Analysis
-
max time kernel
140s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
22-09-2024 15:52
General
-
Target
f254ad4e1b293202c9ae02fba34dde68_JaffaCakes118.exe
-
Size
265KB
-
MD5
f254ad4e1b293202c9ae02fba34dde68
-
SHA1
e8d237d58d17bcafad902259f09385295d30e92d
-
SHA256
5e026db2218f9982740a534179bb2d94527bef9b324477f1e6ebf7ab7c252249
-
SHA512
6f266ea63b73bad12fe3d9c0b15e106d0477fbfcb1681848dd20d93ff1bc4aeeac6b41db2c59407a47629b8abb722118761e9c0cd754873cc5ab831a566ac653
-
SSDEEP
6144:35BzNdpotTi0/VQn+/3kX5DSq08X+hRhaeBKPvQFte30ysUyKA+1tlko:3vN72TiGSrJDJ08X+RwPvQ23pY6v
Malware Config
Signatures
-
Modifies security service 2 TTPs 1 IoCs
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Disables taskbar notifications via registry modification
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 10 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of FindShellTrayWindow 29 IoCs
-
Suspicious use of SendNotifyMessage 17 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\f254ad4e1b293202c9ae02fba34dde68_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f254ad4e1b293202c9ae02fba34dde68_JaffaCakes118.exe"1⤵
- Modifies security service
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f254ad4e1b293202c9ae02fba34dde68_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\f254ad4e1b293202c9ae02fba34dde68_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\BF4D8\94FC8.exe%C:\Users\Admin\AppData\Roaming\BF4D82⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\f254ad4e1b293202c9ae02fba34dde68_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\f254ad4e1b293202c9ae02fba34dde68_JaffaCakes118.exe startC:\Program Files (x86)\D8C7C\lvvm.exe%C:\Program Files (x86)\D8C7C2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\LP\C88B\D46F.tmp"C:\Program Files (x86)\LP\C88B\D46F.tmp"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
96KB
MD58bb038da58babe6ca9330566b96bfe8f
SHA1cbb9b39c99df0da0988905434b27be0849218028
SHA2567904e250c161a3f2d2164ef495eaeeb1b457c6dd6c6aa8e72c1a0a621fb4fcd4
SHA512ae3b888f40ce80b427964b8928140a32853dd3cd8f0f90ef3dece6f3cb02e708301749673513500e6c0eb3479e4517961f2d437c75ce3aefec8b2ee2f1c951ae
-
Filesize
996B
MD5bdc2d444c71202e2c07a3b07d23a1eb6
SHA105253c6468042bacb50403fab5233ab6f13c2fe0
SHA2563e4984696c60f6bf69fd5fecef30069bbe5238770a1cb6c86531e00b9e29c7c6
SHA5126bf2ec8f9d992656ab285606302a94ef8c487fc17d61393bffc896eabcbe3ea73af47d59baf544d80f05cb522b71925368ad54dfbd05c301f51f985709e6c9b0
-
Filesize
600B
MD5f120607deee0fb53ddbc91ce5c9b6aa8
SHA166ee50451e4435809541ceb2598943ab1321246b
SHA256e96bf2fc5a529f883d9e2202e97f035f30fc51b275134d517127e6eea2dbb237
SHA512fc110f976d2e0bb320bbc8c916b23e4dfe5f57e4af4c7dab5ebfd70b30287848341d37393b38035d32bea0b05ef1d0d01effa19838c938840b8ed984d1822b6e
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
108KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
416KB
-
Filesize
428KB
-
Filesize
416KB
-
Filesize
428KB