Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
26-09-2024 02:17
General
-
Target
f75717d817eaf1dce81074e7daad9262_JaffaCakes118.exe
-
Size
3.1MB
-
MD5
f75717d817eaf1dce81074e7daad9262
-
SHA1
767162ef5358074624e7f9331c5df24cabd3f219
-
SHA256
e11460d4bf65827d58d5790883be3993a28e56840f5133bbd91f2a75c42d6513
-
SHA512
c1fe7cae0e1b53aa73a04850df2cecaf4fc8fb0535089b40eac7559b4757b27bf9b0c387b6bb18c97ab99f704e0f863d3f6f8f786ab026a7ee2e68b5d3027e52
-
SSDEEP
49152:IBpgkDhX3jLu+T2nVnmnRMV/lTKcnTVLnKOvnnWNT:o
Malware Config
Signatures
-
Modifies security service 2 TTPs 1 IoCs
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Disables taskbar notifications via registry modification
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 10 IoCs
-
Loads dropped DLL 26 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 2 IoCs
-
UPX packed file 16 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 11 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 22 IoCs
-
Suspicious use of FindShellTrayWindow 33 IoCs
-
Suspicious use of SendNotifyMessage 25 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 40 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\f75717d817eaf1dce81074e7daad9262_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f75717d817eaf1dce81074e7daad9262_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\white.exe"C:\Users\Admin\AppData\Local\Temp\white.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\mrace.exe"C:\Users\Admin\AppData\Local\Temp\mrace.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\dwme.exe"C:\Users\Admin\AppData\Local\Temp\dwme.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\dwme.exeC:\Users\Admin\AppData\Roaming\dwme.exe auto3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\AV Protection 2011v121.exeC:\Windows\system32\AV Protection 2011v121.exe 5985C:\Users\Admin\AppData\Local\Temp\mrace.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\dpmH5sQJ7E8R9Yw\AV Protection 2011v121.exeC:\Users\Admin\AppData\Roaming\dpmH5sQJ7E8R9Yw\AV Protection 2011v121.exe 5985C:\Windows\SysWOW64\AV Protection 2011v121.exe4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\ready.exe"C:\Users\Admin\AppData\Local\Temp\ready.exe"2⤵
- Modifies security service
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\ready.exeC:\Users\Admin\AppData\Local\Temp\ready.exe startC:\Users\Admin\AppData\Roaming\03311\AC432.exe%C:\Users\Admin\AppData\Roaming\033113⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\ready.exeC:\Users\Admin\AppData\Local\Temp\ready.exe startC:\Program Files (x86)\11E36\lvvm.exe%C:\Program Files (x86)\11E363⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\LP\32F0\9627.tmp"C:\Program Files (x86)\LP\32F0\9627.tmp"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Modify Registry
5Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD50892695fa35bdde9927774c50e9baf59
SHA127b4506380b6aeb2bd2f1357b7dcc67f56b51047
SHA256be2ce6130d53993dac515e9d8eb0b92407c56802b3185d0cf87034ad07e0b25b
SHA5125ca4ec8553c73481c15758e0d91ebf087ff3de7e6059dcf87f25c334591ddb047d1ecf0c5fe9e08f6c88db981fd120401123eff3981390270ed28624bea2a0b5
-
Filesize
3KB
MD59a4e4486de14cf62932629508d3ee735
SHA1c1c699f533487b1f058751cceb7be1e6cdd7f37b
SHA2565bff863bee1fb0e087b8791ac5eb2ed3d98a49102c3ff86e3272b38ad903404e
SHA51256627047dc28b74c8a439495122792573286e4f8c2967584cbbe50e1444d663a33e9e2906d94e521f2509a3aee8fc444d796c251c1274666c73f99de26aa000e
-
Filesize
6KB
MD5e4cc0864d952b5dc9a8e82a3d5749a0d
SHA19fcfb189c789768469b76256ee99cb5e368b3b7f
SHA2562b4180a98e93f65f8b992e5aecfe794e2d890c71d9f86b699eb994caed8afc3e
SHA5122a14ad904f3407cb3cdcbaf9efef3d76318c9e3f0e488427a6e497bc09626aee785644da95f3c2bb6350cf114c26aaceb908a6228a6e3a0fcfc3cd9724e746e2
-
Filesize
13KB
MD56cc813f9b3053662e8e2e787ae508c07
SHA1aa8bf474c128102fe9a4375b931c76557ec66d08
SHA2568ba534e1b11360cc428b1a6d39c0c923a0e4879eb5e5eddc3b746f18ca003a6d
SHA512ce11d07bd8ba98e3f47ea7d1bc6d089b28f18e19c8069de5ca6115d356d41d08c58bcd8cd5c58a2b196bcab7b45758e03d041a2745797c47460600dfd02dfa36
-
Filesize
14KB
MD52531c38d6be14a78764a32d2fc5d455b
SHA12e1e0a79fb69ecddae2458bef617cafa1db704b7
SHA2561a928165ba149a0fc842f83e11a55e513dd345153e1cf4fa30e340e7150c943d
SHA5122629073c765c4adeeeda348996c70ddb389159f81e01e004d8402242774070e4fe53aa21635a9e72db13320504608ccf735946483926def5af8d8f7a5761ac93
-
Filesize
9KB
MD58385bf8cd7f127bb19a5f45196172d1a
SHA11b4f64ee9665680657180f825058c52277dafd14
SHA2560c1a109959f5543637e10f2af911a2687c467aca3ececd9cd473d3f32d473836
SHA5129d11d71047a259acbeb293f1f316ecc43b2ab09621c32a1dba0be597ca94b1ff7fa3fdf45f4a01e95148fc6a749c62fe52791a9dbb66e85a4e58c959631a1c3f
-
Filesize
9KB
MD50245f12a46aa981eafa0f10cee085017
SHA12b459c4262fc5f88b93fea3a7536d60573b93325
SHA2564169291376ac8c329a72fbce2f67a73b022db6f3c9c96e9d3c181dacdac2c3e1
SHA5122567b2857b52f665b9ed3ab642d15b58a2e97f338cbd9fbd6250fb5ae104cf703e7a4d878bc6d8dcb906a537d99b19bc001514a627e97450344c5f69e828d18e
-
Filesize
14KB
MD5259a8d3ad888cbcb252f4794fdbf67db
SHA155822a43b09cc79d9f1fa79199db216c7bf05714
SHA256eb5c7c97ffa33e21a63e6815bb44d9d75ba21dec2f199c68457f014c68a44e4a
SHA512dc975cd8d963358436b8430dc92c0b4246a07348d5435804335c855a7de1625dad686f150c2058bad75fc43b898033630d7827cb02e5f08c3c2acab22d94db5b
-
Filesize
9KB
MD53d1e1165023417f138d0391e6dd3989c
SHA122adf9e91dd3eede677436a73e675688ebbbbd4b
SHA256fcc41d0799711f0a2a3ceebdf4da6aa9fcd4c3e204a29e82371573165ba15a23
SHA512aa6bd1de09f97c00805e11c3f403c443047e82dc57a241c8f35a77acfe749022e85bbfc233f540bf630788a50ed962030bbbf7b584c8c1819f69a97f32ffabf3
-
Filesize
6KB
MD5af00aab327e33679235de5a456547f24
SHA18c33e37e9343fc553472df974ae8993bbaf3e168
SHA25612c5fbe07d2ff84765532ecda72e099a92c47b56e5dc55633649a7e9573baa5c
SHA512d3ced6191e0c9ec12ec626f248ed20bffa26aec7683322841c919a438846b21df29525ae5c9fcaf5736b461f250072be54621432898a4a26d92bbc319109dbce
-
Filesize
9KB
MD5e22d9f2a7e7fddab9cb05ca63d9d28b8
SHA165e4c5f1b6d6d0f47f1d016f06ff16b663601370
SHA256436f298462058002ef4358fda5294a8fef5a587af7681c6d27386b0e127b4c8e
SHA5129d714d9017f8d0d88ee8214b58294b0f3b0248060bb2ce5dea1b8c18bfc11168b637e777046ab2c936ce96e5a2f2d355235da1ee0508f7cb350951b98c22efc6
-
Filesize
13KB
MD511d4ef2d2274dc2b2997a9d8b2236927
SHA161748b3f8557131f166204104b36a2c6239ef6f0
SHA256bf98c73b850b220124c503dce46a4efc4c5c9425678361bc31165118008e5dcf
SHA5128807d68552d50680b9ac5aa705b81561aeaeccd68e78c76cae55362bba5a6018a87fe36cc649b08de27e0d08bea1c32488765b80711f9a9e232686453cfa5691
-
Filesize
3KB
MD5860d8826f614920dc5b53b003c46a334
SHA13a1a3dccb5a98985d5e45ce4d275f0d10dd8432c
SHA256c84bba2ae4755636014416f755ea4bc587b69002e690dba585bf66308159b15f
SHA5122d0436926941baca87099fe3444946d1a9b9b3979f29e2a2711dd3efd51f73cf9a3e6c82db08f400a577da1263419f0b293de4be9e0f45501c7cef4cec752515
-
Filesize
7KB
MD5a4769d88270ef5eb614804ae06408772
SHA129a5e08c2a8f48445fa6929cca74ab0c2d0eec55
SHA25646104ba5128ff3296f7407dee1294b01f8fea57b57de15fc9857f7c37da1a0be
SHA5123a7e4fe9a7ceafbc0bb7c2abeee404fac87e2961d789a8becbac8b951618e4f3844e6860963d9b3e0db3ba69ee78e768ce1a2ffd399ef979ed40040166ed6954
-
Filesize
600B
MD53a7b6e15d0323f2e3b59d1ceb409d174
SHA1f9b5dfb664faa357091410f09963417a1c585633
SHA256a9e9a67208e95185decee5aa9aecaf4ded4f8cd92aec9adda3e1ca0b4eed7ad6
SHA512bb63130526ee446dec6cec185002e30e5984ee6a853bb0572d46d804f37ad936b0f6fed97bbd97244614edd029faec31f7e7a71dee230bcfc20489a387e6349b
-
Filesize
996B
MD5767b3ba020ae62fbbe5eafe9f645b4c6
SHA17334289c0f33ab570adf7bf36f911e6fa15d0567
SHA256999d9824b2658317c86a7052bfe7c58fbcf569db4914ce7081d9bf94037018d3
SHA51227caf9edc5128eed377343ac84db784681833925c316d1c107f267d657d6127f77c22aaff10fc2c468e53bfd4fb346b3a7bfaedc9aa92fba5d57a821b3449943
-
Filesize
1KB
MD5caf6a1e23b02b66869fae7e1e989250d
SHA139161b604381fae27ebafe7d730ab832ac85579e
SHA256126db749562984e46488cf5e308727cc5803157b0eda7426cee80cf96f50f4c0
SHA5120791d8ac08e31ba6b7c33df96504c7390365cfa5adfa46508eb1fc0fd47eea4d48e156b09bc773399fb514b2acb180b1f21c3d578c1ea15deb974fab356fcacc
-
Filesize
12KB
MD5bb87f71a6e7f979fcb716926d452b6a8
SHA1f41e3389760eaea099720e980e599a160f0413b9
SHA25614c9c49d8ead9ab59a56c328008f59c20b32c3ad22c00e02d34e16ad7086fe84
SHA512e1d14363274e367ea600afc357d012233fc68f0636e8d05b29992e762d31e9a55b4fa38b08613c2ca528d7fb0f547774a3a3dc79aada32c2c7359c3edcdb549d
-
Filesize
612B
MD5d4dc561a052d4f5f5f2f4ca054a6d9d0
SHA143bf254b60a98e6688a5f3a882462ed014644d40
SHA256c95eae8e6d05801474aeb7cc35e4e02ccbdaf354b12a48acd1189e84739cccf9
SHA5122a343307831d9eaac7ab1d876a354f654148f74bfa755da21c249fe6c782ea944708c1c41d803641a60c70927325bca4564ecd92e572f37bc22836c0b6617ec1
-
Filesize
1KB
MD50fa63e0b235a49b1883114ac089d06a8
SHA124c8a397e8af9bc3303529ce2ea4cf4549f6fe43
SHA2568e0bd99920ea87510586aa2427983a72ffb8ec1fa9fb8b0380a5dc0eb3342282
SHA51249c589d13cfcf8d36c746cff079a1c0f42c003427eb0ae3ff6ac3f390db20631010a3d6bb134075f432ad5226affe18364b7e13d10ee5399c9878ddb0193998d
-
Filesize
1KB
MD548b07e5b865e53da6e25ad7ac10ea65a
SHA1328ab1007d847dcca576ccf309ee03dd6606a374
SHA256738171e75b306970ad8764d06680bfeec284dd85569412f945e6f10108dc67a7
SHA5129b02d459ddd8da7235bcb41b5006a1335aff12a737584d732b536a34e3b16e8fb685e3ddfdc67cf3a0903f000e0f1a8509ad31aa360bf129f1d56a35d6a3275c
-
Filesize
1KB
MD50c7507b36c53bb50ab29842ceda6bf5e
SHA1a772f99514dd18a29b1233d16392bdedd384b7de
SHA2567a270ccdfd864348c0f4eb9f35caf0e57bda75f2aa7d525a72c18fe82b313f97
SHA512f937ebda34dcff296fbb1dff04428f7b0f308e8927f6d5fc9f715687abea342b7eacf372fb0c1e6e99ef3df04f120ee581f6fcf14a519347ba3ae3a9cdeb46aa
-
Filesize
99KB
MD582d50af33ff156670a076dc834a99b4d
SHA1d5e3662e28d51a8366fb214d77585b95984541d1
SHA2567f57b37aa39698068271e64bbb42ff74b1a2b6157d233d8bdef1f683a7230a7d
SHA512527986d4cca9998059e278de71989f3f46851eace0370cb2bfd69dc7292d5a1597a373ff2b350137eeea8dd7dd13a0e8de8b6306795e4b5a6428fab6c1b27563
-
Filesize
283KB
MD5cc6f0b2fd70c63672de6c1249f0e9cbb
SHA172caa65da6f0a4ce78a0c22b5ad64540b87e2912
SHA2563e4d6fd109879dc3f608f08e0e152b26b93dce0d08e10d4c2308aedf2fbc1177
SHA512a8b2199357092780aa62db1959bc631cd8138e54fb62312fbc10738fa5543afa3e252e0fc3ec08399e7c80e2cfcfa795262b0060ad4386811219cac94b032db6
-
Filesize
1.9MB
MD5a814cab54088bb64dd76909325d8255c
SHA187beb3172b2c5e1f80d945d2081963b89a71d405
SHA2568777bc9b25e97841baa95f8c33a7f48386feec1ece6e642fa8c305c359737a29
SHA51251854b2ee5f73ff4861cf4724ee9c23e882c4c21fd15c56987c8c4e4f88f8571c3488cecac13cb7c08013fe84b1aa1ed61e14e8ed19fa4ab92d718f48860df5b
-
Filesize
283KB
MD59943ac3536f8595fa7d492f89d67a179
SHA1730bcfa82e14745f88b99dbcc78e438899215963
SHA256e6a961219d4c28fbc8301a3e84e5d72b984ad42245569881a80450af0984b703
SHA512db825f1db2b9ce560110b148f3de131c77c5d6aab854fa3537db7609b090d1246ee25f82a00005de9dacdfcb09d8f0e9e473febce4872377f045fe000d5e2a78
-
Filesize
17KB
MD5e2f50ad18ee46952ea1910b826ef2ad1
SHA1531b13b6beb89d4fb74ffd2b44d241f0c0b5ccb7
SHA256882ad3e502cfa58fcb568fbd8ab0da8c0628475e497370e73b137e394e850cc6
SHA512a540aeabc761c9338eee5625351515dd1830aed6cf5d86a5b5c68e62ff653f8ef9fab497679de739e9ba260b81bc4544d5f283b5b98c016060237b3225eed482
-
Filesize
428KB
-
Filesize
112KB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
3.9MB
-
Filesize
1024KB
-
Filesize
428KB
-
Filesize
4.9MB
-
Filesize
3.9MB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
3.9MB
-
Filesize
4.9MB
-
Filesize
72KB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
4KB
-
Filesize
5.4MB