Analysis

  • max time kernel
    140s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    18/10/2024, 04:28

General

  • Target

    557b50d7aaa98db833284e4759cada34_JaffaCakes118.exe

  • Size

    279KB

  • MD5

    557b50d7aaa98db833284e4759cada34

  • SHA1

    8ecee1e514e06bfd9ab0c75b166b11f5771db995

  • SHA256

    9af805196cdc23f80b9417a52c4afad51d8035726108a50f4447e4d32a9a626c

  • SHA512

    a41a7b4dc2fb2748ca50239b1f14bb03133dee51a91bc0d0fa531c5720d9515f754c0836f3eca7546a58b1865ba2cfb87e01fca11dc132e3af534cdfb7c5de44

  • SSDEEP

    6144:vnOp4XYk1OJ6IWJrQOfss+OsVSPD7RMZ1BCgryz0:NXYa+62V2s8mZ2yyz0

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Disables taskbar notifications via registry modification
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 22 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\557b50d7aaa98db833284e4759cada34_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\557b50d7aaa98db833284e4759cada34_JaffaCakes118.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2332
    • C:\Users\Admin\AppData\Local\Temp\557b50d7aaa98db833284e4759cada34_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\557b50d7aaa98db833284e4759cada34_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\FD76D\EC9AF.exe%C:\Users\Admin\AppData\Roaming\FD76D
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2140
    • C:\Users\Admin\AppData\Local\Temp\557b50d7aaa98db833284e4759cada34_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\557b50d7aaa98db833284e4759cada34_JaffaCakes118.exe startC:\Program Files (x86)\6DBA6\lvvm.exe%C:\Program Files (x86)\6DBA6
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1700
    • C:\Program Files (x86)\LP\AF0F\4569.tmp
      "C:\Program Files (x86)\LP\AF0F\4569.tmp"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2260
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2448
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2008

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\FD76D\DBA6.D76

    Filesize

    1KB

    MD5

    453dfefda243bbcd4da1d31c0caac238

    SHA1

    06c9240db4d6ff647aea4c927c19bae8acfb81b8

    SHA256

    bf88e2a6ddfa8eb86f06d9c79261a62817236d6ea879a580d8b6e484e8d73860

    SHA512

    d824de2e3316d61c43b33bb28f998eff9c6e7e07a30f435b11c6876cbd28969dbc1faa13649e8a848d33d34b53e02735ec8b9156b03241d3bb9e58e3538b9fa3

  • C:\Users\Admin\AppData\Roaming\FD76D\DBA6.D76

    Filesize

    600B

    MD5

    488eb132082c5fff5d12e046a2e37a7a

    SHA1

    06f1b03afd3bd85035b928b14519486ba3e57423

    SHA256

    3a0a307026ec9d36ed981cae7ae2688cc7fd943c89de3626fe35b1c00f240470

    SHA512

    ad89d35835af73b03eea2bf5f9fe1b920f979ca1c76852f2b3420efa99876ed2b04a9064a140a286c1d434bd4c6cbc24f7e416c466a60eff63e9585472b724f0

  • C:\Users\Admin\AppData\Roaming\FD76D\DBA6.D76

    Filesize

    996B

    MD5

    fee640cd84010981008e53a011d2983b

    SHA1

    c6a23b190756630a2c3a23c808e320a6f5274d21

    SHA256

    9c438db77f26c1fbbe9a0f07f8a8f1a857a522991cadf92eec209f871c039f38

    SHA512

    042b3b61ac3a6be8d15b927d24eb10685a1cfb728fee46969a95eaf8fad6b5941a7801b82033438ca12de72a53508f06b1ed41c017ad2145a04e99624c3959f1

  • \Program Files (x86)\LP\AF0F\4569.tmp

    Filesize

    100KB

    MD5

    712b790234a6b80a3dc179d07b4c631d

    SHA1

    a64060d004591899343721e4e10a62805b848954

    SHA256

    344dd99a3ae192c9f7d5fbaa1774ea1346aa1f7a71b86e06362cb7cc75184d81

    SHA512

    847c3a679622bad14e57e3c093f3396282fb68883caaadc51f28ab54f49b0b233d5f3d2e852f87f17b8bbca8fed43378a8c03ab97f1c095defa9ade3b9b40cb8

  • memory/1700-88-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

  • memory/1700-87-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

  • memory/2140-13-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

  • memory/2140-16-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

  • memory/2140-17-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

  • memory/2260-196-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

  • memory/2332-85-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

  • memory/2332-1-0x0000000000400000-0x0000000000468000-memory.dmp

    Filesize

    416KB

  • memory/2332-14-0x0000000000400000-0x0000000000468000-memory.dmp

    Filesize

    416KB

  • memory/2332-11-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

  • memory/2332-2-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

  • memory/2332-195-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

  • memory/2332-199-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB