Analysis
-
max time kernel
140s -
max time network
98s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
26-09-2024 06:39
General
-
Target
f7c96154b65069ca510bb91097b74b95_JaffaCakes118.exe
-
Size
273KB
-
MD5
f7c96154b65069ca510bb91097b74b95
-
SHA1
fa05314ef1257466c705a64870b13d39a11a13ae
-
SHA256
f1e94b5c0b5dc04bef3c9fb6fa7e0781a97c06af80dd5aadef4572f7fa2efbbb
-
SHA512
66fdd3854fbcfa1c024ee20ae627c7ad26ad291926f46a64cb6fe09b0a11c32e033b68de8dbcc05a3e1dadeb76d79891607b0ff10b3247d4c2382a95ec4dd7a4
-
SSDEEP
6144:NMolZxxSIRDjXjoLZrMFUjGWmbuYyGyQ2Mpya34E7csdran4B:NfxRxjzoxqUauL7M3F7ldranO
Malware Config
Signatures
-
Modifies security service 2 TTPs 1 IoCs
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Disables taskbar notifications via registry modification
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
UPX packed file 10 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
-
Suspicious use of FindShellTrayWindow 28 IoCs
-
Suspicious use of SendNotifyMessage 18 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\f7c96154b65069ca510bb91097b74b95_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f7c96154b65069ca510bb91097b74b95_JaffaCakes118.exe"1⤵
- Modifies security service
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f7c96154b65069ca510bb91097b74b95_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\f7c96154b65069ca510bb91097b74b95_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\08CBB\93024.exe%C:\Users\Admin\AppData\Roaming\08CBB2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\f7c96154b65069ca510bb91097b74b95_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\f7c96154b65069ca510bb91097b74b95_JaffaCakes118.exe startC:\Program Files (x86)\BBA45\lvvm.exe%C:\Program Files (x86)\BBA452⤵
-
-
C:\Program Files (x86)\LP\24F0\1B3E.tmp"C:\Program Files (x86)\LP\24F0\1B3E.tmp"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5a01⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
996B
MD58144dfcf43232f9e746c85ba8365bb6b
SHA1cbe390620ea90c932d9668f0ed318d00ef5f76ad
SHA256294d756306be36a0bee5b6702fafe246c555d3a408557d908125d3df749dd1fe
SHA51219bceb2f78494080b4c78374e3a84fa61f3bffe0b33a39366ce779ff969d285731da9f08fe1e201492fee2e154e3a952351ff66fac8f8f3b0c38637d64f5f996
-
Filesize
600B
MD5b7966a1df17bf4ba833ddd6be5fb4ca4
SHA1d8a12ad1c2b04c08204106941d53fdbb284640b6
SHA256451c3af724b8a8e8b056cab2604b4012cb8abf92d0753d7dc4fe790c6facdf53
SHA512277de492d5310c7310b07f336e156ce60e46274ceef019f34e45dd70e704caba6df5e5e8678d128a3716ba10bd8be517254940a9aa36ce457c5fa214f951c730
-
Filesize
1KB
MD531b567465516db1a66d06054763f155c
SHA1843a0593481be233c9b4d8876efdf45b0936f801
SHA256e1dedd19abe6daff3a3474f3055dfd969221fd1502dd41a62a8ea017d68cea69
SHA512e8e7ffcdb2d63979eb3fcd620250e9251bec9670702bbe54cf9c3166713e061287e6e80cfe6da70c3ba02c34c5951dfce7c7766b94f3fe545294b9be2a426e30
-
Filesize
97KB
MD53deded77ae61b716b296bca0c6c0d2d3
SHA1eb9d9b3cbc713326345205c985e680bf9653032b
SHA256390cbcf1b19a2191c63bd0d08b1b13f6055ea6cfc6602b73851f64baeeb9f8b5
SHA512d665909814cbfc9ad7fa77f46f2e58f54ad5248772a19ce287bf07421ec1bd149d47dc99ecb074b6c9a5c10ba74bdb9380b4495a5f414848817c13e0637fbf53
-
Filesize
108KB
-
Filesize
412KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
412KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
420KB