb48
  SHA1: c59bc74c6abc3941bca9cdbaa3daf731be75b9db
  SHA256: e3ea1b5245b3f0dc7fb62bfccc239f830927da6bb62292c40a09e40fd636df7c
  SHA512: 9f6cee77a559284cf8e94403d5c3f89892d8b838a457ed49016cb370f452ce202fbc5751935d4c2e8f633f38196352c7d4471b6a0741cb05c9338c66225b5053
- Filesize: 100KB
  MD5: de4945aedb66456dc2f3ee1acfba3246
  SHA1: 1b0bc34168f1735ad4ac66155309102fb566ea63
  SHA256: 91f6bb5318ef3615012be80cfb8cc4ed8e81b31bf52215c15684d700fb8b8b5b
  SHA512: ede90603a8645063d3180e6283f6c12b26d66a0238cc54187090d80e02455c5a0cc68d0a232ce785c55a1fd4a890292f077ceef35141658a0e32849f8576acd7