Analysis
-
max time kernel
140s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
27-09-2024 12:06
General
-
Target
fa6040e0bede8a4aeb014012151e2d4a_JaffaCakes118.exe
-
Size
276KB
-
MD5
fa6040e0bede8a4aeb014012151e2d4a
-
SHA1
56e95be57180ec90da56afab2c76712e00f82624
-
SHA256
12087418133383ac3748badd82dbb8ec416a542a2641f191e373fec4d91f8f08
-
SHA512
3e7d69b87b53985fa1db6d563ee9c6de101afbd8fadf2e085f3250c50cbe7f4a4e071cbb15edac80e234f201beb322af963ce96b011827ad17c32795b441e67c
-
SSDEEP
6144:YCTrzmYgUohB1b4WcaMLSthS9sceHhmr9H+UBup7PphJ:1THEOZLGhpckmr9HVuFp
Malware Config
Signatures
-
Modifies security service 2 TTPs 1 IoCs
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Disables taskbar notifications via registry modification
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
UPX packed file 10 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of FindShellTrayWindow 28 IoCs
-
Suspicious use of SendNotifyMessage 17 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\fa6040e0bede8a4aeb014012151e2d4a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\fa6040e0bede8a4aeb014012151e2d4a_JaffaCakes118.exe"1⤵
- Modifies security service
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\fa6040e0bede8a4aeb014012151e2d4a_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\fa6040e0bede8a4aeb014012151e2d4a_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\3658C\AAF5E.exe%C:\Users\Admin\AppData\Roaming\3658C2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\fa6040e0bede8a4aeb014012151e2d4a_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\fa6040e0bede8a4aeb014012151e2d4a_JaffaCakes118.exe startC:\Program Files (x86)\8CA34\lvvm.exe%C:\Program Files (x86)\8CA342⤵
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\LP\5E13\4F48.tmp"C:\Program Files (x86)\LP\5E13\4F48.tmp"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
996B
MD5f1c68c4e104307d57c8a02fb51d11eb0
SHA1d809c70e8a5a1826e09005dd48695da6bab3645e
SHA256ad8179bf39fa7cbb2db990e551c4382bf7c651e351b1270657d3c720512c60ae
SHA512e681a54fc69e1e733654d23055b771431dfd494b2d8937062726013084ad6740a542574dbd85ce78da5960d6df2380fa0af03cd193aca3bc7f0f494f18c213fe
-
Filesize
600B
MD51dfe08bcec5253a57fe0f4bb4d186499
SHA156da343ecbedd5f1ec0cf96bfdba37108913fc61
SHA256c75904d35186aa6f317924b873dc2fa49ebb731ee29f134ab983f28ce3afa8c6
SHA512a39e70fba52d8eddff4e7895d33b6ab33b4446c2a9e88b30326d27f50c6f497e5c0c8f04b9f4b2051cc808d2b3cf53c49096ee998264ec9e4e12dbc541148841
-
Filesize
1KB
MD5560e5b0a6a0c7af9f2782924130d6e8d
SHA1fcb38fef6848eef1d1996f93123121d4963c336d
SHA256885c74e4e70581877e2f83e953012ce5024b6965560b002e19ebc7ba0a74fe52
SHA5124ed50ffb63e9dda3c43d77fcc12a16e97c75b70638e259c443f0c322fa8f841f98281a9be12eecc4326d070dac99450244ac0c8a376b917dd193d1660705d389
-
Filesize
96KB
MD5d8bb0e5c476b7dc08477a9bc400cb63d
SHA15a93bc2964fc9468dfa4133bfc06c7e9b420a3e8
SHA256ca246fbb09c97b0b90028f10a86f2428836e4d4efdc2465517167869952831f8
SHA512f3d0436c61f4dc0b1f201d6f3902ca49b195e10789e855e3cab4c2dfeea2b1a7028b7263ae85fdffb69c855c1f01b96d85fd534ce234a1c3c064f1c940375b98
-
Filesize
424KB
-
Filesize
424KB
-
Filesize
412KB
-
Filesize
424KB
-
Filesize
424KB
-
Filesize
424KB
-
Filesize
424KB
-
Filesize
412KB
-
Filesize
424KB
-
Filesize
424KB
-
Filesize
108KB
-
Filesize
108KB
-
Filesize
424KB
-
Filesize
424KB