Overview

overview

10

Static

static

3

892fcf8f38...18.exe

windows7-x64

10

892fcf8f38...18.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    140s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    03-11-2024 02:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    892fcf8f389201c5fdc5160b5890ef06_JaffaCakes118.exe

  • Size

    265KB

  • MD5

    892fcf8f389201c5fdc5160b5890ef06

  • SHA1

    55f9ee83bc8303e2846f84894caf47db0debf4af

  • SHA256

    6628116f31ea0cd6550b8e958d59f381ec4b11bb02a80f581dbe8245a8e692d9

  • SHA512

    b521d0d011219c537411ee2ce184ed6208afed336e0fa928ff79680b57479adcb083b9881604fa130552f2cdc0958f7ae422c14f646084e7a76812403e6ca78e

  • SSDEEP

    6144:DjlEr6enAu/9YPcu3EOsvlOhXiYkFkaoMoV0PYDcWkCWQ71vXcQS:DFenl/9YN3EPOpiYQk4XCVWw1Pc

Score
10/10
ponycredential_accessdiscoveryevasionpersistenceratspywarestealerupx

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Pony family
    pony
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Disables taskbar notifications via registry modification
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 22 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\892fcf8f389201c5fdc5160b5890ef06_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\892fcf8f389201c5fdc5160b5890ef06_JaffaCakes118.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1304
    • C:\Users\Admin\AppData\Local\Temp\892fcf8f389201c5fdc5160b5890ef06_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\892fcf8f389201c5fdc5160b5890ef06_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\813E8\FBEB6.exe%C:\Users\Admin\AppData\Roaming\813E8
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1644
    • C:\Users\Admin\AppData\Local\Temp\892fcf8f389201c5fdc5160b5890ef06_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\892fcf8f389201c5fdc5160b5890ef06_JaffaCakes118.exe startC:\Program Files (x86)\E84D2\lvvm.exe%C:\Program Files (x86)\E84D2
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1588
    • C:\Program Files (x86)\LP\B668\368B.tmp
      "C:\Program Files (x86)\LP\B668\368B.tmp"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2376
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:576
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Modify Registry

4
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Query Registry

2
T1012

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\813E8\84D2.13E
    Filesize

    300B

    MD5

    9ef1f1aaa733a5c0bae75315a5b4a493

    SHA1

    6680a89698d9d60787e28dbe6179d3bbf682e5c5

    SHA256

    e9c4da9cbc1ffb7f3b2d9afb0effba6c695b298c5a09187e1eb0b8970c91b59b

    SHA512

    180cb6f1d1941f3401b5f1225651326c738c1f452b549c3f98378a926d01b528441e73605314a4fa2d0b4263b3cf20600c99ab3b14d4cff4df60c2ccdc74a970

    Download Submit

  • C:\Users\Admin\AppData\Roaming\813E8\84D2.13E
    Filesize

    996B

    MD5

    55cfe13d87e61bdbac3b5445a3827db3

    SHA1

    7574c375eba10a99fb060259d02c599f29ad9dc6

    SHA256

    23161fe3e700ea217ffb0f9669c5319e6be05fec2ac16f6f53ed85209ddc88e4

    SHA512

    f6b1e40a76963e2d0f0698d994c11b7aa18b9b914b44685dc3abf84d49a0e4420f5530a530d927be99c66d1ce77c95b6dd4d2e93c6789a63329b008bc1f23f31

    Download Submit

  • C:\Users\Admin\AppData\Roaming\813E8\84D2.13E
    Filesize

    600B

    MD5

    70fe26fdbcdd89fe8e023025f94b79ae

    SHA1

    75efff95f977b13b88bcf290719c87b7190ec1c8

    SHA256

    b81e406185c14fa919daaa3d3853132f9c3d7e802ad0d7e29284c2ff8521226a

    SHA512

    882e911328f05e078321a4be2922e490ac3fc016d7716e2c1b7257c076a7f721ab02d5be95fb7f874047e5036d0c124e292510e8b143a94f176938e3eb8417d1

    Download Submit

  • C:\Users\Admin\AppData\Roaming\813E8\84D2.13E
    Filesize

    1KB

    MD5

    c36115c28bd100d817901f9f1744e3d5

    SHA1

    b71c08e93462b11baed7bc47d4c0d9513fc66c94

    SHA256

    3d8d9c5dac72605ae8fa232d4a9b60bb34a45ec6a761e7de1ce0049da9cd1eaa

    SHA512

    7d2771f9830e7a5b66b22109aefdda6888a070250948c75b7e6d5fc57dfa8c19226048aceca80dceb3ae1e722eeb94e4a0e21a34e742979026db1b35525d37f3

    Download Submit

  • \Program Files (x86)\LP\B668\368B.tmp
    Filesize

    96KB

    MD5

    527f2c593a00e7b581780ff5d476c10b

    SHA1

    7ec63f793da8694a84dd8b79f5816eb5066c7b8c

    SHA256

    8373bf5cfd979ce99a6639dbc0a672cfedc20415918ac9133a9cbca695725474

    SHA512

    c0ca9e2dbdc643e33e7f35e278ef972e5486b36284b8d75925490250fc1f66e8871401e643677ae54c2fd229730d6196ab70ee975045512279f7b33f48609b02

    Download Submit

  • memory/1304-13-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/1304-16-0x0000000000400000-0x0000000000468000-memory.dmp

    Filesize

    416KB

    Download

  • memory/1304-115-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/1304-0-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/1304-3-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/1304-2-0x0000000000400000-0x0000000000468000-memory.dmp

    Filesize

    416KB

    Download

  • memory/1304-313-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/1304-317-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/1588-117-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/1644-18-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/1644-15-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/1644-17-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/2376-314-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download