Analysis
max time kernel: 132s
max time network: 142s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 26-11-2024 14:33
Static task: static1
Behavioral task: behavioral1
  Sample: a274d9390c73e94368ab71ca4f71a30f_JaffaCakes118.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: a274d9390c73e94368ab71ca4f71a30f_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: a274d9390c73e94368ab71ca4f71a30f_JaffaCakes118.exe
Size: 142KB
MD5: a274d9390c73e94368ab71ca4f71a30f
SHA1: c7cf1c82d8015fc4e076c6d0c7bd5c481d835330
SHA256: 977cd126d9bcb07446965bedcbfcb4f4f77db784d7da680331d6737aa27ff092
SHA512: bf84648b9b4dc1e9fbea927153130e5bc266bd3ec85e405fd5ac2b72d095ab4c5a0d2b144235b20f3e500006d8d7b4adbc4b9129db50dd980ab4ee044d527062
SSDEEP: 3072:545DeCfjHvFRPW0rnRP3r2dIYBIkFem8RyON:58TFRPW0UIHkF58
Malware Config
Extracted: pony
  http://carmine.warsheet.com:8080/forum/viewtopic.php
  http://deswarlist.warsheet.com:8080/forum/viewtopic.php
  http://easymailonline.com:8080/forum/viewtopic.php
  http://holmesent.com:8080/forum/viewtopic.php
payload_url:
  http://pm.analytixsolutions.com/EYhWBb.exe
  http://www.room-mategift.com/iuahp.exe
  http://greenstationradio.com/oDgYxp.exe
  http://84.1.156.73/nXrQgdV.exe
  http://ez.ttgdevsite.com/2Ujt8j.exe
  http://mayintansang.com/Ne69A0.exe
  http://limon.basis5.com/xMJrJ.exe
Signatures
Pony family
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Unsecured Credentials: Credentials In Files (1 TTPs)
Steals credentials from unsecured files.
Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
  Process: a274d9390c73e94368ab71ca4f71a30f_JaffaCakes118.exe
Accesses Microsoft Outlook profiles (1 TTPs, 1 IoCs)
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  Process: a274d9390c73e94368ab71ca4f71a30f_JaffaCakes118.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: a274d9390c73e94368ab71ca4f71a30f_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken (8 IoCs)
  description                            pid   Process
  Token: SeImpersonatePrivilege          2340  a274d9390c73e94368ab71ca4f71a30f_JaffaCakes118.exe
  Token: SeTcbPrivilege                  2340  a274d9390c73e94368ab71ca4f71a30f_JaffaCakes118.exe
  Token: SeChangeNotifyPrivilege         2340  a274d9390c73e94368ab71ca4f71a30f_JaffaCakes118.exe
  Token: SeCreateTokenPrivilege          2340  a274d9390c73e94368ab71ca4f71a30f_JaffaCakes118.exe
  Token: SeBackupPrivilege               2340  a274d9390c73e94368ab71ca4f71a30f_JaffaCakes118.exe
  Token: SeRestorePrivilege              2340  a274d9390c73e94368ab71ca4f71a30f_JaffaCakes118.exe
  Token: SeIncreaseQuotaPrivilege        2340  a274d9390c73e94368ab71ca4f71a30f_JaffaCakes118.exe
  Token: SeAssignPrimaryTokenPrivilege   2340  a274d9390c73e94368ab71ca4f71a30f_JaffaCakes118.exe
Suspicious use of UnmapMainImage (1 IoCs)
  pid: 2340
  Process: a274d9390c73e94368ab71ca4f71a30f_JaffaCakes118.exe
outlook_win_path (1 IoCs)
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  Process: a274d9390c73e94368ab71ca4f71a30f_JaffaCakes118.exe
Processes
C:\Users\Admin\AppData\Local\Temp\a274d9390c73e94368ab71ca4f71a30f_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a274d9390c73e94368ab71ca4f71a30f_JaffaCakes118.exe"
  PID: 2340
  - Accesses Microsoft Outlook accounts
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - outlook_win_path