Analysis

max time kernel: 140s
max time network: 121s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 31-10-2024 00:04
Static task: static1

Behavioral task: behavioral1
  Sample: 80b9e0e73b53ad5e2378448bddb3597e_JaffaCakes118.exe
  Resource: win7-20240708-en

Behavioral task: behavioral2
  Sample: 80b9e0e73b53ad5e2378448bddb3597e_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General

Target: 80b9e0e73b53ad5e2378448bddb3597e_JaffaCakes118.exe
Size: 278KB
MD5: 80b9e0e73b53ad5e2378448bddb3597e
SHA1: 6d9f5e14e5253f4ac1584fa3777339c05627f6d1
SHA256: 90cafc99b48edae07f55c9bd26d2ba45f28d2dc320454c8660411176e6887bbe
SHA512: 59de6cb3f3447d854bba62bad9160a436252e72645d4a1d1f302e9e0445c7b28e723c771fbc152b2ae6194672954ae09a3eee9e9669b24d729ae0981ab53a236
SSDEEP: 6144:6KhV5ujO/l4iru6suWk80se5n/CTkFGb4MQBv9gVOfaQWuebPBVSAm:HhTujOi+/yk80siiigaNIBcA
Malware Config

Signatures

Modifies security service (2 TTPs, 1 IoC)
  Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" -- 80b9e0e73b53ad5e2378448bddb3597e_JaffaCakes118.exe

Pony family

Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoC)
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  Key created: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Active Setup\Installed Components -- explorer.exe

Disables taskbar notifications via registry modification

Executes dropped EXE (1 IoC)
  PID 2068: 231A.tmp

Loads dropped DLL (2 IoCs)
  PID 2568: 80b9e0e73b53ad5e2378448bddb3597e_JaffaCakes118.exe (2 entries)

Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Unsecured Credentials: Credentials In Files (1 TTP)
  Steal credentials from unsecured files.

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BE0.exe = "C:\\Program Files (x86)\\LP\\2A97\\BE0.exe" -- 80b9e0e73b53ad5e2378448bddb3597e_JaffaCakes118.exe

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Memory regions matching yara rule upx (10 resources)
  behavioral1/memory/2568-2-0x0000000000400000-0x000000000046B000-memory.dmp
  behavioral1/memory/2804-13-0x0000000000400000-0x000000000046B000-memory.dmp
  behavioral1/memory/2804-14-0x0000000000400000-0x000000000046B000-memory.dmp
  behavioral1/memory/2568-15-0x0000000000400000-0x0000000000468000-memory.dmp
  behavioral1/memory/2568-16-0x0000000000400000-0x000000000046B000-memory.dmp
  behavioral1/memory/2588-88-0x0000000000400000-0x000000000046B000-memory.dmp
  behavioral1/memory/2588-87-0x0000000000400000-0x000000000046B000-memory.dmp
  behavioral1/memory/2568-89-0x0000000000400000-0x000000000046B000-memory.dmp
  behavioral1/memory/2568-206-0x0000000000400000-0x000000000046B000-memory.dmp
  behavioral1/memory/2568-209-0x0000000000400000-0x000000000046B000-memory.dmp

Drops file in Program Files directory (3 IoCs)
  File created: C:\Program Files (x86)\LP\2A97\BE0.exe -- 80b9e0e73b53ad5e2378448bddb3597e_JaffaCakes118.exe
  File opened for modification: C:\Program Files (x86)\LP\2A97\231A.tmp -- 80b9e0e73b53ad5e2378448bddb3597e_JaffaCakes118.exe
  File opened for modification: C:\Program Files (x86)\LP\2A97\BE0.exe -- 80b9e0e73b53ad5e2378448bddb3597e_JaffaCakes118.exe
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language -- 80b9e0e73b53ad5e2378448bddb3597e_JaffaCakes118.exe (3 entries)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language -- 231A.tmp
Modifies registry class (5 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings -- explorer.exe
  Key created: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell -- explorer.exe
  Key created: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU -- explorer.exe
  Set value (data): \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots -- explorer.exe
  Set value (data): \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff -- explorer.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  PID 2568: 80b9e0e73b53ad5e2378448bddb3597e_JaffaCakes118.exe (14 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1148: explorer.exe

Suspicious use of AdjustPrivilegeToken (15 IoCs)
  Token: SeRestorePrivilege -- PID 2592 msiexec.exe
  Token: SeTakeOwnershipPrivilege -- PID 2592 msiexec.exe
  Token: SeSecurityPrivilege -- PID 2592 msiexec.exe
  Token: SeShutdownPrivilege -- PID 1148 explorer.exe (12 entries)

Suspicious use of FindShellTrayWindow (28 IoCs)
  PID 1148: explorer.exe (28 entries)

Suspicious use of SendNotifyMessage (18 IoCs)
  PID 1148: explorer.exe (18 entries)

Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2568 wrote to memory of 2804 -- 80b9e0e73b53ad5e2378448bddb3597e_JaffaCakes118.exe, procid_target 31 (4 entries)
  PID 2568 wrote to memory of 2588 -- 80b9e0e73b53ad5e2378448bddb3597e_JaffaCakes118.exe, procid_target 34 (4 entries)
  PID 2568 wrote to memory of 2068 -- 80b9e0e73b53ad5e2378448bddb3597e_JaffaCakes118.exe, procid_target 36 (4 entries)

System policy modification (1 TTP, 2 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -- 80b9e0e73b53ad5e2378448bddb3597e_JaffaCakes118.exe
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" -- 80b9e0e73b53ad5e2378448bddb3597e_JaffaCakes118.exe

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\80b9e0e73b53ad5e2378448bddb3597e_JaffaCakes118.exe (PID 2568)
  Command line: "C:\Users\Admin\AppData\Local\Temp\80b9e0e73b53ad5e2378448bddb3597e_JaffaCakes118.exe"
  - Modifies security service
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification

  C:\Users\Admin\AppData\Local\Temp\80b9e0e73b53ad5e2378448bddb3597e_JaffaCakes118.exe (PID 2804)
    Command line: C:\Users\Admin\AppData\Local\Temp\80b9e0e73b53ad5e2378448bddb3597e_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\78B6D\6212A.exe%C:\Users\Admin\AppData\Roaming\78B6D
    - System Location Discovery: System Language Discovery

  C:\Users\Admin\AppData\Local\Temp\80b9e0e73b53ad5e2378448bddb3597e_JaffaCakes118.exe (PID 2588)
    Command line: C:\Users\Admin\AppData\Local\Temp\80b9e0e73b53ad5e2378448bddb3597e_JaffaCakes118.exe startC:\Program Files (x86)\6DA19\lvvm.exe%C:\Program Files (x86)\6DA19
    - System Location Discovery: System Language Discovery

  C:\Program Files (x86)\LP\2A97\231A.tmp (PID 2068)
    Command line: "C:\Program Files (x86)\LP\2A97\231A.tmp"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

C:\Windows\system32\msiexec.exe (PID 2592)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\explorer.exe (PID 1148)
  Command line: explorer.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)

Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)

Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (3)
    Credentials In Files (3)