Analysis
-
max time kernel
140s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
15/10/2024, 10:07
General
-
Target
472f47ab1044b4c18c7bbff55f232e75_JaffaCakes118.exe
-
Size
286KB
-
MD5
472f47ab1044b4c18c7bbff55f232e75
-
SHA1
165a6d16ba781cf8946fcfdaff6a72793febe633
-
SHA256
b8168d09c96668507404a3f200db3f6e1a1b202247446cdc3f0e547eae3b4a99
-
SHA512
7a7b70ddca55bab8b37b7b0decc428c31f17e36e5b36581bc443e46f0614733ded80034d026a473ee97a66ae44ddd7ef49810eb297e4cdf97945c47b1c155034
-
SSDEEP
6144:IjrYm6sMRDXy1EoGwU9PWGvdx6S/ndLiUX+afjOti29OEAqAYJkwDssNx:IfYHRuUxJvdcyLi++aOtZMxkLDsC
Malware Config
Signatures
-
Modifies security service 2 TTPs 1 IoCs
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Disables taskbar notifications via registry modification
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
UPX packed file 10 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of FindShellTrayWindow 28 IoCs
-
Suspicious use of SendNotifyMessage 16 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\472f47ab1044b4c18c7bbff55f232e75_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\472f47ab1044b4c18c7bbff55f232e75_JaffaCakes118.exe"1⤵
- Modifies security service
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\472f47ab1044b4c18c7bbff55f232e75_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\472f47ab1044b4c18c7bbff55f232e75_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\D4468\94FC8.exe%C:\Users\Admin\AppData\Roaming\D44682⤵
-
-
C:\Users\Admin\AppData\Local\Temp\472f47ab1044b4c18c7bbff55f232e75_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\472f47ab1044b4c18c7bbff55f232e75_JaffaCakes118.exe startC:\Program Files (x86)\68B27\lvvm.exe%C:\Program Files (x86)\68B272⤵
-
-
C:\Program Files (x86)\LP\C88D\3582.tmp"C:\Program Files (x86)\LP\C88D\3582.tmp"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
996B
MD5e53ce8ed99f7e0f0c52e190982c94d0c
SHA1e74e98c64bb4ea1f3e78c4356661ebf53063ec9a
SHA25684c0db717b43a304bfff300576985adc7501ada61ccba5eecc441b9c54928ecc
SHA51207595ff2a581cebb60d7df334024b8537381509bb7c6a99bc14132207a534bc5c2b860629e87ecf81b4764dd8b8db546f32ed74fec51f6c49257facae21b481f
-
Filesize
600B
MD52681458dca166e1c208a5fcf07b14400
SHA101301ae33f2848db862989031b5ebeec6a106c1f
SHA2565fc93c31b9496da57f42a3a1828a4ce56e1e400a28c013b806c6a6a0a84d8223
SHA5121a1e69142500f141e366a74c9d2949c3b2298fb5b70b3893528e8a45a0a376e7e275d1eb6319758d04a03f9300766f66c3f0868110b51fa2c58d0380ed2d1035
-
Filesize
1KB
MD5311f3b9e61dc1b2f360e38bc4c586753
SHA1f9f989ec0320dc504924fac4057662251d52b421
SHA25680bdbefc53499d1e1f4a6d76bc69b8553a87abac724eda8cd2eacb4526ebc677
SHA51206a44ceee3b25973588b24c6876f703f427d0b8a84a59d95abe22e563a7d8fad5640656fc7dfabb4b65aeaf976333ab81d5c7bdb8a6c8bd268f52208c683f328
-
Filesize
101KB
MD57c1eec1582656b89aa5f301d20f3294d
SHA1d7caf59191b059a12d64efa058fede62f61ead03
SHA256c210907e39199218fd9e3e60a9f3c3483d606ff49b297ec277702c61a7efe4bf
SHA512954009ce5b4843b1c4e86281d369c53663f60abdbbdab66415edf23842df7e84f180e0ffaff2840ed33883f22da346889a5b5139da73da4ada4db6d54587e089
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
112KB