Analysis

  • max time kernel
    140s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-09-2024 18:26

General

  • Target

    e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe

  • Size

    286KB

  • MD5

    e0c6247a10e90d78a4bab1fea77d57b5

  • SHA1

    34d4e5d8d54c0eda9b444879c98a5f1cac97431f

  • SHA256

    d27671568091892834ec1ee00ed8d520a60110b373bee7647e18504695c9385d

  • SHA512

    aad6dd2b8e20c6104e1c17f317f067dc97b5429e2a00c02f1aa66ac8b9112e4f6842e687887fbac48f153e4748ce26db3fec4f37d51ba737ee79cb1a10e609e1

  • SSDEEP

    6144:W6jV3dXwqqSAOv3xgM1otCaLzVvEiSUd3/zDkR4:J5AKxd17advk0zDkR4

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
  • Pony, Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Disables taskbar notifications via registry modification
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steals credentials from unsecured files.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1304
    • C:\Users\Admin\AppData\Local\Temp\e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\D3A8D\DC526.exe%C:\Users\Admin\AppData\Roaming\D3A8D
      2⤵
        PID:2024
      • C:\Users\Admin\AppData\Local\Temp\e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe
        C:\Users\Admin\AppData\Local\Temp\e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe startC:\Program Files (x86)\8D11F\lvvm.exe%C:\Program Files (x86)\8D11F
        2⤵
          PID:2216
        • C:\Program Files (x86)\LP\26FD\AAB.tmp
          "C:\Program Files (x86)\LP\26FD\AAB.tmp"
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1612
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe /V
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3044
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1812

      Network

      • flag-us
        DNS
        csc3-2004-crl.verisign.com
        Remote address:
        8.8.8.8:53
        Request
        csc3-2004-crl.verisign.com
        IN A
        Response
      • flag-us
        DNS
        ri-ang.batarryreanimayion.com
        e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe
        Remote address:
        8.8.8.8:53
        Request
        ri-ang.batarryreanimayion.com
        IN A
        Response
      • flag-us
        DNS
        newworldorderreport.com
        e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe
        Remote address:
        8.8.8.8:53
        Request
        newworldorderreport.com
        IN A
        Response
        newworldorderreport.com
        IN A
        198.7.57.33
      • flag-us
        DNS
        ner.kolabatory.com
        e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe
        Remote address:
        8.8.8.8:53
        Request
        ner.kolabatory.com
        IN A
        Response
      • flag-us
        GET
        http://newworldorderreport.com/img/3422.png?sv=591&tq=gHZutDyMv5rJeTbia9nrmsl6giWz%2BJZbVyA%3D
        e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe
        Remote address:
        198.7.57.33:80
        Request
        GET /img/3422.png?sv=591&tq=gHZutDyMv5rJeTbia9nrmsl6giWz%2BJZbVyA%3D HTTP/1.0
        Connection: close
        Host: newworldorderreport.com
        Accept: */*
        User-Agent: chrome/9.0
        Response
        HTTP/1.1 302 Found
        date: Sat, 14 Sep 2024 18:26:54 GMT
        x-redirect-by: WordPress
        location: https://qltuh.algiedideneb.com/?pl=CHiI7Gh3GUyTa8XGgNqDyQ&click_id=critart109qc73bmqo50
        vary: Accept-Encoding
        content-length: 0
        content-type: text/html; charset=UTF-8
        age: 0
        server: Apache
        connection: close
      • flag-us
        DNS
        h-by9ygp37.batarryreanimayion.com
        e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe
        Remote address:
        8.8.8.8:53
        Request
        h-by9ygp37.batarryreanimayion.com
        IN A
        Response
      • flag-us
        DNS
        czk--1ih.kolabatory.com
        e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe
        Remote address:
        8.8.8.8:53
        Request
        czk--1ih.kolabatory.com
        IN A
        Response
      • flag-us
        DNS
        TRANSERSDATAFORME.COM
        AAB.tmp
        Remote address:
        8.8.8.8:53
        Request
        TRANSERSDATAFORME.COM
        IN A
        Response
      • flag-us
        DNS
        www.google.com
        Remote address:
        8.8.8.8:53
        Request
        www.google.com
        IN A
        Response
        www.google.com
        IN A
        142.250.178.4
      • flag-gb
        GET
        http://www.google.com/
        e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe
        Remote address:
        142.250.178.4:80
        Request
        GET / HTTP/1.0
        Connection: close
        Host: www.google.com
        Accept: */*
        Response
        HTTP/1.0 302 Found
        Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgTCbg1GGKqrl7cGIjD6NS6yEA53Z0c0f4QOONJGT94kmgsp6R1Y5EP6j6SG0tOK3k82dTSK-CSXVBLqa68yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
        x-hallmonitor-challenge: CgwIqquXtwYQxajgtAISBMJuDUY
        Content-Type: text/html; charset=UTF-8
        Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-QeR4ivXXaeAR_zKDYN7paA' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
        Date: Sat, 14 Sep 2024 18:27:54 GMT
        Server: gws
        Content-Length: 396
        X-XSS-Protection: 0
        X-Frame-Options: SAMEORIGIN
        Set-Cookie: AEC=AVYB7cpdEork2ryt33rgUHQ0AmF6XbNlDn-Q63Oju4Xxn3uhfWsj6Ot2GEE; expires=Thu, 13-Mar-2025 18:27:54 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
      • flag-gb
        GET
        http://www.google.com/
        e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe
        Remote address:
        142.250.178.4:80
        Request
        GET / HTTP/1.1
        Connection: close
        Pragma: no-cache
        Host: www.google.com
        Response
        HTTP/1.1 302 Found
        Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgTCbg1GGK2rl7cGIjCXzNADiZN2MCmRMXx1lD2080Sd3dE5AwFv7QDkMhBVTLKbosx_XQ3K2uT6xqr9xJAyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
        x-hallmonitor-challenge: CgsIrquXtwYQ5tTebhIEwm4NRg
        Content-Type: text/html; charset=UTF-8
        Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-Pn8EAZO-i-sOkomzWI-nGA' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
        Date: Sat, 14 Sep 2024 18:27:58 GMT
        Server: gws
        Content-Length: 396
        X-XSS-Protection: 0
        X-Frame-Options: SAMEORIGIN
        Set-Cookie: AEC=AVYB7colVOus6NTIqACdxsEsXIl6It5NfHGLtJV18xTMI-4YCtzb93x3-g; expires=Thu, 13-Mar-2025 18:27:58 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
        Connection: close
      • flag-gb
        GET
        http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgTCbg1GGK2rl7cGIjCXzNADiZN2MCmRMXx1lD2080Sd3dE5AwFv7QDkMhBVTLKbosx_XQ3K2uT6xqr9xJAyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
        e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe
        Remote address:
        142.250.178.4:80
        Request
        GET /sorry/index?continue=http://www.google.com/&q=EgTCbg1GGK2rl7cGIjCXzNADiZN2MCmRMXx1lD2080Sd3dE5AwFv7QDkMhBVTLKbosx_XQ3K2uT6xqr9xJAyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
        Connection: close
        Pragma: no-cache
        Host: www.google.com
        Response
        HTTP/1.1 429 Too Many Requests
        Date: Sat, 14 Sep 2024 18:27:58 GMT
        Pragma: no-cache
        Expires: Fri, 01 Jan 1990 00:00:00 GMT
        Cache-Control: no-store, no-cache, must-revalidate
        Content-Type: text/html
        Server: HTTP server (unknown)
        Content-Length: 3052
        X-XSS-Protection: 0
        Connection: close
      • 198.7.57.33:80
        http://newworldorderreport.com/img/3422.png?sv=591&tq=gHZutDyMv5rJeTbia9nrmsl6giWz%2BJZbVyA%3D
        http
        e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe
        398 B
        521 B
        5
        5

        HTTP Request

        GET http://newworldorderreport.com/img/3422.png?sv=591&tq=gHZutDyMv5rJeTbia9nrmsl6giWz%2BJZbVyA%3D

        HTTP Response

        302
      • 142.250.178.4:80
        http://www.google.com/
        http
        e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe
        446 B
        2.8kB
        8
        7

        HTTP Request

        GET http://www.google.com/

        HTTP Response

        302
      • 142.250.178.4:80
        http://www.google.com/
        http
        e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe
        359 B
        1.5kB
        6
        5

        HTTP Request

        GET http://www.google.com/

        HTTP Response

        302
      • 127.0.0.1:63939
        e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe
      • 142.250.178.4:80
        http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgTCbg1GGK2rl7cGIjCXzNADiZN2MCmRMXx1lD2080Sd3dE5AwFv7QDkMhBVTLKbosx_XQ3K2uT6xqr9xJAyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
        http
        e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe
        526 B
        3.6kB
        6
        7

        HTTP Request

        GET http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgTCbg1GGK2rl7cGIjCXzNADiZN2MCmRMXx1lD2080Sd3dE5AwFv7QDkMhBVTLKbosx_XQ3K2uT6xqr9xJAyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

        HTTP Response

        429
      • 127.0.0.1:63939
        e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe
      • 8.8.8.8:53
        csc3-2004-crl.verisign.com
        dns
        72 B
        127 B
        1
        1

        DNS Request

        csc3-2004-crl.verisign.com

      • 8.8.8.8:53
        ri-ang.batarryreanimayion.com
        dns
        e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe
        75 B
        148 B
        1
        1

        DNS Request

        ri-ang.batarryreanimayion.com

      • 8.8.8.8:53
        newworldorderreport.com
        dns
        e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe
        133 B
        222 B
        2
        2

        DNS Request

        newworldorderreport.com

        DNS Response

        198.7.57.33

        DNS Request

        ner.kolabatory.com

      • 8.8.8.8:53
        h-by9ygp37.batarryreanimayion.com
        dns
        e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe
        79 B
        152 B
        1
        1

        DNS Request

        h-by9ygp37.batarryreanimayion.com

      • 8.8.8.8:53
        czk--1ih.kolabatory.com
        dns
        e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe
        69 B
        142 B
        1
        1

        DNS Request

        czk--1ih.kolabatory.com

      • 8.8.8.8:53
        TRANSERSDATAFORME.COM
        dns
        AAB.tmp
        67 B
        140 B
        1
        1

        DNS Request

        TRANSERSDATAFORME.COM

      • 8.8.8.8:53
        www.google.com
        dns
        60 B
        76 B
        1
        1

        DNS Request

        www.google.com

        DNS Response

        142.250.178.4

      MITRE ATT&CK Enterprise v15


      Downloads

      • C:\Users\Admin\AppData\Roaming\D3A8D\D11F.3A8

        Filesize

        696B

        MD5

        12b1524d5543bf26db395773ca57a5a0

        SHA1

        d84034890066778cfe8acda3dde6057315a39d41

        SHA256

        a1c27bd3273ae106728f45bed2a6d6483c67ea0470b10f942d37ff6dee6eb3a7

        SHA512

        1db86c9c46b6a77551bc97711e83079b842e22f5463dd0da0991eccba0d40e7baa9ad7cdf699a7595978985480cbddcf05b4117a347a295c3fef2fc1ab4c6387

      • C:\Users\Admin\AppData\Roaming\D3A8D\D11F.3A8

        Filesize

        300B

        MD5

        da1d87b8cef010df2fd19c6495d7fa1f

        SHA1

        6dbd41aee2aaa3af9cd0485b47f57bc7cc0463af

        SHA256

        cd06cb380e29ad87f806d2a1dc22bb09b9994f6a467af7bfa5ff83b693c18802

        SHA512

        c89b08210b9c234e6f3922b23c1dd182e6fe969bafc2df878e5558f186f50f65f457ec86d9b9d34fa6beff832f4f9c73aa036c4fd2a56ab983d342e32f4500a9

      • C:\Users\Admin\AppData\Roaming\D3A8D\D11F.3A8

        Filesize

        1KB

        MD5

        89e175a43758d4ceeed96fdcc1a52c6c

        SHA1

        47a1e8d5afe53f5342b1b1f7bcda405462094bc3

        SHA256

        aefaee070e91289c0e19ca6cf34d881a39a260e5948ec1833ad53a12c3878513

        SHA512

        a029c2e335179aae6979f97165be0304baf8f78d65da54e35c0d98a8d2525728483782babd394cb0e2884c35c139eba9ea04f13ceb892b6fa5facbf956988978

      • C:\Users\Admin\AppData\Roaming\D3A8D\D11F.3A8

        Filesize

        1KB

        MD5

        75ea1658a1927b258e1801e49318261c

        SHA1

        72768beba35d59d42abb75af81abc035c72fd613

        SHA256

        ca579697b7257e0ec6b7deb690e67345d592ee4bba2904589f3821939e62f8e1

        SHA512

        d71a34fd0ecb9a5ecafb3546d4c3074fffeb6903337d1c896b8ff291603aff4e2380ac1a136f148ef38452b810cb963cd26f1d03119dc4bca3bd539d5e95784f

      • \Program Files (x86)\LP\26FD\AAB.tmp

        Filesize

        101KB

        MD5

        9830a063d6a451099715cfd584204e5a

        SHA1

        175d36b11f755dd1a10b317f473c4c0de261b9ca

        SHA256

        2f55100d9b31d4e69495fad29d831e7f1310f53089081da251ff52bf8b83ab28

        SHA512

        c4aadec9e09277a4819e70eedeb9fb80ef4e6e982c3abca0479ba96f54c5748970a7c431de21996cee66dda86835db998fe22c822b1e9ff81d3a9256cd1f4f17

      • memory/1304-116-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

      • memory/1304-10-0x0000000000400000-0x0000000000468000-memory.dmp

        Filesize

        416KB

      • memory/1304-1-0x0000000000400000-0x0000000000468000-memory.dmp

        Filesize

        416KB

      • memory/1304-7-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

      • memory/1304-239-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

      • memory/1304-2-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

      • memory/1304-293-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

      • memory/1304-294-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

      • memory/1612-240-0x0000000000400000-0x000000000041C000-memory.dmp

        Filesize

        112KB

      • memory/2024-12-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

      • memory/2024-11-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

      • memory/2024-9-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

      • memory/2216-118-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB
