General

  • Target

    8d823732d7c08e9d006ad28dcfcd9853_JaffaCakes118

  • Size

    1.9MB

  • Sample

    241103-zxldhatmc1

  • MD5

    8d823732d7c08e9d006ad28dcfcd9853

  • SHA1

    50bd2a3e3d9cb967c8aa9fd72bb0a2626d350da3

  • SHA256

    645397aa16ec0291f74945cc4d4a535d7a8b26b1ac11629be76a91f50124c658

  • SHA512

    9be430e058188fd78d2134eb002f55c8206f1b16edd9f9d27f1cdcf18a1c840202ddfabd7cfa6012c64467f426db58d5ba76f961844f09859cbade5dc72aada3

  • SSDEEP

    49152:6yH9zPqoEUP/QsGDFxUGXET3pb2uQUr3ZAK6SQKS:RHZhgFxUfT3gu3r3ZAn

Malware Config

Targets

    • Target

      8d823732d7c08e9d006ad28dcfcd9853_JaffaCakes118

    • Size

      1.9MB

    • MD5

      8d823732d7c08e9d006ad28dcfcd9853

    • SHA1

      50bd2a3e3d9cb967c8aa9fd72bb0a2626d350da3

    • SHA256

      645397aa16ec0291f74945cc4d4a535d7a8b26b1ac11629be76a91f50124c658

    • SHA512

      9be430e058188fd78d2134eb002f55c8206f1b16edd9f9d27f1cdcf18a1c840202ddfabd7cfa6012c64467f426db58d5ba76f961844f09859cbade5dc72aada3

    • SSDEEP

      49152:6yH9zPqoEUP/QsGDFxUGXET3pb2uQUr3ZAK6SQKS:RHZhgFxUfT3gu3r3ZAn

    • Modifies security service

    • Pony family

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Disables taskbar notifications via registry modification

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops file in System32 directory

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks