Overview

overview

10

Static

static

3

db8a7205a1...18.exe

windows7-x64

10

db8a7205a1...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    12-09-2024 01:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    db8a7205a16ebd7d01f4c1bc7ed828f3_JaffaCakes118.exe

  • Size

    279KB

  • MD5

    db8a7205a16ebd7d01f4c1bc7ed828f3

  • SHA1

    08e633fe5c3f3438d3c7b2b16b980477ce11c005

  • SHA256

    32bc8fdd21b479615e48c6bbaf86552fb39a51f24492c48ef8f5e036cfcf9425

  • SHA512

    60488b3d8d255bff743dbda22d6452347072f9eb4de47d64b422b26db4d724e822cad3ae404bc7e6db0b643ef1ad94cce16c4c223e33f4098a115962760495e1

  • SSDEEP

    6144:R9p9rg4xpA4mckS2nlyo9q7H5c6doe7ZXtynCdgqdzZtbz4lnBcdPo:R9p9EgAbJS2nAJdooX0UZ5mnud

Score
10/10
ponycredential_accessdiscoveryevasionpersistenceratspywarestealerupx

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Disables taskbar notifications via registry modification
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 22 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\db8a7205a16ebd7d01f4c1bc7ed828f3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\db8a7205a16ebd7d01f4c1bc7ed828f3_JaffaCakes118.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2624
    • C:\Users\Admin\AppData\Local\Temp\db8a7205a16ebd7d01f4c1bc7ed828f3_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\db8a7205a16ebd7d01f4c1bc7ed828f3_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\95082\CB8E9.exe%C:\Users\Admin\AppData\Roaming\95082
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2092
    • C:\Users\Admin\AppData\Local\Temp\db8a7205a16ebd7d01f4c1bc7ed828f3_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\db8a7205a16ebd7d01f4c1bc7ed828f3_JaffaCakes118.exe startC:\Program Files (x86)\82786\lvvm.exe%C:\Program Files (x86)\82786
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2128
    • C:\Program Files (x86)\LP\E9E9\BAD7.tmp
      "C:\Program Files (x86)\LP\E9E9\BAD7.tmp"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1844
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2768
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Modify Registry

4
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Query Registry

2
T1012

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\95082\2786.508
    Filesize

    996B

    MD5

    729b41c8d6298f0702e2b8c1b8715e47

    SHA1

    0adc80bfacb1033befd6c55fc3fd0e070b0860c1

    SHA256

    d16e804dc34f93a5f60a8ac0d926d02c9fee874fa223a5aa2d46ad77de57cfa3

    SHA512

    6194802da438f57ac5a08a5ea336531a2809990c0c7981fc708e1cfb39960c0654d6be023b96ce698784e35cfd9a1abb669483e27427f807ff7f5be27869fc59

    Download Submit

  • C:\Users\Admin\AppData\Roaming\95082\2786.508
    Filesize

    600B

    MD5

    4dbde6803a8309bef0f4ff39f887a47e

    SHA1

    4c6b26074e7079488322f8d30d6a921cfbaa4dd7

    SHA256

    0cfb09f87d8923f1c5169cebad9ff6cbd60283e45b2bc0f967b8f11ac8713a58

    SHA512

    7cbc7dd7e1c0ebb2b01fbb0cdc77eeb5c39098e694b630457d1c6ceb6aed3217a9aea49b18d8f0f32754f597a6fedfd148c1650a693f7b24cbd4d050628f39c6

    Download Submit

  • C:\Users\Admin\AppData\Roaming\95082\2786.508
    Filesize

    1KB

    MD5

    d4a89ab0631d92be0846bed25d9a20dc

    SHA1

    5cefbc2ca60d9761860830cab9cabc24e28eff02

    SHA256

    95280a30271de8db706c482d93d2b9cea1de3aa2b046935707a63a0b03c82f2d

    SHA512

    dbd798c59166d4fa169ecc6be1c58850f4ee5ed2dfcfe6ade135a14ace303c43c98b2d2730b0466053a35da4b96dc1a3c7827cb6695db231dca675b1c69aa9df

    Download Submit

  • \Program Files (x86)\LP\E9E9\BAD7.tmp
    Filesize

    99KB

    MD5

    ed2bad1e6970c4aede88be76b11c9250

    SHA1

    74a9b54a7b24414b3035c5e7cdb3d89393e785d3

    SHA256

    8d766352dd398f94f5e3ead77d5b5ffffb8e605b066c47086020f8f8400ccdae

    SHA512

    ffbf62a08a1112be48d39d36abee306b7ac17186177842a8d7b1253ecadc0827d2d8541b7e35e037c13c6e247670f83a7d73bf5f09ff7f20815678694236bc8f

    Download Submit

  • memory/1844-321-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2092-16-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/2092-15-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/2128-130-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/2128-133-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/2128-132-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/2624-128-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/2624-1-0x0000000000400000-0x0000000000468000-memory.dmp

    Filesize

    416KB

    Download

  • memory/2624-13-0x0000000000400000-0x0000000000468000-memory.dmp

    Filesize

    416KB

    Download

  • memory/2624-11-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/2624-320-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/2624-2-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/2624-324-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download