Analysis
-
max time kernel
141s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
15/09/2024, 00:12
General
-
Target
e15152970f895f791d308e15b6257d8a_JaffaCakes118.exe
-
Size
271KB
-
MD5
e15152970f895f791d308e15b6257d8a
-
SHA1
c51816753debd5f0fb0867caaf4c33ab7aa4d5a2
-
SHA256
a26d8a96cb183a283c0bb67e967d42e286e1fa5da441c1ca66758fcaacf04887
-
SHA512
ee663b26dc8904dba6f938c0afc1c1e5b26a71e771908556c6b029e569bc188d84081d6d5a13c7bc8b8733796a9525168ffd86e62723a5edd0026fdf9a4f3085
-
SSDEEP
6144:YSQbZw05D4+XumMrC9aE0vaf32Zk/M8DoFv6kzih0c:RUZPD4KuxgZx8qM9bWS
Malware Config
Signatures
-
Modifies security service 2 TTPs 1 IoCs
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Disables taskbar notifications via registry modification
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 9 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of FindShellTrayWindow 28 IoCs
-
Suspicious use of SendNotifyMessage 18 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e15152970f895f791d308e15b6257d8a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e15152970f895f791d308e15b6257d8a_JaffaCakes118.exe"1⤵
- Modifies security service
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e15152970f895f791d308e15b6257d8a_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\e15152970f895f791d308e15b6257d8a_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\DB715\DBD8E.exe%C:\Users\Admin\AppData\Roaming\DB7152⤵
-
-
C:\Users\Admin\AppData\Local\Temp\e15152970f895f791d308e15b6257d8a_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\e15152970f895f791d308e15b6257d8a_JaffaCakes118.exe startC:\Program Files (x86)\15AE8\lvvm.exe%C:\Program Files (x86)\15AE82⤵
-
-
C:\Program Files (x86)\LP\8E3D\3E86.tmp"C:\Program Files (x86)\LP\8E3D\3E86.tmp"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
996B
MD5f7f6348dedcff04ecc7b28665afe0bfb
SHA1695849c90db08648bc904ef4c99a83d2d260ddfe
SHA25682754cf04fc1fd2abc6a555347221ac149a176155a145efb7c739c6a4c221283
SHA51276231a86a29eb1148523f63eaf7a7ae135a7a195876c8c1c996f53474ab05d8e4ceaaf94879c53028beeb6997ab2c4aad1b811a93768d416bb91b3bb24b715d0
-
Filesize
600B
MD5375990cc5037805d8854e87c54022177
SHA11bbc566a63ca0052ebb633ecc52f1369910fa8bd
SHA256939023b78f7ce4a4e5823de6a1626ad0101e67f4ee0f8f876f92d7173c3e1b39
SHA5125f3e158889251742c67e2b6697e90c5e1f28245ed36b315b2bd913bcd548adda03d2e9a960c66123c9cdf5d5bf0cdc56a9b9ae723284ab4bc6ec9ba4c99cb554
-
Filesize
96KB
MD5d8d5f87f9f7c9686a7b47994d4c8f0e8
SHA171e9f4848fe8b08a5fd29b28fb2fc0f84ea31be6
SHA256fad3d3f0432b42f3045f28f8c4a4c171d90bb354b942608f5e3f5bd7e032ab2d
SHA512fb5c9dbda636fa5eaf76db0df3cc850e148043dbd2174dacea47f762c7352d13362d6f2b6d4aabed65128e09d7eb4402ffdf300fb050bfc033ddfdcdf1b79d99
-
Filesize
108KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
412KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
412KB
-
Filesize
420KB