Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
09-10-2024 10:38
General
-
Target
2f9e432d4ff23562f2395ecb626d2b6e_JaffaCakes118.exe
-
Size
84KB
-
MD5
2f9e432d4ff23562f2395ecb626d2b6e
-
SHA1
2a9961a3ae28b4c112c1ff1a7e208e6297f4e426
-
SHA256
e83660b15a8fae159a2f3e8b39231950f956fa3679cdc68823d705a1b02e06c7
-
SHA512
55da162210a922359279e8161e91230ad4ed7f36efc02a92bd600aa4f987e8dbc8295ff03e0f508becf4b3c5014c331cc0b14dde44a46081f49a2df2c3ac4c39
-
SSDEEP
1536:9bgsoX3Itz6GmGo4hPhDW+wWupp0Haq5GsrYJUS5t1K+Um/+jBCkKj3ZEiAZ0Cxl:9u3MpDnhPhlupO6bsGUS5a+UM+1CkY3D
Malware Config
Extracted
pony
http://fypse2u.info:1654/ero.php
http://crytili.info:1654/ero.php
Signatures
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Drops file in Drivers directory 3 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Hide Artifacts: Hidden Files and Directories 1 TTPs 2 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2f9e432d4ff23562f2395ecb626d2b6e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\2f9e432d4ff23562f2395ecb626d2b6e_JaffaCakes118.exe"1⤵
- Drops file in Drivers directory
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy %WINDIR%\system32\drivers\etc\hosts %WINDIR%\system32\drivers\etc\hosts.sam /Y && at 23:58:00 cmd.exe /c copy %TEMP%\240630968FdOh %WINDIR%\system32\drivers\etc\hosts /Y2⤵
- Drops file in Drivers directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\at.exeat 23:58:00 cmd.exe /c copy C:\Users\Admin\AppData\Local\Temp\240630968FdOh C:\Windows\system32\drivers\etc\hosts /Y3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\windows\CurrentVersion\Run /v 240631265 /t REG_SZ /d "cmd.exe /c copy %TEMP%\240630968FdOh %WINDIR%\system32\drivers\etc\hosts /Y && attrib +H %WINDIR%\system32\drivers\etc\hosts /f2⤵
- Hide Artifacts: Hidden Files and Directories
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\windows\CurrentVersion\Run /v 240631265 /t REG_SZ /d "cmd.exe /c copy C:\Users\Admin\AppData\Local\Temp\240630968FdOh C:\Windows\system32\drivers\etc\hosts /Y && attrib +H C:\Windows\system32\drivers\etc\hosts /f3⤵
- Adds Run key to start application
- Hide Artifacts: Hidden Files and Directories
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping -n 10 127.0.0.1 > NUL && del "C:\Users\Admin\AppData\Local\Temp\2f9e432d4ff23562f2395ecb626d2b6e_JaffaCakes118.exe"2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping -n 10 127.0.0.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
16KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
16KB
-
Filesize
184KB
-
Filesize
184KB