Analysis Overview
SHA256
ae34558e24fe7287afaac8b8238d0d38bb66fc5bfb99e6395564bb0d27ab87ee
Threat Level: Known bad
The file 762135b8c14114d19c0806017043ba6d_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Pony family
Pony,Fareit
Checks computer location settings
Unsecured Credentials: Credentials In Files
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Checks installed software on the system
UPX packed file
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 21:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 21:56
Reported
2024-10-27 21:59
Platform
win7-20240903-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Pony family
Pony,Fareit
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Checks installed software on the system
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\762135b8c14114d19c0806017043ba6d_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Processes
C:\Users\Admin\AppData\Local\Temp\762135b8c14114d19c0806017043ba6d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\762135b8c14114d19c0806017043ba6d_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | hilopa.in | udp |
| US | 8.8.8.8:53 | xisely.in | udp |
Files
memory/1960-0-0x0000000000400000-0x0000000000425000-memory.dmp
memory/1960-2-0x0000000000400000-0x0000000000425000-memory.dmp
memory/1960-1-0x0000000000404000-0x0000000000405000-memory.dmp
memory/1960-3-0x0000000000400000-0x0000000000425000-memory.dmp
memory/1960-4-0x0000000000400000-0x0000000000425000-memory.dmp
memory/1960-5-0x0000000000400000-0x0000000000425000-memory.dmp
memory/1960-6-0x0000000000404000-0x0000000000405000-memory.dmp
memory/1960-7-0x0000000000400000-0x0000000000425000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-27 21:56
Reported
2024-10-27 21:58
Platform
win10v2004-20241007-en
Max time kernel
133s
Max time network
137s
Command Line
Signatures
Pony family
Pony,Fareit
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\762135b8c14114d19c0806017043ba6d_JaffaCakes118.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Checks installed software on the system
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\762135b8c14114d19c0806017043ba6d_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1304 wrote to memory of 2620 | N/A | C:\Users\Admin\AppData\Local\Temp\762135b8c14114d19c0806017043ba6d_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1304 wrote to memory of 2620 | N/A | C:\Users\Admin\AppData\Local\Temp\762135b8c14114d19c0806017043ba6d_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1304 wrote to memory of 2620 | N/A | C:\Users\Admin\AppData\Local\Temp\762135b8c14114d19c0806017043ba6d_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\762135b8c14114d19c0806017043ba6d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\762135b8c14114d19c0806017043ba6d_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oid.bat" "C:\Users\Admin\AppData\Local\Temp\762135b8c14114d19c0806017043ba6d_JaffaCakes118.exe" "
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | hilopa.in | udp |
| US | 8.8.8.8:53 | 70.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hilopa.in | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hilopa.in | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hilopa.in | udp |
| US | 8.8.8.8:53 | hilopa.in | udp |
| US | 8.8.8.8:53 | hilopa.in | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hilopa.in | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hilopa.in | udp |
| US | 8.8.8.8:53 | hilopa.in | udp |
| US | 8.8.8.8:53 | hilopa.in | udp |
| US | 8.8.8.8:53 | hilopa.in | udp |
| US | 8.8.8.8:53 | xisely.in | udp |
| US | 8.8.8.8:53 | xisely.in | udp |
| US | 8.8.8.8:53 | xisely.in | udp |
| US | 8.8.8.8:53 | xisely.in | udp |
| US | 8.8.8.8:53 | xisely.in | udp |
| US | 8.8.8.8:53 | xisely.in | udp |
| US | 8.8.8.8:53 | xisely.in | udp |
| US | 8.8.8.8:53 | xisely.in | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xisely.in | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xisely.in | udp |
| US | 8.8.8.8:53 | xisely.in | udp |
Files
memory/1304-0-0x0000000000400000-0x0000000000425000-memory.dmp
memory/1304-1-0x0000000000404000-0x0000000000405000-memory.dmp
memory/1304-2-0x0000000000400000-0x0000000000425000-memory.dmp
memory/1304-3-0x0000000000400000-0x0000000000425000-memory.dmp
memory/1304-4-0x0000000000400000-0x0000000000425000-memory.dmp
memory/1304-5-0x0000000000400000-0x0000000000425000-memory.dmp
memory/1304-6-0x0000000000404000-0x0000000000405000-memory.dmp
memory/1304-20-0x0000000000400000-0x0000000000425000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\oid.bat
| Hash | Value |
| --- | --- |
| MD5 | e6b031b9b7d40fa332ebc6f38b2f9f64 |
| SHA1 | d6dbffcfcc6a26188fd8d2e5b6257af4821fb48f |
| SHA256 | 66a04ff993916bce61351e4c3b94ea079c806efb1723c7cd79bd32aaf6847e0b |
| SHA512 | 7d17655334fcda4c3326110d340fd91cd23ee284dec99c3a8bbc8408342fda5f51e27aaba75fba4cccd513c342c22f07ad2cf6e2326ba575e3cc0eba4ea91948 |