Analysis
-
max time kernel
146s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
24-09-2024 12:38
General
-
Target
f3a8666ace25d0597e31c0a40f424e07_JaffaCakes118.exe
-
Size
278KB
-
MD5
f3a8666ace25d0597e31c0a40f424e07
-
SHA1
4fd33f59c16dec746c493d123c44f1ea443512b3
-
SHA256
682f020d5d5028c8dd87b0d61de06df7de6658340aac65cf64abea359fa188fd
-
SHA512
14befc8134043ec3bd90e2178ca6ffc5e54de26a1c1f1c32e25a3a2e7d5e980309fa87acfb3a6e12c5b63b37621c9a0a96c1adb1b41ebf176f011b5dc6b946f3
-
SSDEEP
6144:upwR0zzOv/+iqBMZRRWPL4Qm4MTX2ef6cv3:GwR0ziHI+cLzXA2eyU3
Malware Config
Signatures
-
Modifies security service 2 TTPs 1 IoCs
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Disables taskbar notifications via registry modification
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
UPX packed file 11 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of FindShellTrayWindow 28 IoCs
-
Suspicious use of SendNotifyMessage 18 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\f3a8666ace25d0597e31c0a40f424e07_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f3a8666ace25d0597e31c0a40f424e07_JaffaCakes118.exe"1⤵
- Modifies security service
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f3a8666ace25d0597e31c0a40f424e07_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\f3a8666ace25d0597e31c0a40f424e07_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\3E28B\7BED3.exe%C:\Users\Admin\AppData\Roaming\3E28B2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\LP\D3A3\34F5.tmp"C:\Program Files (x86)\LP\D3A3\34F5.tmp"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\f3a8666ace25d0597e31c0a40f424e07_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\f3a8666ace25d0597e31c0a40f424e07_JaffaCakes118.exe startC:\Program Files (x86)\8BBA6\lvvm.exe%C:\Program Files (x86)\8BBA62⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
104KB
MD50cb09d0443d2eda312058ae1a2fa83c2
SHA11888844fcab4269a5c08b5cf122b100e8abb3cb0
SHA25650a9af2fe05dd06d6ff825bcf2106b64385e7fdf9a06a0a18ac187c4a057503a
SHA51293bfdc4d14a7ba7cce25d0a83faa29e0efa7932f3024aa82fcc1d606cb9a65e0ebd91942ad9992ce787f639df1748fde9599cb9b676245a17a8198064df2e24c
-
Filesize
1KB
MD5fde87b50a8684c47e26739e3e8bd13f5
SHA178ce1870524ac1cc37d6502164f8755b406ca001
SHA2562b1c0f496df38e2691877e76f88e7ae1ddd082eca0957698252f433d961ce2d8
SHA512e1530fd4c23eb007c70f8eb6bc3265a765b97ac501b71fc5dae98cb4676705f093077d2429d64ce6608d9dd277ae55e8fad182b6ad17a9a102cb471f3943b58a
-
Filesize
600B
MD5205a074ee819a3551debfbda7f4d0fe3
SHA1a85a4a1d66724fef25b94a6e355420900a2f357c
SHA256d3bc2f05203f6470abbeae4c936504d7baf3f2b4f4d2893253dae5faae41b9de
SHA51201c9363500816315f5d48f3eaa5be61afe468ac277c2d585c52cde8ed1de47a72d66950f8d4fcff046a5b0a2042ddcb2fedfa31523e76e6ee6fb0fb10eacaeee
-
Filesize
897B
MD518a201701f603055f807b8ee732d1709
SHA1fe91b953a663481d381f8bb517b9d648388879e2
SHA256189cfbc3a986f13f5ede8fa2210728bdb85f7f2312f943e42a8778135c33d5e7
SHA5121a12d6f4d5c7ad9493930dae82dbd4dffc332e68b9a425001f9faaf0605e5e9b2186270b122eaeee0cf4aacc429db0b9ca685b4d8aa627568d8a7d00418a3026
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
408KB
-
Filesize
420KB
-
Filesize
408KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
116KB