Analysis
-
max time kernel
142s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
06-10-2024 12:42
General
-
Target
18202039628dbfd24a7086e39e8a23a8_JaffaCakes118.exe
-
Size
153KB
-
MD5
18202039628dbfd24a7086e39e8a23a8
-
SHA1
73f2ccf467452f8d99619d4672881e25c3ce43ff
-
SHA256
b6dbc5c60d188348f302232f57a9cd96a558b03fe9f7fa7fc4749a38ddd466b6
-
SHA512
327a0bc37529771b0bd3be8c48ba33b7b41b5ad9767ce5509fd2b06f5860ee1b1936616f95073ed34a53977fb4c2b2a4faa3c781ebb130dee0cd7f45b5eb5a42
-
SSDEEP
3072:Zs0MvFhK/sKI4UR0XwfUfTh1rCTsi6vbuM7RoO0GJc93/:ZsvFhK/sKI4dIcT3ZjuJO0GE
Malware Config
Extracted
pony
http://one.mindin.info/forum/viewtopic.php
http://one.mmtalk.com/forum/viewtopic.php
-
payload_url
http://3073.a.hostable.me/Z2U.exe
http://85.18.21.252/PNV3Hbi.exe
Signatures
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\18202039628dbfd24a7086e39e8a23a8_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\18202039628dbfd24a7086e39e8a23a8_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\18202039628dbfd24a7086e39e8a23a8_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\18202039628dbfd24a7086e39e8a23a8_JaffaCakes118.exe"2⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- outlook_win_path
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2540,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=4356 /prefetch:81⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
176KB
-
Filesize
176KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB