Analysis
-
max time kernel
140s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
15-09-2024 00:34
Static task
static1
Behavioral task
behavioral1
Sample
e159da294ce5b65f9fc965ef215dd05c_JaffaCakes118.exe
Resource
win7-20240903-en
General
-
Target
e159da294ce5b65f9fc965ef215dd05c_JaffaCakes118.exe
-
Size
93KB
-
MD5
e159da294ce5b65f9fc965ef215dd05c
-
SHA1
e76430ea8c4da9c066d5cccc33383ce722075963
-
SHA256
2cd8c1cfae837fe26ca7f4059d64378648a2d151415b6dad8d8264ca0db44aac
-
SHA512
ce8cb836ad9946b24fed992b1cd098d357539338eacda9bd95c366c013f645408ab0f3662b2737152eb89a50f4ff7a486f3c73fd1ce25d253fb7805c8c4c64cc
-
SSDEEP
1536:wIIBLQ48UElI7DA/5cKpwCV56udBTjmkwu6TsnesCZ6bt8JGeET83YWYrsCKra98:8U3UElI70/5cNCP64jLFResa6b+JGeEE
Malware Config
Extracted
pony
http://176.28.18.135:8080/pony/gate.php
http://85.214.243.87:8080/pony/gate.php
http://88.85.99.44:8080/pony/gate.php
-
payload_url
http://www.stablerkraemer.at/15Psv3zJ/4ah6NuS.exe
http://www.grupozear.es/5PYpsVTJ/mPt0Zx.exe
http://www.angauto.com/X1Peab6k/RdF.exe
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e159da294ce5b65f9fc965ef215dd05c_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeImpersonatePrivilege 3596 e159da294ce5b65f9fc965ef215dd05c_JaffaCakes118.exe Token: SeTcbPrivilege 3596 e159da294ce5b65f9fc965ef215dd05c_JaffaCakes118.exe Token: SeChangeNotifyPrivilege 3596 e159da294ce5b65f9fc965ef215dd05c_JaffaCakes118.exe Token: SeCreateTokenPrivilege 3596 e159da294ce5b65f9fc965ef215dd05c_JaffaCakes118.exe Token: SeBackupPrivilege 3596 e159da294ce5b65f9fc965ef215dd05c_JaffaCakes118.exe Token: SeRestorePrivilege 3596 e159da294ce5b65f9fc965ef215dd05c_JaffaCakes118.exe Token: SeIncreaseQuotaPrivilege 3596 e159da294ce5b65f9fc965ef215dd05c_JaffaCakes118.exe Token: SeAssignPrimaryTokenPrivilege 3596 e159da294ce5b65f9fc965ef215dd05c_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e159da294ce5b65f9fc965ef215dd05c_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e159da294ce5b65f9fc965ef215dd05c_JaffaCakes118.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3596
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4408,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=4360 /prefetch:81⤵PID:2896
Network
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request196.249.167.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request73.31.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request26.165.165.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request56.126.166.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request240.221.184.93.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request30.243.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request25.140.123.92.in-addr.arpaIN PTRResponse25.140.123.92.in-addr.arpaIN PTRa92-123-140-25deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request170.253.116.51.in-addr.arpaIN PTRResponse
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
196.249.167.52.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
73.31.126.40.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
26.165.165.52.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
56.126.166.20.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
240.221.184.93.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
30.243.111.52.in-addr.arpa
-
72 B 137 B 1 1
DNS Request
25.140.123.92.in-addr.arpa
-
73 B 159 B 1 1
DNS Request
170.253.116.51.in-addr.arpa