Analysis

  • max time kernel
    148s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-09-2024 11:50

General

  • Target

    ed84951d1eb267601da8d387c2a04234_JaffaCakes118.exe

  • Size

    314KB

  • MD5

    ed84951d1eb267601da8d387c2a04234

  • SHA1

    caf96bf9e531c2f87496f8b1e6e92f23359558bd

  • SHA256

    a89bbb28d4ae43982a06ee14c18103dcdb3121a86d6c064499ea89645cb1150e

  • SHA512

    ee1bd51bdb449e9802ea483edba0a3d064c90c85b6d04b399ceea965dab3747964637fade487e970bfcc0bb98c6ada211abbb2941712168a13e6f3572a1aa475

  • SSDEEP

    6144:2+jqTGmHW+yPYHvv0WRHFrqhqWF4YGMtpSXoG/A/Y8OBkWV6YTpO2fXmYigTmwpu:pqbyQHvv0WPuSmZGA+ZdO2fcgTmXX

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
  • Pony,Fareit

    Pony (also tracked as Fareit) is an information-stealing trojan: it harvests credentials saved by web browsers, FTP clients and e-mail clients, and is commonly used as a first-stage loader for other payloads.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser's credential store.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a component under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components; the StubPath command of that component is run by explorer.exe at the next logon of every user whose HKCU copy of the component is missing or older.

  • Disables taskbar notifications via registry modification
  • Executes dropped EXE 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data such as saved credentials, cookies and autofill entries.

  • UPX packed file 9 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX variant.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steals credentials from unsecured files.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 6 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments. In this run the signature is attached only to explorer.exe, which enumerates devices as part of normal shell operation, so on its own it is weak evidence of sandbox evasion by the sample.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 48 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.
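
The Active Setup and Run-key signatures above give counts but not the values written, so the following is an added triage example (not part of the sandbox report) for checking a registry export for autostart entries of that kind. The .reg text is constructed: the component GUIDs are placeholders, the benign-looking targets are invented for contrast, and the two suspicious targets reuse the drop paths that appear in the process tree of this report; which dropped file the sample actually registered, and under which key, is not stated on the page.

```python
r"""
Persistence triage for Active Setup StubPath and Run/RunOnce values.
Added example, not part of the sandbox report.

Active Setup entries live under
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\<component>\StubPath.
At logon, explorer.exe compares each component's HKLM Version with the HKCU
copy and runs StubPath when the user's copy is missing or older, which is why
the report attaches that signature to explorer.exe rather than to the sample.
"""
from __future__ import annotations

import re

# Constructed .reg export. GUIDs are placeholders; the two hex-directory
# targets reuse drop paths from the report's process tree as sample input.
REG_EXPORT = r'''
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}]
"StubPath"="C:\\Windows\\System32\\unregmp2.exe /FirstLogon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000002}]
"StubPath"="\"C:\\Program Files (x86)\\173BD\\lvvm.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"8358C"="C:\\Users\\Admin\\AppData\\Roaming\\BDA17\\8358C.exe"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# First executable-looking path in a command string, quoted or not.
EXE_RE = re.compile(r'^"?([A-Za-z]:\\.*?\.(?:exe|tmp|dll|scr|bat|cmd))\b', re.I)

TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE_RE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\appdata|users\\public|programdata|windows\\temp)\\", re.I)
# Parent directory is a short random-looking hex name (BDA17, 173BD in this report).
HEX_PARENT_RE = re.compile(r"\\[0-9a-f]{4,6}\\[^\\]+$", re.I)


def _unescape(s: str) -> str:
    """Undo .reg escaping: \\\\ -> \\ and \\" -> " ."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> list[tuple[str, str, str]]:
    """Parse a .reg export into (key, value_name, data) triples (REG_SZ values only)."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VAL_RE.match(line)
        if m and key:
            entries.append((key, _unescape(m.group(1)), _unescape(m.group(2))))
    return entries


def is_autostart(key: str, name: str) -> bool:
    """True for Active Setup StubPath values and any value under a Run/RunOnce key."""
    k = key.lower()
    if "\\active setup\\installed components\\" in k:
        return name.lower() == "stubpath"
    return k.endswith(("\\run", "\\runonce"))


def classify(target: str) -> list[str]:
    """Reasons an autostart target deserves a second look (empty list = nothing odd)."""
    t = target.lower()
    reasons = []
    if USER_WRITABLE_RE.match(t):
        reasons.append("user_writable_location")
    if HEX_PARENT_RE.search(t):
        reasons.append("hex_named_parent_dir")
    if not t.startswith(TRUSTED_ROOTS):
        reasons.append("outside_trusted_roots")
    # A trusted-root target can still be a LOLBin (rundll32, regsvr32); inspect its
    # arguments separately, this function only looks at the executable path.
    return reasons


def triage(text: str) -> list[tuple[str, str, str, list[str]]]:
    """Return (key, value_name, target_path, reasons) for every autostart entry in a .reg export."""
    out = []
    for key, name, data in parse_reg(text):
        if not is_autostart(key, name):
            continue
        m = EXE_RE.match(data)
        target = m.group(1) if m else data
        out.append((key, name, target, classify(target)))
    return out


if __name__ == "__main__":
    for key, name, target, reasons in triage(REG_EXPORT):
        print(f"{key}\n  {name} -> {target}  {reasons or 'ok'}")
```

On a live host the same logic applies to `reg export` output of HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components and the HKLM/HKCU Run keys; a signed, legitimately installed updater under AppData (the OneDrive line above) will still be listed, so signature and publisher checks on the target are the next filter, not a replacement for this one.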

Processes

  • C:\Users\Admin\AppData\Local\Temp\ed84951d1eb267601da8d387c2a04234_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ed84951d1eb267601da8d387c2a04234_JaffaCakes118.exe"
    1⤵
    • Modifies security service
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3956
    • C:\Users\Admin\AppData\Local\Temp\ed84951d1eb267601da8d387c2a04234_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\ed84951d1eb267601da8d387c2a04234_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\BDA17\8358C.exe%C:\Users\Admin\AppData\Roaming\BDA17
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2488
    • C:\Users\Admin\AppData\Local\Temp\ed84951d1eb267601da8d387c2a04234_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\ed84951d1eb267601da8d387c2a04234_JaffaCakes118.exe startC:\Program Files (x86)\173BD\lvvm.exe%C:\Program Files (x86)\173BD
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4684
    • C:\Program Files (x86)\LP\8C0B\1112.tmp
      "C:\Program Files (x86)\LP\8C0B\1112.tmp"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2060
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:5096
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:5012
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1140
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4804
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2352
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2660
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:4412
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3580
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Checks SCSI registry key(s)
    • Modifies registry class
    PID:3316
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:340
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4236
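
The process tree shows the sample's signature launch pattern: it re-executes its own image twice with a command line of the form `<image> start<drop_exe>%<drop_dir>` (once for a copy under %APPDATA%\BDA17, once for one under Program Files (x86)\173BD) and then runs a dropped `.tmp` from Program Files (x86)\LP\. The explorer.exe, StartMenuExperienceHost.exe and SearchApp.exe entries are the Windows shell and carry only generic signatures, so a detection should ignore them. The following is an added example (not from the report or the sandbox vendor) of that detection logic run over process-creation events constructed from the tree above; parent PIDs are inferred from the tree nesting, which the report shows but does not print as numbers.

```python
r"""
Detection rules for the self-relaunch pattern in the process tree above.
Added example; events are constructed from the report, not a raw sandbox export.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: Optional[int]   # None when the parent is not part of the capture
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ed84951d1eb267601da8d387c2a04234_JaffaCakes118.exe"

# Constructed from the report's Processes section (parent PIDs inferred from nesting).
EVENTS = [
    ProcEvent(3956, None, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2488, 3956, SAMPLE,
              SAMPLE + r" startC:\Users\Admin\AppData\Roaming\BDA17\8358C.exe%C:\Users\Admin\AppData\Roaming\BDA17"),
    ProcEvent(4684, 3956, SAMPLE,
              SAMPLE + r" startC:\Program Files (x86)\173BD\lvvm.exe%C:\Program Files (x86)\173BD"),
    ProcEvent(2060, 3956, r"C:\Program Files (x86)\LP\8C0B\1112.tmp",
              r'"C:\Program Files (x86)\LP\8C0B\1112.tmp"'),
    ProcEvent(5096, None, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    ProcEvent(5012, None, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(3580, None,
              r"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe",
              r'"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca'),
]

# Dropped loader location seen in the report: Program Files (x86)\LP\<hex>\<hex>.tmp
LP_TMP_RE = re.compile(
    r"^[A-Z]:\\Program Files( \(x86\))?\\LP\\[0-9A-F]{4}\\[0-9A-F]{4}\.tmp$", re.I)
# Random hex-named drop directory directly under Roaming or Program Files (BDA17, 173BD).
HEX_DIR_RE = re.compile(
    r"^[A-Z]:\\(Users\\[^\\]+\\AppData\\Roaming|Program Files( \(x86\))?)\\[0-9A-F]{4,6}$", re.I)


def parse_start_arg(image: str, cmdline: str) -> Optional[tuple[str, str]]:
    """Return (drop_exe, drop_dir) for a '<image> start<exe>%<dir>' command line, else None."""
    prefix = image + " start"
    if not cmdline.lower().startswith(prefix.lower()):
        return None
    rest = cmdline[len(prefix):]
    if "%" not in rest:
        return None
    drop_exe, drop_dir = rest.split("%", 1)
    return drop_exe, drop_dir


def detect(events: list[ProcEvent]) -> list[tuple[int, str, str]]:
    """Run the rules over a batch of process-creation events; returns (pid, rule, detail)."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid) if e.ppid is not None else None
        parsed = parse_start_arg(e.image, e.cmdline)
        # Rule 1: a process re-executes its own image with the start<exe>%<dir> argument.
        if parsed and parent and parent.image.lower() == e.image.lower():
            drop_exe, drop_dir = parsed
            consistent = ntpath.dirname(drop_exe).lower() == drop_dir.lower()
            findings.append((e.pid, "self_relaunch_start_arg",
                             f"drop_exe={drop_exe} drop_dir={drop_dir} dir_matches={consistent}"))
            # Rule 2: the announced drop directory is a random hex name.
            if HEX_DIR_RE.match(drop_dir):
                findings.append((e.pid, "hex_named_drop_dir", drop_dir))
        # Rule 3: execution of a .tmp file from Program Files (x86)\LP\<hex>\.
        if LP_TMP_RE.match(e.image):
            findings.append((e.pid, "lp_tmp_execution", e.image))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in detect(EVENTS):
        print(f"PID {pid}: {rule}: {detail}")
```

The drop paths extracted by rule 1 (8358C.exe under BDA17 and lvvm.exe under 173BD) are the files to collect from an infected host; note that the Downloads section of this report lists neither of them, only the 1112.tmp loader and the 73BD.DA1 data file, so their hashes are not on the page.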

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\LP\8C0B\1112.tmp

    Filesize

    106KB

    MD5

    935d252de43cc52d42d8c5fdc7676106

    SHA1

    966be71764ce145763aec024eb68448fb1981a99

    SHA256

    8aa995d7637c52067ca57bc7017c2279ab7b427d55634ef5effab4bf2d9e9807

    SHA512

    dfbf507852bb7771a6d56b35ece4e1391ab56f7d3501ffb1f452b5acbf1c6faf76b6607893c96ee0663c1dd25f85dbece3a32aee52225ec09b8ee3db6440886b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

    Filesize

    471B

    MD5

    109b0900e7476ed981f16034b342d64b

    SHA1

    7abe77549520d523d52115a4bc97d78357af6699

    SHA256

    97a89e0b088fcaf6c8e44cbb2b05701b99c4e12619539e91dd0303a58b282257

    SHA512

    1afc2e959942ff517a35f47b5cce3fc7dbc731a61922acc5c0522854e7aac6f428e467609c88f93db3ba01efe83f18a165c5e2b5f7497fbfeb6de0b8eb3f3e63

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

    Filesize

    420B

    MD5

    01f8fc268dfc9e75a897b48dcd5de47e

    SHA1

    ec17bd9bc6b6a4ee62ae38c40f9683a6d708653d

    SHA256

    510407d489a346b14834e14cb8f8c046b64a8ac55d6f00adee351596fafc3d1f

    SHA512

    96f5203f8f08bd13a6cb11541e81e9d0a901130d00528f1b3b71c63aa586cf0149a425a027906abf3559f7fbcc2f750d1711d35956d378f68118b3f52a6c862c

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

    Filesize

    2KB

    MD5

    bcee0b607c2ba80b079a43c7223196c3

    SHA1

    2e6478021ebe4a7318d9b40b87734456f96d5625

    SHA256

    04a96e66fad0d4bb4a62851048f60499d5dc0bcc973adfc55f7475292d411096

    SHA512

    0c586f80c870a7fc0c3893aa73ea4ecc545a087bf301a231f3de0363f9c3ddecdc168ec04bb535c568c2bcaa12d74ac473de84d4966390ffe2416a4e7ae57fdf

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133713066631299460.txt

    Filesize

    75KB

    MD5

    24bf2dfdef426216c8ad66c657b1a325

    SHA1

    d2b91aac022f2bdf0fb165316006164f5e5f1367

    SHA256

    0e1dbec5581bcb6dde4cdc64b61552e7b4029e1ca426fac30e1b3b6b80cbb13a

    SHA512

    0640efeb590f483c7da7d616f8cc08db3e4cfd629b77e7ccb75c5d776c02d9d61b5235d9ddd8940e6afc93e32b27bd6d62b68b0d2fa64e8df4423257d67fcc4e

  • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\PNRCYTYY\microsoft.windows[1].xml

    Filesize

    97B

    MD5

    5e22ac0cbcc2cfca04d1b6983de47d88

    SHA1

    2cec1efb9cc1a5882ea7880bfcbe947c3361c37f

    SHA256

    15c78df0dc6078f22a8655187b6bc79f1142f5ca86fc151e361b748b119bdc4d

    SHA512

    fe181661eb50f5460f51015d576f688ffd9aa9a9c8e2dd1308416a15e2784d5fd1c0dfb3e2819c357c999aa9be208b372b185616e17c3691cf798e4e861bf870

  • C:\Users\Admin\AppData\Roaming\BDA17\73BD.DA1

    Filesize

    996B

    MD5

    071d83a487b5f7d847baf6fea2ab7a76

    SHA1

    d88dbd3f2f4b6da320c62e6c3c652e0e44fd078d

    SHA256

    fbfeca909aa0fcea841c5e0378e4f8a9850eeace8a1c14b6d4326d56b3f2579c

    SHA512

    9f22f904bb269ab5ddc1d3a90acaad1ed8b8b080e8798dc40673ffef950b54ad016cfaedf36a87ce4ed3eec9965b684cde923ff7f5f39a1737370f9298c6b333

  • C:\Users\Admin\AppData\Roaming\BDA17\73BD.DA1

    Filesize

    600B

    MD5

    7166b85031499717b487f905bc279615

    SHA1

    4aa794a408d1115218cfdbb704e28f76ec1c589d

    SHA256

    412f70ebd335acc9b7476ab9adedf3066a35fbc33e8674f9f39228e0a88ac1e4

    SHA512

    dd4fee678f46da1dae1fa27419964afa25269ab794908a57126f8b93b43bfff10bd0e18a1801b162fc89fb5ad52f0660f1c4ac3e522375cc7754605b1ca95e37

  • C:\Users\Admin\AppData\Roaming\BDA17\73BD.DA1

    Filesize

    1KB

    MD5

    6b86c8bfd40018f86074374d135b1ba7

    SHA1

    dce96b344d6e47e9051649e3f518c3a03dc7b5f0

    SHA256

    bc716a26b1fa132b9767a238b89ab85960072dd9207bab60c5e2ba3c7f4982f7

    SHA512

    eaa1d4aaa67e2d69a4f355e7ab3bfcfd66efffaff52cdec7f6e6e3a491420053fb319809c2f1d7e707989533e2cef5d5bd9222dd844689a6663703ac7ba07c77

  • memory/2060-589-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

  • memory/2488-16-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB

  • memory/2660-286-0x00000000028F0000-0x00000000028F1000-memory.dmp

    Filesize

    4KB

  • memory/3580-288-0x00000283F3F00000-0x00000283F4000000-memory.dmp

    Filesize

    1024KB

  • memory/3580-287-0x00000283F3F00000-0x00000283F4000000-memory.dmp

    Filesize

    1024KB

  • memory/3580-292-0x0000028BF6020000-0x0000028BF6040000-memory.dmp

    Filesize

    128KB

  • memory/3580-320-0x0000028BF63E0000-0x0000028BF6400000-memory.dmp

    Filesize

    128KB

  • memory/3580-304-0x0000028BF5DD0000-0x0000028BF5DF0000-memory.dmp

    Filesize

    128KB

  • memory/3956-13-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB

  • memory/3956-620-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB

  • memory/3956-0-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB

  • memory/3956-126-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB

  • memory/3956-2-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

  • memory/3956-590-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB

  • memory/3956-3-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB

  • memory/3956-15-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

  • memory/4236-442-0x0000016EA1F00000-0x0000016EA2000000-memory.dmp

    Filesize

    1024KB

  • memory/4236-469-0x00000176A4620000-0x00000176A4640000-memory.dmp

    Filesize

    128KB

  • memory/4236-457-0x00000176A4220000-0x00000176A4240000-memory.dmp

    Filesize

    128KB

  • memory/4236-447-0x00000176A4260000-0x00000176A4280000-memory.dmp

    Filesize

    128KB

  • memory/4236-443-0x0000016EA1F00000-0x0000016EA2000000-memory.dmp

    Filesize

    1024KB

  • memory/4684-129-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB

  • memory/4684-128-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB