Analysis
-
max time kernel
140s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
24-10-2024 06:28
General
-
Target
72af77c56d3b97a9b7a20d64f2eccbdb_JaffaCakes118.exe
-
Size
270KB
-
MD5
72af77c56d3b97a9b7a20d64f2eccbdb
-
SHA1
d9728f6cb916b80d5025c97e1962f2702cfd85b0
-
SHA256
cbe4304b53299ee4a4efde997098002b12eecd8561f9f185bc79a38c0cb07f5f
-
SHA512
486782d515c20e510ff55ec7682af9f168153a175b20594f3acd3e0cd78c262c95d56868987f531c05cd9e6a3a791df4013b44a14b32446f806e03eebddee63e
-
SSDEEP
6144:aMj3EykWU+WNLtZa2XNQCZ3x2jRDXe6qzif0froq:5jUyw+u7a2XpB2dTVqziao
Malware Config
Signatures
-
Modifies security service 2 TTPs 1 IoCs
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Disables taskbar notifications via registry modification
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
UPX packed file 11 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of FindShellTrayWindow 28 IoCs
-
Suspicious use of SendNotifyMessage 17 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\72af77c56d3b97a9b7a20d64f2eccbdb_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\72af77c56d3b97a9b7a20d64f2eccbdb_JaffaCakes118.exe"1⤵
- Modifies security service
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\72af77c56d3b97a9b7a20d64f2eccbdb_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\72af77c56d3b97a9b7a20d64f2eccbdb_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\26BB4\1F41D.exe%C:\Users\Admin\AppData\Roaming\26BB42⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\72af77c56d3b97a9b7a20d64f2eccbdb_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\72af77c56d3b97a9b7a20d64f2eccbdb_JaffaCakes118.exe startC:\Program Files (x86)\B4132\lvvm.exe%C:\Program Files (x86)\B41322⤵
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\LP\1DB2\57D.tmp"C:\Program Files (x86)\LP\1DB2\57D.tmp"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD577ffa84be9ee91fa3b9fb2a55b0e53ba
SHA1b30bf329c98b3e59acc5a4714f7fafdb301980fb
SHA256722469ec60533b24de9056fa7eb8768bfd26cab49d191aee89dabf2582fb8f6a
SHA5124579e79cfcff9489f80974fab9103137a00ce20620e96161f046ff850ce5e9eaca95b672d6d34f85998aeff9f1eb98dee2d5d326d768afef604138203758f339
-
Filesize
600B
MD57c1b101a10e4b9d12ee9fef103357e7f
SHA1e3a0e8248a83d403ad5857a1374a964c5e2707ca
SHA25606f09b85b1caba8d91cc52d5557e9acc351c074c25f58a68b5eea5b0107caf3e
SHA5129961c37b975dcce75ef636112f1ad89ae2ce57f14fd81a888d51437be02df260e79c45d518613db86c05cce0c0d9dd64e9b7adddebe916b66a14ca2b68d9dcb7
-
Filesize
996B
MD569b2c8d51cf774a407cf97063f75db08
SHA1ce92047d7bb68dddcfc715698c86a8bfd53dc9c8
SHA2561432ebbf7920d423b23bef23f41ff41b218a2c7e9916acd06c17e4bf9db1a7f0
SHA5125e43b4c8ea57f5451c98fcef9c1e760016ae09ca22dc320874aed840625c0c83c3b56289db76af606ef86ef4035cfefe56f6c949960e02081ed56a2833489780
-
Filesize
96KB
MD52b1fb0d9666b92e0cce43e75dcb92c59
SHA17b239a3858b6ea3d1a0813280bbdddc2072a7938
SHA256d6b7b1532090214fc5a7d7346ba844635a6b581c760ac045c9a712fdf06cd66b
SHA512927fd2105b63387c0c16ca3b608e3a9a120d5ba8605fc0556535b580536d0d33acd3b0c914d157af57974438d4b06d0945cfdcd92859de24bbd3348186b99087
-
Filesize
108KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB