Analysis
-
max time kernel
141s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
30-09-2024 10:58
General
-
Target
00f7363f87f8c119c32ff93f0fd4a1a3_JaffaCakes118.exe
-
Size
284KB
-
MD5
00f7363f87f8c119c32ff93f0fd4a1a3
-
SHA1
0df7c5cf11c19872c1088544828c0d5ed260c757
-
SHA256
bc374b51178dda843643be87fe37fd0b2e6518be16fb500a74abac2ae5dfbbbe
-
SHA512
062f64070d2fa2ca0ee2392e827fd15706e8d6f5c74c0589b1331b3a57b22da246aaa96c547eb577285baae4d7757f60a51303b87b8ce7ed5aad39fa11f0a488
-
SSDEEP
6144:GSliSmv/UN/HNn/s9FPSSdEnAh0QgL91b5r10xUpBCySeK3kc:GeLmXoWZ5EnDL9q
Malware Config
Signatures
-
Modifies security service 2 TTPs 1 IoCs
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Disables taskbar notifications via registry modification
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
UPX packed file 9 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of FindShellTrayWindow 28 IoCs
-
Suspicious use of SendNotifyMessage 18 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\00f7363f87f8c119c32ff93f0fd4a1a3_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\00f7363f87f8c119c32ff93f0fd4a1a3_JaffaCakes118.exe"1⤵
- Modifies security service
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\00f7363f87f8c119c32ff93f0fd4a1a3_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\00f7363f87f8c119c32ff93f0fd4a1a3_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\CEC2B\DBD8E.exe%C:\Users\Admin\AppData\Roaming\CEC2B2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\00f7363f87f8c119c32ff93f0fd4a1a3_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\00f7363f87f8c119c32ff93f0fd4a1a3_JaffaCakes118.exe startC:\Program Files (x86)\2B0A4\lvvm.exe%C:\Program Files (x86)\2B0A42⤵
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\LP\8E3C\3073.tmp"C:\Program Files (x86)\LP\8E3C\3073.tmp"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
996B
MD5ea377706621ff821ce850f598e459dfe
SHA15bdf29afebb4bb7efed4b843342d7f2b787f6af9
SHA256eb7906e1b662d0d8d06099bd38bcdb1143b193b4602c3a829f4b2249e4a964ee
SHA512286e9624ce54a4758ec461c6498fcdfda876314ab09f99a153b28bbe92a3d8e80f9d11cb3f97d31a7c059334df242423d49f1be2a53466b11eb69144b87300e2
-
Filesize
1KB
MD5a92b3d7d7db7b46dc69970ff66fd5d63
SHA1a7a39ac93c4affecd2bbd19ae4ce7f54190d3718
SHA256cc42ae386e37d5ad5a6355bf936e08190f900b031dc8ed0ff299904d2711079d
SHA512c0ccc2731bdffd666c5c96d2f64e82e11c7bd055f733377a4a7ed36f9acddc2e00cf1c7cf9447cebbb14ee3a7aa9498c9299a57eb157d57b12db4a91290cd73e
-
Filesize
600B
MD5ecd5b543042713b69dac65cfde1278af
SHA10e6acaee1d6ed599eebc4839c172e755fc822dfa
SHA25602bc66890e10b7a85ec42b4a8515590ef5e68eb202f066d69fabfdfb3c238e77
SHA512e48cada48c8811c173c957f17dcf233e19ad0f27e9afcc340cba2b7e014fba219ea1c1dba60a983630007e76dc8b99d781785438b09e8327187395584aa1a2d8
-
Filesize
100KB
MD550777c38a35804872660aa71c7eb52d2
SHA1c94bdd4378d0e9f0bb2a71edca520bd49251a7aa
SHA25644761b2153a01f2cd930d6b87fc3e2ba09e8940e4d096b556e99c74f26938faa
SHA5120beaa0e126af6adab4867e40fbfe554b829a769bd22af5aad1cfe5f63d569c16c2a003d7b98724efdf8fe255b6c8b124487c999db70c2012ba68faa130fa9ce4
-
Filesize
424KB
-
Filesize
424KB
-
Filesize
424KB
-
Filesize
424KB
-
Filesize
424KB
-
Filesize
116KB
-
Filesize
416KB
-
Filesize
424KB
-
Filesize
416KB
-
Filesize
424KB
-
Filesize
424KB
-
Filesize
424KB
-
Filesize
424KB