Analysis
-
max time kernel
140s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
17/09/2024, 16:58
General
-
Target
e7497d5ebdaf566996b973fcbec7742c_JaffaCakes118.exe
-
Size
277KB
-
MD5
e7497d5ebdaf566996b973fcbec7742c
-
SHA1
6ea6c4511662ae5173727479cbf7d89d8f47e36b
-
SHA256
ff3c7a048129c73515dfd9678f05562f6b91e403f195a761c733fd12d9d0335a
-
SHA512
b1ef69ef7c5ab8e8e81f916bdf1e48252800b8c978859e3e1ee37435c11ecd6062f3efb599057e0285f188bdb1023b6d70f14f8a8d085e5f4fa7ef6616745cfc
-
SSDEEP
6144:vyMCJbcR0pssejZ6IF2difvWjW8BJwR7U1v3Pm0G98XfvBgD1i5PdlZvH:uJQnsej32dUvxNR7UZfm0G98XSD1i5Pp
Malware Config
Signatures
-
Modifies security service 2 TTPs 1 IoCs
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Disables taskbar notifications via registry modification
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 9 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of FindShellTrayWindow 28 IoCs
-
Suspicious use of SendNotifyMessage 17 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e7497d5ebdaf566996b973fcbec7742c_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e7497d5ebdaf566996b973fcbec7742c_JaffaCakes118.exe"1⤵
- Modifies security service
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e7497d5ebdaf566996b973fcbec7742c_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\e7497d5ebdaf566996b973fcbec7742c_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\F4362\E4023.exe%C:\Users\Admin\AppData\Roaming\F43622⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\e7497d5ebdaf566996b973fcbec7742c_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\e7497d5ebdaf566996b973fcbec7742c_JaffaCakes118.exe startC:\Program Files (x86)\62349\lvvm.exe%C:\Program Files (x86)\623492⤵
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\LP\231F\B18.tmp"C:\Program Files (x86)\LP\231F\B18.tmp"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
996B
MD5fc5eed2b86baca41599572ec75127781
SHA154e1f3989be724e956293a9ee1a40b62db9e2746
SHA256da57e71a76c292777701f9d16bdd2525ae091186b0ae250de90acf2a02559709
SHA5121e783d768357045b1e48a8ab11fb381eb4e6b9f55ae47d77bdb2adbb459f346eb95604ad9a78851c01bacf281597106b96c0d7fa56ab6e8c64a970dfa56a191b
-
Filesize
600B
MD504c091c93cd066f167eec371b7f328f6
SHA136da3ef7958daf9bd3b9f3d2f04eff90b5e1e154
SHA2565bb73cc583b2911c86c989b625bc9a60b46307a9abbcc2f132e0bed8c663a38d
SHA5124684a0722801f1bcf4c3206a81db148764833a5e5cce2703cb72935fb22c2f3895f780c8af9858eea8e049aa7e75a2e37b60bad2edd65a8a9ffe1f1f2049dd32
-
Filesize
97KB
MD59c5a144f16fa99b5ea31ca540aca2ac4
SHA19284a3bd648915e43bb250d25314a5d81139e122
SHA25645a95ee5dcb9bc5acc36e3abf9d8c6dd758d2e317f3fe987a70f78d3170660b5
SHA512505149617122c4f67534971b724ccd9d96154117d29ef11fb708993c24892f5ca47e395fca26314b2da6060e5f805305c0d298956f4c8e17bef3fc8b3af0bfac
-
Filesize
108KB
-
Filesize
424KB
-
Filesize
412KB
-
Filesize
424KB
-
Filesize
424KB
-
Filesize
412KB
-
Filesize
424KB
-
Filesize
424KB
-
Filesize
424KB
-
Filesize
424KB
-
Filesize
424KB
-
Filesize
424KB
-
Filesize
424KB