Overview

overview

10

Static

static

3

d4081f9a07...18.exe

windows7-x64

10

d4081f9a07...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    08-09-2024 09:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d4081f9a07a0cb3bb520029880f43756_JaffaCakes118.exe

  • Size

    496KB

  • MD5

    d4081f9a07a0cb3bb520029880f43756

  • SHA1

    03452dc8b5c8facebb745773c1708ddbcae3fd3e

  • SHA256

    ee20b84e5d2dad62537656cc5c08310eb2b05c433a7946af033bc459ac13a9c6

  • SHA512

    459cd19da75aac8039c3d2438bfb50af92c07c1c821f15bea6e9fb5cd08a497547be3d3faa21d6b48a9385c962d02c15837521d123e9429197c0805fa1ce0f4c

  • SSDEEP

    12288:lDCPENnBV5jaHBoFvZstQW012B04Ngjw5qu8jxTQlDrLOM:lEEZBV5jCoFvZsSWG2BdN+w2+O

Score
10/10
ponycredential_accessdiscoveryevasionpersistenceratspywarestealerupx

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Disables taskbar notifications via registry modification
    evasion
  • Deletes itself 1 IoCs
  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 10 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 29 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Adds Run key to start application 2 TTPs 53 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
    discovery
  • Suspicious use of SetThreadContext 5 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 22 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\d4081f9a07a0cb3bb520029880f43756_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d4081f9a07a0cb3bb520029880f43756_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2900
    • C:\Users\Admin\j29oAE.exe
      C:\Users\Admin\j29oAE.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2000
      • C:\Users\Admin\beufok.exe
        "C:\Users\Admin\beufok.exe"
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:3044
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c tasklist&&del j29oAE.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2056
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2044
    • C:\Users\Admin\2men.exe
      C:\Users\Admin\2men.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2316
      • C:\Users\Admin\2men.exe
        "C:\Users\Admin\2men.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2268
      • C:\Users\Admin\2men.exe
        "C:\Users\Admin\2men.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:2592
      • C:\Users\Admin\2men.exe
        "C:\Users\Admin\2men.exe"
        3⤵
        • Executes dropped EXE
        • Maps connected drives based on registry
        • Suspicious behavior: EnumeratesProcesses
        PID:2732
      • C:\Users\Admin\2men.exe
        "C:\Users\Admin\2men.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2720
      • C:\Users\Admin\2men.exe
        "C:\Users\Admin\2men.exe"
        3⤵
        • Executes dropped EXE
        PID:2484
    • C:\Users\Admin\3men.exe
      C:\Users\Admin\3men.exe
      2⤵
      • Modifies security service
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • System policy modification
      PID:1380
      • C:\Users\Admin\3men.exe
        C:\Users\Admin\3men.exe startC:\Users\Admin\AppData\Roaming\4FBE2\D97D0.exe%C:\Users\Admin\AppData\Roaming\4FBE2
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2216
      • C:\Users\Admin\3men.exe
        C:\Users\Admin\3men.exe startC:\Program Files (x86)\E2018\lvvm.exe%C:\Program Files (x86)\E2018
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1708
      • C:\Program Files (x86)\LP\D054\2913.tmp
        "C:\Program Files (x86)\LP\D054\2913.tmp"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1356
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c tasklist&&del d4081f9a07a0cb3bb520029880f43756_JaffaCakes118.exe
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:1640
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1052
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2224
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Modify Registry

5
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Peripheral Device Discovery

1
T1120

Process Discovery

1
T1057

Query Registry

3
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\2men.exe
    Filesize

    132KB

    MD5

    945a713b037b50442ec5d18d3dc0d55e

    SHA1

    2c8881b327a79fafcce27479b78f05487d93c802

    SHA256

    2da470571a64bcdeb56f62c916ee2bffa87ccc6c028b7c8cb0132d09bceedd2f

    SHA512

    0eab4bb5d04725cc20e463ae6959f71064674602f8ee7b3c9b2db75e928b9a0b1bdc94233dc261f6277d02e54a443b42a59b12aaebb8bbf243f0940344fbf385

    Download Submit

  • C:\Users\Admin\AppData\Roaming\4FBE2\2018.FBE
    Filesize

    300B

    MD5

    89daf292de90b11d1437b45888adf44b

    SHA1

    904ef904be8b47fb5d58e3efa277239012ec0188

    SHA256

    4dd7d0cbbe7974b77255b3e740cead4f9710ae5bd1128b99ac87378fe7e5c89c

    SHA512

    e2d5b6064787a4d3d7a5715d9bb9e50d48c24e4825ae07ef1a0a146552c40cc493601e5a5ae248bf5a22d3bf30f03c071aa4a17fcd2d8f47b9a08010709979e8

    Download Submit

  • C:\Users\Admin\AppData\Roaming\4FBE2\2018.FBE
    Filesize

    600B

    MD5

    5fc44ad13a994b13d579816a8cd29db6

    SHA1

    3461fb6aea30948ef8aff1bfdd8bf4358bd59e6b

    SHA256

    2b4c6edd1341b0ba11ea7b614c608223014d30d7132be7c29f2e1d59d5e01c04

    SHA512

    5a0bf1a578b58edcf0ff78e56734f43ee1ef5418374ab228b5888c1d2c0555ea2d346b0a9c513712b825244303d4eae6b2b25f23444e5a4402066950252f7d25

    Download Submit

  • C:\Users\Admin\AppData\Roaming\4FBE2\2018.FBE
    Filesize

    996B

    MD5

    e18ecaee85991d9a1bc1c7fb418063b6

    SHA1

    bf23e62437e97270402a55bdcf305014b967fdc6

    SHA256

    a1a8f2c4452b034e11d3a1269b30a9de5fbaa1112eff36201dd162d72bc593be

    SHA512

    ec8c042751113e90fe7fcee71bc5ba2bfa982223b7bc897c0b9f8910344825f4237d762fdff1d3aaca061a6113caafd2619998de7d90c0fbd4f305643ea54b42

    Download Submit

  • C:\Users\Admin\AppData\Roaming\4FBE2\2018.FBE
    Filesize

    1KB

    MD5

    06af4e0999156779a3e753dd57e76174

    SHA1

    c5040f7a444bcc9eb15a518b61cfe056d5c08f9b

    SHA256

    23da4c5718f25b78e90fae229d0bbfafde15d02342cb8c30b09f7003ae09f5b1

    SHA512

    4ae003a3c22af4ba9889cfbb522625fb2593ed35d5af5fa0f8734a8a9a9b65b6dfea8c974a05f8d0773ca8b16a9d33268d2fff1c4550c327e66d2e95d205067b

    Download Submit

  • C:\Users\Admin\beufok.exe
    Filesize

    176KB

    MD5

    c6bdf73237b91f89333e544cd97eb2ff

    SHA1

    c7f78dd7990dbb9c485b1321eea7f6b8765c2236

    SHA256

    3fe7a1ab270487611e37e8a5ba2a2cab93aea913376b5d229e696f061c05debb

    SHA512

    473310ce8f8fcd1e717e5ab3f7d3973a0ff77ab650f04711d02dc2d1ea019161804b41cc8532a58e284f476b712fb8e18446d7b0231a9ff16f6d6a8b40e1fcc7

    Download Submit

  • \Program Files (x86)\LP\D054\2913.tmp
    Filesize

    96KB

    MD5

    6b9ed8570a1857126c8bf99e0663926c

    SHA1

    94e08d8a0be09be35f37a9b17ec2130febfa2074

    SHA256

    888e4e571a6f78ee81d94ab56bd033d413f9160f1089073176b03c91878aae2d

    SHA512

    23211a1b71f1d05ad7f003231da826220ac4940e48071135cc3fba14708123fa0292e2e71c294a8086d8dc5f90dd32c4da3b41e6857c56f38cb325d78cb14880

    Download Submit

  • \Users\Admin\3men.exe
    Filesize

    271KB

    MD5

    0d668203e24463de2bf228f00443b7bc

    SHA1

    eacff981d71f6648f6315e508bfd75e11683dba8

    SHA256

    509d530e99839d7dbc8fccac163420d9dc455fb478fa57fdec1b7a2ef629d7bc

    SHA512

    3251bb1341bd466e71468d72723bd5cf545dbd232327f343b44c51daae8755ed3caa02f74adbb0304912769346fa90dfa4c7036c211836e5650bdb06993ba803

    Download Submit

  • \Users\Admin\j29oAE.exe
    Filesize

    176KB

    MD5

    c4a634088e095eab98183984bb7252d8

    SHA1

    c205f2c1f8040c9205c6c06accd75c0396c59781

    SHA256

    db345985313397a39cc2817134315c8db71ab4c48680e62c0358db406b0eff6a

    SHA512

    b6a30f6d5cc30bee9b9d483629f16c80c5338360cec629f9ee2a3307b73b9743fd71396e408ac72008b84f4b8fded26002c910421853253b52b8b4d530df7a8e

    Download Submit

  • memory/1380-270-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/1380-157-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/1708-273-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/2000-28-0x0000000003990000-0x000000000444A000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/2216-159-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/2268-48-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2268-46-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2268-106-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2268-50-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2268-43-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2268-41-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2268-39-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2268-45-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2592-60-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2592-55-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2592-53-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2592-65-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2592-63-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2592-57-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2592-62-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2720-90-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2720-80-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2720-85-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2720-82-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2720-89-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2720-155-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2732-148-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2732-77-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2732-66-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2732-70-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2732-73-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2732-75-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2732-76-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2732-68-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download