Overview

overview

10

Static

static

3

d9ace96249...18.exe

windows7-x64

10

d9ace96249...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    90s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    11-09-2024 05:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d9ace96249c677b8aa4cc881da8719bf_JaffaCakes118.exe

  • Size

    1.9MB

  • MD5

    d9ace96249c677b8aa4cc881da8719bf

  • SHA1

    043ffe72edfdbbad5c903cc0828e359ee90752b4

  • SHA256

    d0272db66c37dcefb057951240329f371dad2bffd53bb999ce4ba915052438ce

  • SHA512

    54fca18a7beeaf1c38c833ee4511186dcf3b01f481496b60c165fe1bfab8da077bfdd22425af88833c7dcb6e879831eb69baa686d49b72fb1bee159b40017f0c

  • SSDEEP

    49152:UdOjNXMu8VaWg/IbwsYRxUGXET3pbjX6JyytOdsi3:aOjtMaWZUxUfT35X06si

Score
10/10
ponycredential_accessdiscoveryevasionpersistenceratspywarestealerupx

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Disables taskbar notifications via registry modification
    evasion
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 14 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 15 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of FindShellTrayWindow 33 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\d9ace96249c677b8aa4cc881da8719bf_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d9ace96249c677b8aa4cc881da8719bf_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Users\Admin\AppData\Local\Temp\dwme.exe
      "C:\Users\Admin\AppData\Local\Temp\dwme.exe"
      2⤵
      • Modifies security service
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1216
      • C:\Users\Admin\AppData\Local\Temp\dwme.exe
        C:\Users\Admin\AppData\Local\Temp\dwme.exe startC:\Users\Admin\AppData\Roaming\177F6\75A85.exe%C:\Users\Admin\AppData\Roaming\177F6
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2276
      • C:\Users\Admin\AppData\Local\Temp\dwme.exe
        C:\Users\Admin\AppData\Local\Temp\dwme.exe startC:\Program Files (x86)\F64FB\lvvm.exe%C:\Program Files (x86)\F64FB
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2180
      • C:\Program Files (x86)\LP\85F1\7C22.tmp
        "C:\Program Files (x86)\LP\85F1\7C22.tmp"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:924
    • C:\Users\Admin\AppData\Roaming\dwme.exe
      C:\Users\Admin\AppData\Roaming\dwme.exe auto
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:604
    • C:\Windows\SysWOW64\Cloud AV 2012v121.exe
      C:\Windows\system32\Cloud AV 2012v121.exe 5985C:\Users\Admin\AppData\Local\Temp\d9ace96249c677b8aa4cc881da8719bf_JaffaCakes118.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2240
      • C:\Users\Admin\AppData\Roaming\SS1ibD3on4m6W7E\Cloud AV 2012v121.exe
        C:\Users\Admin\AppData\Roaming\SS1ibD3on4m6W7E\Cloud AV 2012v121.exe 5985C:\Windows\SysWOW64\Cloud AV 2012v121.exe
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:2648
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2812
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1288
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x560
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Modify Registry

4
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Query Registry

2
T1012

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\177F6\64FB.77F
    Filesize

    300B

    MD5

    6b4a4103beb52691b4a504103d28cfbb

    SHA1

    8601c0068589cc19188d4e35b59bcf1d854b1fec

    SHA256

    95abe2ce37d28429aa98f8b4062399f68bb2d33db80e75c883a1a0bf9259cf2a

    SHA512

    558155cb859ae56fcfc9ffcdf567c091b924c4be6434501d983461fb6db0432d818c36ae159722322885a85b95983b811e0fb31966ba1ca9886ea2fca3a5a5f0

    Download Submit

  • C:\Users\Admin\AppData\Roaming\177F6\64FB.77F
    Filesize

    696B

    MD5

    24d69bd384931a0cab0074e02aa9c924

    SHA1

    14b2e3f900520e3b5fcbf9f5d2f7dc361b3a72bc

    SHA256

    0a1eab1aa9b88af2c34b5c23a60e7345ab3742d16838e1c6a46ca1b90ffeab44

    SHA512

    e223e54ec8e2a094091a9e9eba42f8232e2d99ef66e580b27698cb4263f5063ae53d9f90309189fbc56eebe37bb784b6c8f7aa0aa0765dbe8ecf6b49bfbc54b0

    Download Submit

  • C:\Users\Admin\AppData\Roaming\177F6\64FB.77F
    Filesize

    1KB

    MD5

    c227a78c17a07f3bc43f6c692ca18aa7

    SHA1

    12a1dc602732247b9282e882c6ebd5094e42e9c9

    SHA256

    be15563e0b8dea70c05a3df077f2a00babfd685edc609dee07ad601e8d24905d

    SHA512

    91be504211bfa2696da25d5937e0165968e1d066efa3455eae3d39d93f9ca5fc9143bbb766814cd1f10c0af7e7b69673a877847f41b1033876161cf7fbaeafe9

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Cloud AV 2012\Cloud AV 2012.lnk
    Filesize

    1KB

    MD5

    9a712cc8d6460eaf520b55808b5ebea0

    SHA1

    e2501a6889a4d80754b946229eb29213f08eb732

    SHA256

    ebb069af0ab68bfc0531f2d906be4bef677c08aebe2426582090e04f1a9e050b

    SHA512

    6db3ea848bd8947fbc1b33764376396d9f890b01d6184d8ae89ae17d2b2e1d560e2afb00c5b61f0012e400ec531dedf6ff2b38c2d27055a77c60ec5c6c1eb241

    Download Submit

  • C:\Users\Admin\AppData\Roaming\QjUCekIBrOyAuSi\Cloud AV 2012.ico
    Filesize

    12KB

    MD5

    bb87f71a6e7f979fcb716926d452b6a8

    SHA1

    f41e3389760eaea099720e980e599a160f0413b9

    SHA256

    14c9c49d8ead9ab59a56c328008f59c20b32c3ad22c00e02d34e16ad7086fe84

    SHA512

    e1d14363274e367ea600afc357d012233fc68f0636e8d05b29992e762d31e9a55b4fa38b08613c2ca528d7fb0f547774a3a3dc79aada32c2c7359c3edcdb549d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\ahst.lni
    Filesize

    1KB

    MD5

    4479f7052910ca9b355153033269d137

    SHA1

    b4a1948fac0189da1ab864f2ab99409a8b94ec88

    SHA256

    2f004397ca3873e935ef84e8bb4902c41bbd5aff435ea0a87dde5ccea7714a3d

    SHA512

    cd5daf8175aa58c41b1d57b3a1dcffb453e718e9c2415218a9f623674253185bc32e1100f4b30e1dabd9450c3504bc1d139564cef99861beef759d9f693aced5

    Download Submit

  • C:\Users\Admin\Desktop\Cloud AV 2012.lnk
    Filesize

    1KB

    MD5

    0dd12ba226fcb653ad4a7c19550eb53a

    SHA1

    25561f19f9979a2479c51083d69b50925a3264f8

    SHA256

    bb60887aa93a2bde0f26a9e677bd494b6194543c08f0074705d2470751e8adc7

    SHA512

    0c2f1a0bb1cfc7aa6a17078a821f1016a10a264371c27902fd7ffdf2c31b479780c7785af55b2da0a10863db61a1b77ff340180c9343d5894c1004c513a5c9fa

    Download Submit

  • C:\Windows\System32\drivers\etc\hosts
    Filesize

    1KB

    MD5

    f48cfb5db32cdf990f35a5ef9146dbf4

    SHA1

    09b4f991e17aba915160f6c153c6d78e2d4aa4d9

    SHA256

    72439cac78aae2122ddea93a12f562ea85c9fb909bef25cae982480a2d51f397

    SHA512

    385c74297ee70bdce1cf2dbcafd95e1d96f1b9ffd0fac713d614f84b9d02c28359276434ea164082ae46b312f40dd9911a27526df2ef3613118a0efc9271d301

    Download Submit

  • C:\Windows\System32\drivers\etc\hosts
    Filesize

    1KB

    MD5

    da92c10d26caf9083835ea4e9c9d39d9

    SHA1

    5248b4965b5b3aeca5dd12f59dcae26d0186b052

    SHA256

    ccf1bd93891bb2e22540ef9baf3acc2e7a30c46054cb12b08567a43ac3fdc8ae

    SHA512

    28e848434bba3facc9a92a9d6fdfc1257261d01a818ef389db3b37c0103451d51c62efa6ac41453f42de22e685d7f55d00405a63dec8dd2928e856fb18becff5

    Download Submit

  • \Program Files (x86)\LP\85F1\7C22.tmp
    Filesize

    99KB

    MD5

    ac9682380b3c94ffe32d0aca1a53d53e

    SHA1

    7c1485c7d2720d433306ff5c86fd944331bc4447

    SHA256

    cd0e4cd89551d243fd1365950d28470d56a09f29e834d13288f6ca1aff4c1626

    SHA512

    978eaa0bfd1c62d4e7eaac0470ed29dfcc683aef8b087fbd76caf1218d700010d1bb2ae1d155811665e52c842326bef1779d082161b72c8c25c8e6167ea12eb9

    Download Submit

  • \Users\Admin\AppData\Local\Temp\dwme.exe
    Filesize

    279KB

    MD5

    c97ff984c8643e9a8404592683cd7162

    SHA1

    9f0e2724d047c794b4457fb799cc6e96438a7292

    SHA256

    1c5529c199a8a1744246396812a2e90c847ca78a6a438592010fe1b0573fdf32

    SHA512

    f18481023fc45bc8618dd2aa481d806d1c799b5a635ed2ad64be0ed3f26470330973bfa04a56349f8cc473761bab1ea1780d07c7d77b5895b4aef0219e7a4bf6

    Download Submit

  • \Windows\SysWOW64\Cloud AV 2012v121.exe
    Filesize

    1.9MB

    MD5

    d9ace96249c677b8aa4cc881da8719bf

    SHA1

    043ffe72edfdbbad5c903cc0828e359ee90752b4

    SHA256

    d0272db66c37dcefb057951240329f371dad2bffd53bb999ce4ba915052438ce

    SHA512

    54fca18a7beeaf1c38c833ee4511186dcf3b01f481496b60c165fe1bfab8da077bfdd22425af88833c7dcb6e879831eb69baa686d49b72fb1bee159b40017f0c

    Download Submit

  • memory/604-43-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/604-42-0x0000000001E60000-0x0000000001F60000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/924-310-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/1216-190-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/1216-121-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/1216-374-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/1216-304-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/2180-194-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/2240-30-0x0000000002F10000-0x0000000003325000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/2240-40-0x0000000000400000-0x0000000000917000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/2276-123-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/2380-29-0x0000000000400000-0x0000000000914000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/2380-1-0x0000000000400000-0x0000000000914000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/2380-0-0x0000000003340000-0x0000000003755000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/2380-2-0x0000000000400000-0x0000000000917000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/2380-28-0x0000000000400000-0x0000000000917000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/2648-282-0x0000000000400000-0x0000000000917000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/2648-309-0x0000000000400000-0x0000000000917000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/2648-44-0x0000000003290000-0x00000000036A5000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/2648-197-0x0000000000400000-0x0000000000917000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/2648-126-0x0000000000400000-0x0000000000917000-memory.dmp

    Filesize

    5.1MB

    Download