Analysis

  • max time kernel
    141s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240903-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    30-10-2024 16:12

General

  • Target

    7fe37ca79af689731127cbd7670c4cb7_JaffaCakes118.exe

  • Size

    273KB

  • MD5

    7fe37ca79af689731127cbd7670c4cb7

  • SHA1

    4916db95e4019325d635e14fb85d4489728855aa

  • SHA256

    7e78ff1cd26848189be0f309baf1cabf74bd918a9f5294827c9ee4683a8861a2

  • SHA512

    4b33c0928ea416bebcdd67586eddda701cd8367002f4280862b76a9d7b8f2bdddcd0c09efae8de82eef256bd27d766fd39b1ac55ce09232548d8084abf00fe45

  • SSDEEP

    6144:7sIgppccOO0D7yECY2kchY8FG4MbXaE2umPd9Tiy:7sIgppccOL7dCYMhv9eDm7iy

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
  • Pony family
  • Pony, Fareit

    Pony (also tracked as Fareit) is a credential-stealing trojan rather than a remote-access tool: it harvests saved passwords from browsers, FTP and e-mail clients and other applications, exfiltrates them over HTTP, and is routinely used as a downloader for further payloads.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Disables taskbar notifications via registry modification
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files of FTP clients such as FileZilla, which store saved server logins.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Adversaries may search local files for insecurely stored credentials.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • UPX packed file 7 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX build.

  • Drops file in Program Files directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 22 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
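An added example, not part of this report and not the sandbox's own signature logic: an offline check for the two autostart mechanisms flagged above, Active Setup (a StubPath value under Installed Components\{GUID}) and the CurrentVersion\Run key. It parses "reg export" text so it can be run against an exported hive rather than a live machine. The embedded .reg excerpt is constructed: the GUIDs and the "lvvm" value name are placeholders, and the report does not state which key points at which dropped file; only the target paths are taken from the process tree.

```python
import re

# Constructed "reg export" excerpt (not from the report). The GUIDs and the Run value
# name "lvvm" are placeholders; the stub and Run targets reuse paths that appear in the
# report's process tree. The first component is a benign-looking entry for contrast.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}]
"StubPath"="regsvr32.exe /s /n /i:U shell32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000002}]
"StubPath"="\"C:\\Program Files (x86)\\LP\\DCB6\\644F.tmp\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"lvvm"="\"C:\\Program Files (x86)\\E2F41\\lvvm.exe\""
"""

ACTIVE_SETUP = re.compile(r"\\Microsoft\\Active Setup\\Installed Components\\\{[0-9A-Fa-f-]+\}$", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?$", re.I)
# Targets shaped like this sample's drop locations: a five-hex-digit directory directly
# under AppData\Roaming or Program Files (x86), or a .tmp file launched as a program.
SUSPICIOUS_TARGET = re.compile(
    r"\\AppData\\Roaming\\[0-9A-F]{5}\\|\\Program Files(?: \(x86\))?\\[0-9A-F]{5}\\|\.tmp\b", re.I)


def _unescape(s: str) -> str:
    # .reg string escapes: \\ for a backslash, \" for a literal quote
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg(text: str) -> dict:
    """Parse a .reg export into {key_path: {value_name: data}} (string values only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$', line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def find_persistence(reg_text: str) -> list:
    """Return (mechanism, key\\value, command) for autostart entries with suspicious targets."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        if ACTIVE_SETUP.search(key):
            stub = values.get("StubPath")
            if stub and SUSPICIOUS_TARGET.search(stub):
                findings.append(("ActiveSetup", key + "\\StubPath", stub))
        elif RUN_KEY.search(key):
            for name, cmd in values.items():
                if SUSPICIOUS_TARGET.search(cmd):
                    findings.append(("Run", key + "\\" + name, cmd))
    return findings


if __name__ == "__main__":
    for mech, where, cmd in find_persistence(SAMPLE_REG):
        print(f"{mech:12s} {where}\n             -> {cmd}")
```

Active Setup stubs run once per user at logon, so on a shared host the entry fires for every account that has not yet recorded the component under HKCU; check HKLM for the StubPath and compare against HKCU\Software\Microsoft\Active Setup\Installed Components to see which users have already executed it.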

Processes

  • C:\Users\Admin\AppData\Local\Temp\7fe37ca79af689731127cbd7670c4cb7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7fe37ca79af689731127cbd7670c4cb7_JaffaCakes118.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1484
    • C:\Users\Admin\AppData\Local\Temp\7fe37ca79af689731127cbd7670c4cb7_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\7fe37ca79af689731127cbd7670c4cb7_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\6C9E2\1F0DC.exe%C:\Users\Admin\AppData\Roaming\6C9E2
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2924
    • C:\Users\Admin\AppData\Local\Temp\7fe37ca79af689731127cbd7670c4cb7_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\7fe37ca79af689731127cbd7670c4cb7_JaffaCakes118.exe startC:\Program Files (x86)\E2F41\lvvm.exe%C:\Program Files (x86)\E2F41
      2⤵
      • System Location Discovery: System Language Discovery
      PID:560
    • C:\Program Files (x86)\LP\DCB6\644F.tmp
      "C:\Program Files (x86)\LP\DCB6\644F.tmp"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1652
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1808
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1720
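An added example, not part of the report: detection logic for the process tree above, run over constructed Sysmon-style process-creation events. The two child launches pass a single argument of the form start<exe>%<dir> with no separator, naming a five-hex-digit directory under AppData\Roaming or Program Files (x86), and the dropped file runs with a .tmp extension. The PIDs, images and command lines of 1484, 2924, 560 and 1652 are copied from the tree; the parent of 1484 is not given in the report and is left empty, and PID 3001 is a benign control event.

```python
import re

# Constructed Sysmon-style process-creation events. Fields for 1484, 2924, 560 and 1652
# come from the report's process tree; the parent of 1484 is unknown and left empty.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\7fe37ca79af689731127cbd7670c4cb7_JaffaCakes118.exe"
EVENTS = [
    {"pid": 1484, "image": SAMPLE, "parent_image": "", "cmdline": f'"{SAMPLE}"'},
    {"pid": 2924, "image": SAMPLE, "parent_image": SAMPLE,
     "cmdline": SAMPLE + r" startC:\Users\Admin\AppData\Roaming\6C9E2\1F0DC.exe%C:\Users\Admin\AppData\Roaming\6C9E2"},
    {"pid": 560, "image": SAMPLE, "parent_image": SAMPLE,
     "cmdline": SAMPLE + r" startC:\Program Files (x86)\E2F41\lvvm.exe%C:\Program Files (x86)\E2F41"},
    {"pid": 1652, "image": r"C:\Program Files (x86)\LP\DCB6\644F.tmp", "parent_image": SAMPLE,
     "cmdline": r'"C:\Program Files (x86)\LP\DCB6\644F.tmp"'},
    # benign control event (constructed)
    {"pid": 3001, "image": r"C:\Windows\System32\notepad.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\notepad.exe" C:\Users\Admin\notes.txt'},
]

# "start" glued directly to an absolute .exe path, then "%" and an absolute directory.
# "cmd /c start C:\..." has a space after "start" and does not match.
START_ARG = re.compile(r"\sstart([A-Za-z]:\\[^%]+\.exe)%([A-Za-z]:\\\S.*)$", re.I)
# Five hex digits as a directory name directly under AppData\Roaming or Program Files (x86)
HEX_DIR = re.compile(r"\\(?:AppData\\Roaming|Program Files(?: \(x86\))?)\\[0-9A-F]{5}\\", re.I)


def classify(ev: dict) -> list:
    """Return the names of the rules an event trips (empty list if none)."""
    hits = []
    m = START_ARG.search(ev["cmdline"])
    if m:
        hits.append("start-path%dir argument")
        if HEX_DIR.search(m.group(1)):
            hits.append("drop path in 5-hex-digit dir")
    if ev["parent_image"] and ev["image"].lower() == ev["parent_image"].lower():
        hits.append("self-relaunch")
    if ev["image"].lower().endswith(".tmp"):
        hits.append("executes .tmp as program")
    if HEX_DIR.search(ev["image"]):
        hits.append("image in 5-hex-digit dir")
    return hits


def scan(events) -> dict:
    """Map pid -> tripped rules for every event that tripped at least one."""
    return {ev["pid"]: hits for ev in events if (hits := classify(ev))}


if __name__ == "__main__":
    for pid, hits in scan(EVENTS).items():
        print(pid, ", ".join(hits))
```

The two argument-based rules are the high-confidence ones; the self-relaunch and .tmp rules fire on their own for some installers and updaters, so treat them as context that raises the score of a start<exe>%<dir> hit rather than as stand-alone alerts.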

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\6C9E2\2F41.C9E

    Filesize

    1KB

    MD5

    10d1fbcb9ced40ac231fcdfb833f7a23

    SHA1

    329f03bfa203cfca290dac5543af6ca6e070a0e7

    SHA256

    a28eb8c9ffeaf5b226050b11b0b3c08d7eca7504d8467b94b769343c20926eca

    SHA512

    8f360950cfc047bd2a70187e9977a9c25c57711665ab234b1f0d203d80d6cce00454597bc2726f56d24c13ab219a59bb22782350988582c5047700c69afbce44

  • C:\Users\Admin\AppData\Roaming\6C9E2\2F41.C9E

    Filesize

    597B

    MD5

    f8630ee7c241faf42a13e268a7245b6a

    SHA1

    d82c8110ecce20f4fe3b85fe32f7782c1dea907f

    SHA256

    7e9fccc77f8b51a6e6526adc8a098f1be51792afa885dd4fdacd6050e9f7ce91

    SHA512

    55767262edc3369dfe2005e8b7475fb492cdc6edbf3481c264934b061c24ffedabadd0546c1ba8b90f6ec99e298af1e56458b4df942212083b7c64bd340fc347

  • C:\Users\Admin\AppData\Roaming\6C9E2\2F41.C9E

    Filesize

    1KB

    MD5

    df45b1e65e37a2eba2d929d4600fbf09

    SHA1

    46c402f49eb94ecefe50c6faaf3de33afee9ea96

    SHA256

    490becf89fcdc0a1d6335f25762bba8869482d1f4ef0da0275c4955239b6e771

    SHA512

    c9c5bdd5fa726521e7e54b764a274495622ec505ce9227b63449ce5b463f659b7dd0de75030f41fc2b967de7cd53c88225a7f04c9476826268e67759d0fa9fae

  • C:\Users\Admin\AppData\Roaming\6C9E2\2F41.C9E

    Filesize

    897B

    MD5

    9a1fcbb4f11c6c083efd60d2351c230d

    SHA1

    a38412dfcdf5d1f422874b88fbad7e8b1692ff86

    SHA256

    3ee66f2b2d316a04c5aad6fbc3e218b5200553a94b9317828291b5266ed6e9c2

    SHA512

    ade0cf52ad2ceec92a09400a63b72cbd69913b49e9ece91d17088c034c800692a7c0511b8f602f12c39430608630a8144d20fca1c7d5ae59d9dea961c7ba825b

  • C:\Users\Admin\AppData\Roaming\6C9E2\2F41.C9E

    Filesize

    297B

    MD5

    f35de969e48aeafe599485c0bb8a77f8

    SHA1

    a13e667d2f138998fd8d84cd3b38584dfbe0f679

    SHA256

    0e022b233d7359815c17c203beb3395c10e7332f5d47ccc50b239a8df8da7390

    SHA512

    429d040fa55156fd62072d7d3c33b2126f2532e37e31502033206488a78a73ed6994f847791b8896f9d1d3a48d717d0ab3ec469c081bacac588e7c3dea93b044

  • \Program Files (x86)\LP\DCB6\644F.tmp

    Filesize

    97KB

    MD5

    88167b80eb5df8512db2e384f8f0adf0

    SHA1

    e78f98a0442ea878bcec0e82bf13e9d03aba57cc

    SHA256

    ec9ff72c0e6b417228eaf24793c959ad8e72a5bac7cf8be1ec36caac71617abe

    SHA512

    c7fcd0c54a1d39559e0d97fedbbdaa3ebf8c0c6f805a0828ce4f7c7f09e7ab6c4df202bedb50ff191b8ada0f4f96a49476c6f4d88d5e843f6f0ded1ae72f1594

  • memory/560-163-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/1484-58-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/1484-161-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/1484-329-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/1484-0-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/1484-345-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/1484-349-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/1652-347-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2924-60-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB
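An added example tying the "UPX packed file" signature to the memory dumps listed above; it is not code from the report or the sandbox. The file on disk is 273KB while every dump of the main module spans 0x400000 to 0x46A000 (424KB), which is consistent with a packer unpacking into a section it reserved for itself. The parser below walks the PE section table and flags stock UPX section names, and, for modified UPX builds that rename sections, the UPX layout itself: a first section with a VirtualSize but no raw data, followed by a high-entropy section carrying the compressed image. The PE images it runs on are constructed in memory for the demonstration, not read from the sample.

```python
import hashlib
import math
import struct


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: compressed or encrypted data sits near 8.0, plain x86 code around 5 to 6."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes) -> list:
    """Walk the COFF section table; returns [(name, VirtualSize, SizeOfRawData, entropy of raw data)]."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    nsections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size                           # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(nsections):
        name, vsize, _va, rsize, rptr = struct.unpack_from("<8sIIII", image, table + i * 40)
        raw = image[rptr:rptr + rsize] if rsize else b""
        sections.append((name.rstrip(b"\0").decode("latin-1"), vsize, rsize, shannon_entropy(raw)))
    return sections


def upx_verdict(image: bytes) -> dict:
    secs = pe_sections(image)
    names = [s[0] for s in secs]
    stock = any(n.upper().startswith("UPX") for n in names)
    # Modified UPX: names changed, layout intact. UPX reserves the first section for the
    # unpacked image (VirtualSize large, SizeOfRawData zero) and stores the compressed
    # image in the second, which is near-random.
    layout = (len(secs) >= 2 and secs[0][2] == 0 and secs[0][1] > 0
              and secs[1][2] > 0 and secs[1][3] > 7.0)
    return {"sections": names, "stock_upx_names": stock, "upx_layout": layout,
            "likely_packed": stock or layout}


def build_sample_pe(names, packed: bool) -> bytes:
    """Constructed minimal PE32 image for the demo (valid only as far as the parser reads)."""
    blob, seed = b"", b"constructed-sample"
    while len(blob) < 4096:                                # deterministic near-random bytes
        seed = hashlib.sha256(seed).digest()
        blob += seed
    filler = b"\x90" * 4096                                # low-entropy stand-in for plain code
    if packed:
        payloads, vsizes = [b"", blob, bytes(0x200)], [0x20000, len(blob), 0x200]
    else:
        payloads, vsizes = [filler, filler, bytes(0x200)], [len(filler), len(filler), 0x200]
    opt_size = 224                                         # PE32 optional header size
    headers_len = 0x40 + 4 + 20 + opt_size + 40 * len(names)
    raw_ptr = (headers_len + 0x1FF) & ~0x1FF               # FileAlignment 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, opt_size, 0x102)
    table, body, ptr = b"", b"", raw_ptr
    for name, vsize, data in zip(names, vsizes, payloads):
        table += struct.pack("<8sIIII", name.encode().ljust(8, b"\0"), vsize, 0x1000,
                             len(data), ptr if data else 0) + bytes(16)
        body += data
        ptr += len(data)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + table
    return image + bytes(raw_ptr - len(image)) + body


if __name__ == "__main__":
    for label, names, packed in [("stock UPX", ["UPX0", "UPX1", ".rsrc"], True),
                                 ("renamed UPX", [".text", ".data", ".rsrc"], True),
                                 ("unpacked", [".text", ".data", ".rsrc"], False)]:
        print(label, upx_verdict(build_sample_pe(names, packed)))
```

The layout check is a heuristic: any packer that reserves an empty section and stores a compressed blob in the next one will trip it, and the opposite mistake (a modified UPX that also pads the first section with data) will not. Confirm with "upx -t" on a copy inside the sandbox; a stock build tests clean and "upx -d" restores it, while a modified build typically makes upx refuse, which is itself a useful signal.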