Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
15/10/2024, 19:10
Static task
static1
Behavioral task
behavioral1
Sample
49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe
-
Size
84KB
-
MD5
49881ad5a4e7ff571d1a49b20aa59e98
-
SHA1
2e0b51f491d97d9c019a5d036ea562dc98d006a0
-
SHA256
acb9d0191ec6198145cb575aac3fca45ba4fd8138a7faf447a189d5917043631
-
SHA512
bd7c1d8c8abe158dc356baa1a053fb14d2003aeaa3eab5b461e55cf34dfb3286174d0551ca0863acbfb41fe377c8a278460f76ecd892d3ce355ae41fd97d960a
-
SSDEEP
1536:zurTR4UUbBBHFZnT1m/taX2Q7SBByelm5s0nrneZhmoyaOeWQDhSJ5Mz8I5702NF:ieUUVcAdu/1Y7e3KaOteSG54YYF
Malware Config
Extracted
pony
http://fypse2u.info:1654/ero.php
http://crytili.info:1654/ero.php
Signatures
-
Drops file in Drivers directory 3 IoCs
description ioc Process File created C:\Windows\system32\drivers\etc\test 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe File created C:\Windows\system32\drivers\etc\hosts.sam cmd.exe File opened for modification C:\Windows\system32\drivers\etc\hosts.sam cmd.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\240615406 = "cmd.exe /c copy C:\\Users\\Admin\\AppData\\Local\\Temp\\240615109FdOh C:\\Windows\\system32\\drivers\\etc\\hosts /Y && attrib +H C:\\Windows\\system32\\drivers\\etc\\hosts /f" reg.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Hide Artifacts: Hidden Files and Directories 1 TTPs 2 IoCs
pid Process 1372 cmd.exe 4716 reg.exe -
resource yara_rule behavioral2/memory/4828-2-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/4828-7-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/4828-14-0x0000000000400000-0x000000000042E000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language at.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2820 cmd.exe 4040 PING.EXE -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 4040 PING.EXE -
Suspicious use of AdjustPrivilegeToken 48 IoCs
description pid Process Token: SeImpersonatePrivilege 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe Token: SeTcbPrivilege 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe Token: SeChangeNotifyPrivilege 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe Token: SeCreateTokenPrivilege 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe Token: SeBackupPrivilege 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe Token: SeRestorePrivilege 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe Token: SeIncreaseQuotaPrivilege 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe Token: SeAssignPrimaryTokenPrivilege 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe Token: SeImpersonatePrivilege 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe Token: SeTcbPrivilege 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe Token: SeChangeNotifyPrivilege 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe Token: SeCreateTokenPrivilege 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe Token: SeBackupPrivilege 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe Token: SeRestorePrivilege 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe Token: SeIncreaseQuotaPrivilege 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe Token: SeAssignPrimaryTokenPrivilege 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe Token: SeImpersonatePrivilege 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe Token: SeTcbPrivilege 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe Token: SeChangeNotifyPrivilege 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe Token: SeCreateTokenPrivilege 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe Token: SeBackupPrivilege 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe Token: SeRestorePrivilege 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe Token: SeIncreaseQuotaPrivilege 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe Token: SeAssignPrimaryTokenPrivilege 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe Token: SeImpersonatePrivilege 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe Token: SeTcbPrivilege 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe Token: SeChangeNotifyPrivilege 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe Token: SeCreateTokenPrivilege 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe Token: SeBackupPrivilege 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe Token: SeRestorePrivilege 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe Token: SeIncreaseQuotaPrivilege 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe Token: SeAssignPrimaryTokenPrivilege 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe Token: SeImpersonatePrivilege 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe Token: SeTcbPrivilege 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe Token: SeChangeNotifyPrivilege 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe Token: SeCreateTokenPrivilege 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe Token: SeBackupPrivilege 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe Token: SeRestorePrivilege 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe Token: SeIncreaseQuotaPrivilege 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe Token: SeAssignPrimaryTokenPrivilege 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe Token: SeImpersonatePrivilege 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe Token: SeTcbPrivilege 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe Token: SeChangeNotifyPrivilege 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe Token: SeCreateTokenPrivilege 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe Token: SeBackupPrivilege 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe Token: SeRestorePrivilege 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe Token: SeIncreaseQuotaPrivilege 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe Token: SeAssignPrimaryTokenPrivilege 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 4828 wrote to memory of 1688 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe 87 PID 4828 wrote to memory of 1688 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe 87 PID 4828 wrote to memory of 1688 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe 87 PID 4828 wrote to memory of 1372 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe 89 PID 4828 wrote to memory of 1372 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe 89 PID 4828 wrote to memory of 1372 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe 89 PID 1372 wrote to memory of 4716 1372 cmd.exe 91 PID 1372 wrote to memory of 4716 1372 cmd.exe 91 PID 1372 wrote to memory of 4716 1372 cmd.exe 91 PID 1688 wrote to memory of 1656 1688 cmd.exe 92 PID 1688 wrote to memory of 1656 1688 cmd.exe 92 PID 1688 wrote to memory of 1656 1688 cmd.exe 92 PID 4828 wrote to memory of 2820 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe 104 PID 4828 wrote to memory of 2820 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe 104 PID 4828 wrote to memory of 2820 4828 49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe 104 PID 2820 wrote to memory of 4040 2820 cmd.exe 106 PID 2820 wrote to memory of 4040 2820 cmd.exe 106 PID 2820 wrote to memory of 4040 2820 cmd.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe"1⤵
- Drops file in Drivers directory
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4828 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy %WINDIR%\system32\drivers\etc\hosts %WINDIR%\system32\drivers\etc\hosts.sam /Y && at 19:13:00 cmd.exe /c copy %TEMP%\240615109FdOh %WINDIR%\system32\drivers\etc\hosts /Y2⤵
- Drops file in Drivers directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\at.exeat 19:13:00 cmd.exe /c copy C:\Users\Admin\AppData\Local\Temp\240615109FdOh C:\Windows\system32\drivers\etc\hosts /Y3⤵
- System Location Discovery: System Language Discovery
PID:1656
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\windows\CurrentVersion\Run /v 240615406 /t REG_SZ /d "cmd.exe /c copy %TEMP%\240615109FdOh %WINDIR%\system32\drivers\etc\hosts /Y && attrib +H %WINDIR%\system32\drivers\etc\hosts /f2⤵
- Hide Artifacts: Hidden Files and Directories
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1372 -
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\windows\CurrentVersion\Run /v 240615406 /t REG_SZ /d "cmd.exe /c copy C:\Users\Admin\AppData\Local\Temp\240615109FdOh C:\Windows\system32\drivers\etc\hosts /Y && attrib +H C:\Windows\system32\drivers\etc\hosts /f3⤵
- Adds Run key to start application
- Hide Artifacts: Hidden Files and Directories
- System Location Discovery: System Language Discovery
PID:4716
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping -n 10 127.0.0.1 > NUL && del "C:\Users\Admin\AppData\Local\Temp\49881ad5a4e7ff571d1a49b20aa59e98_JaffaCakes118.exe"2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\PING.EXEping -n 10 127.0.0.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4040
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3