Overview

overview

10

Static

static

3

d6f9c02511...18.exe

windows7-x64

10

d6f9c02511...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    09-09-2024 19:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d6f9c02511b899fc73b32d0e7e012528_JaffaCakes118.exe

  • Size

    1.9MB

  • MD5

    d6f9c02511b899fc73b32d0e7e012528

  • SHA1

    2ca8e690ec7defb1cae50816fca969177a6d23a4

  • SHA256

    5c2b858e5d2fcbe4c1baf91e36ebdc2f8eb2ba49f4cade6a5443c5af0cf463fe

  • SHA512

    f496e7d66a83620e424a31f8e57dd5d30d9be5bc554d7ac058b889b6416f463e7f171f65db23962e3167ad967fa019e696e0bd51b07a737ca4f46fcbbc30b305

  • SSDEEP

    49152:3dOjNXMu8VaWg/IbwsYCxUGXET3pb2uQUr3ZAK6SQKS:NOjtMaWZbxUfT3gu3r3ZAn

Score
10/10
ponycredential_accessdiscoveryevasionpersistenceratspywarestealerupx

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Disables taskbar notifications via registry modification
    evasion
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 12 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 17 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of FindShellTrayWindow 33 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\d6f9c02511b899fc73b32d0e7e012528_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d6f9c02511b899fc73b32d0e7e012528_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2484
    • C:\Users\Admin\AppData\Local\Temp\dwme.exe
      "C:\Users\Admin\AppData\Local\Temp\dwme.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2316
    • C:\Users\Admin\AppData\Roaming\dwme.exe
      C:\Users\Admin\AppData\Roaming\dwme.exe auto
      2⤵
      • Modifies security service
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1956
      • C:\Users\Admin\AppData\Roaming\dwme.exe
        C:\Users\Admin\AppData\Roaming\dwme.exe startC:\Users\Admin\AppData\Roaming\EDFDF\E7E78.exe%C:\Users\Admin\AppData\Roaming\EDFDF
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:560
      • C:\Users\Admin\AppData\Roaming\dwme.exe
        C:\Users\Admin\AppData\Roaming\dwme.exe startC:\Program Files (x86)\DFD73\lvvm.exe%C:\Program Files (x86)\DFD73
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2008
      • C:\Program Files (x86)\LP\786E\473D.tmp
        "C:\Program Files (x86)\LP\786E\473D.tmp"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2836
    • C:\Windows\SysWOW64\Cloud AV 2012v121.exe
      C:\Windows\system32\Cloud AV 2012v121.exe 5985C:\Users\Admin\AppData\Local\Temp\d6f9c02511b899fc73b32d0e7e012528_JaffaCakes118.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2096
      • C:\Users\Admin\AppData\Roaming\nF3pnG5aQ6W7R9T\Cloud AV 2012v121.exe
        C:\Users\Admin\AppData\Roaming\nF3pnG5aQ6W7R9T\Cloud AV 2012v121.exe 5985C:\Windows\SysWOW64\Cloud AV 2012v121.exe
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:2128
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2780
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Modify Registry

4
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Query Registry

2
T1012

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\EDFDF\FD73.DFD
    Filesize

    300B

    MD5

    0a8b655709122aef36e01706be57f62d

    SHA1

    507c550930ea6ed26dbbfbb9844564e82241148c

    SHA256

    535bd3ab66085bbf3e168b90447b9b4da2e29e26eb18e9b81813634734d75c5a

    SHA512

    63329df61d1c7b7abf1bb18900cdc26d268d9b47b2a6d0504a5f06f126329f667aacc674a1ba9b042e0bdeed6ce6f8c67dee8f76ff22ac4f109a5265a20dbd5d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\EDFDF\FD73.DFD
    Filesize

    696B

    MD5

    e68d04170fa7f76e5f0dbeae27d90be1

    SHA1

    d595da6a01b44ce2df128635c5f2d0714a272428

    SHA256

    184d8a3520e5abda064f55c3586d344829c7dc90f8afd1dd560d989a6e299518

    SHA512

    0984dc4b43447168bba743b72b1539519cfd37c9e70d49f48edccf85fe0dde16531273dfa045acc8a41ce1e2b8767f754b2ba367f93db444bb5c739c01eaea75

    Download Submit

  • C:\Users\Admin\AppData\Roaming\EDFDF\FD73.DFD
    Filesize

    993B

    MD5

    372b27147242d201eb7c0b9365edeb0f

    SHA1

    c362bcd962e0ae8ad11413d66fd51f9ae5140840

    SHA256

    7fe6753c8fe0c237878297fa752ec0a11ab66489a9b1c6b94b1a70b71ce89a23

    SHA512

    9e09079c8be5875cc7aa89650ec550c3dad38499d6248dd0d6ce213f316a39cea5bbe6773abca6a2f385ef80ec0313351963c9ffd7905f65f1300e90f03c6bfb

    Download Submit

  • C:\Users\Admin\AppData\Roaming\EDFDF\FD73.DFD
    Filesize

    1KB

    MD5

    02913394648fa971262b32bfefccf212

    SHA1

    db97db209d3565bc5cc0513c29715ce804c2e8a5

    SHA256

    3f951461187b7aec3ca36661d66519189db3dd7db9b7e68264be435c109291eb

    SHA512

    b76a1c3546d2b43d767ae961fbfd811edb2bb290bdcb796c797bad77790179ca0b6f5f32b9878728dff1060ffbfc5eafa6c36c05c3b19a4d357c28f38e1c5051

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Cloud AV 2012\Cloud AV 2012.lnk
    Filesize

    1KB

    MD5

    d81d2eecdcdbb10025c965277c942f3e

    SHA1

    3eb3c4f2d88bc5370ffb73ab15bf7e9b8eb746b8

    SHA256

    37cdc1495085db5491124bbe3b6ec49410358872652ddac1cdb65e0d67f154a2

    SHA512

    a7b07b17c918597b84a1fba86d1ac8bfbd2553e9f7357605f390fe27bb3cbd515d4265e199e2780efd673061fb5bb5923999bee397189a7987f2b2987668ce1d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\ahst.lni
    Filesize

    612B

    MD5

    7b3410ce554ee7560482f90e22e1dffc

    SHA1

    191e12565763c5d3692e51d2e808b3f8c892b786

    SHA256

    4a1cfb761365a150999de8bf19d151ce7e2145a83410985399536bd425fdb11b

    SHA512

    5435d5254cffa6521d5de1478981e6c0b4f27ea72ad6165a09247d6c6c1f46bba7e7aee5bf4f2b095dec2544d2394baeff83db2e6629f27e41156e0b5737a83d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\ahst.lni
    Filesize

    1KB

    MD5

    b0fa7bca6deef64a68cbee5eb153be40

    SHA1

    1835d14389318c4fb1e0a5aa68f1a6f270728334

    SHA256

    082222f11742ab7c70fabe2effd63a534ec8f7354ebeede9456281cbbcc96a15

    SHA512

    2c7631ef684ed3317163059573dd4311988e859c9ead46bbcab5915d727f7a836e34e49c5ccf88b0abc396fa04fd46ad5e0211a6dcb4ba2e8f8c40e5a8673973

    Download Submit

  • C:\Users\Admin\AppData\Roaming\zmG5sQJ6dKfZhXj\Cloud AV 2012.ico
    Filesize

    12KB

    MD5

    bb87f71a6e7f979fcb716926d452b6a8

    SHA1

    f41e3389760eaea099720e980e599a160f0413b9

    SHA256

    14c9c49d8ead9ab59a56c328008f59c20b32c3ad22c00e02d34e16ad7086fe84

    SHA512

    e1d14363274e367ea600afc357d012233fc68f0636e8d05b29992e762d31e9a55b4fa38b08613c2ca528d7fb0f547774a3a3dc79aada32c2c7359c3edcdb549d

    Download Submit

  • C:\Users\Admin\Desktop\Cloud AV 2012.lnk
    Filesize

    1KB

    MD5

    454539ee3680d3cc829dc5945e4a1bdb

    SHA1

    7b4d700d5573d88f27ca1be50402520659175323

    SHA256

    5dedff37e01c8a66f09df2047dddf8b15242bcaa92fb0ccbaa674367e5f9b57b

    SHA512

    b250d6d05d215d5514236c80c9b71f714429356594415531ce8b83d128af063fb59533fd102cf3b4d719ad20addbbae6cd7e6e15f71faeb95db988c4f94682ea

    Download Submit

  • C:\Windows\SysWOW64\Cloud AV 2012v121.exe
    Filesize

    1.9MB

    MD5

    d6f9c02511b899fc73b32d0e7e012528

    SHA1

    2ca8e690ec7defb1cae50816fca969177a6d23a4

    SHA256

    5c2b858e5d2fcbe4c1baf91e36ebdc2f8eb2ba49f4cade6a5443c5af0cf463fe

    SHA512

    f496e7d66a83620e424a31f8e57dd5d30d9be5bc554d7ac058b889b6416f463e7f171f65db23962e3167ad967fa019e696e0bd51b07a737ca4f46fcbbc30b305

    Download Submit

  • C:\Windows\System32\drivers\etc\hosts
    Filesize

    1KB

    MD5

    f48cfb5db32cdf990f35a5ef9146dbf4

    SHA1

    09b4f991e17aba915160f6c153c6d78e2d4aa4d9

    SHA256

    72439cac78aae2122ddea93a12f562ea85c9fb909bef25cae982480a2d51f397

    SHA512

    385c74297ee70bdce1cf2dbcafd95e1d96f1b9ffd0fac713d614f84b9d02c28359276434ea164082ae46b312f40dd9911a27526df2ef3613118a0efc9271d301

    Download Submit

  • \Program Files (x86)\LP\786E\473D.tmp
    Filesize

    99KB

    MD5

    b6c44c70136fcbed1aace964c4e98e9d

    SHA1

    4f7961087e09cdf03efe4fe0b7f2243499504628

    SHA256

    75d10ab1bea3e7cb80e3c0048b79cf0496c88b885ff853d6f430c71272030bcd

    SHA512

    801762bbc8ffa62fd49dadb75bfa0ff31f73ee4b712c91d23885f0d4fbc45eebbc30f2ab84e04ce375e8a269bb2a1c8514c4dd9cbd50f42e5960987c719092da

    Download Submit

  • \Users\Admin\AppData\Local\Temp\dwme.exe
    Filesize

    279KB

    MD5

    28f68e83db55f7bea9da2240ed0fb82e

    SHA1

    f921166658168cd0149fc4bf192ed37a2281ab15

    SHA256

    41a4cfba62cc917f591523b5adefa926afb6bfe54aba4d2b72ac6f98253d9b58

    SHA512

    40976449c4a135a2375ef875f0d0e7c0a3f612786ab7901a49b5def17348fdfc57ad0b6fb7e83ea01714d8c95f1154c27502572f1905bfde18d818ffe58fcbc6

    Download Submit

  • memory/560-136-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/560-135-0x0000000001E20000-0x0000000001F20000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1956-239-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/1956-108-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/1956-148-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/1956-355-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/1956-406-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/2008-233-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/2096-39-0x0000000000400000-0x0000000000917000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/2096-30-0x0000000002C70000-0x0000000003085000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/2128-309-0x0000000000400000-0x0000000000917000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/2128-111-0x0000000000400000-0x0000000000917000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/2128-44-0x0000000002F40000-0x0000000003355000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/2128-215-0x0000000000400000-0x0000000000917000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/2128-129-0x0000000000400000-0x0000000000917000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/2128-323-0x0000000000400000-0x0000000000917000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/2316-43-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/2484-28-0x0000000000400000-0x0000000000917000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/2484-0-0x0000000002EC0000-0x00000000032D5000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/2484-29-0x0000000000400000-0x0000000000914000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/2484-2-0x0000000000400000-0x0000000000917000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/2484-1-0x0000000000400000-0x0000000000914000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/2836-310-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2836-311-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download