Analysis
-
max time kernel
119s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
11-12-2024 08:13
General
-
Target
e095a48a8020d7628707035e673f2090_JaffaCakes118.exe
-
Size
113KB
-
MD5
e095a48a8020d7628707035e673f2090
-
SHA1
fe91572924f7272d207f90dadbffb137c3f78e8f
-
SHA256
8c133ec84c6159cf5b55634cbb3618a2de0e84d50dcc516df4d94d22b8ab20dd
-
SHA512
650e05b398f51665d3b9998701246669b3414a7e68c939b51ddfd1f18dc93085b96fd7a24d4373d34c3b53ea2c04c2ec46b2ff6ff3938f013d555e38e1503304
-
SSDEEP
3072:TFEo/7cvuLDmnvAF3syuntCwn5XXioeL4:TFEoDcvuLDm4FsntNXXO4
Malware Config
Extracted
pony
http://lkrjoa.info:4915/way/like.php
http://kliuyehu.info:4915/way/like.php
http://mstyrde.info:4915/way/upd
Signatures
-
Pony family
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Hide Artifacts: Hidden Files and Directories 1 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of AdjustPrivilegeToken 32 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e095a48a8020d7628707035e673f2090_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e095a48a8020d7628707035e673f2090_JaffaCakes118.exe"1⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_win_path
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c at 08:16:00 /every:T,M,Th,F,W,S,Su cmd.exe "/c attrib -H C:\Windows\system32\drivers\etc\hosts && copy C:\Users\Admin\AppData\Local\Temp\259490331 C:\Windows\system32\drivers\etc\hosts /Y && attrib +H C:\Windows\system32\drivers\etc\hosts && erase %TEMP%\e095a48a8020d7628707035e673f2090_JaffaCakes118.exe" && copy %WINDIR%\system32\drivers\etc\hosts %WINDIR%\system32\drivers\etc\hosts.sam /Y2⤵
- Hide Artifacts: Hidden Files and Directories
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\at.exeat 08:16:00 /every:T,M,Th,F,W,S,Su cmd.exe "/c attrib -H C:\Windows\system32\drivers\etc\hosts && copy C:\Users\Admin\AppData\Local\Temp\259490331 C:\Windows\system32\drivers\etc\hosts /Y && attrib +H C:\Windows\system32\drivers\etc\hosts && erase C:\Users\Admin\AppData\Local\Temp\e095a48a8020d7628707035e673f2090_JaffaCakes118.exe"3⤵
- Hide Artifacts: Hidden Files and Directories
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe"2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
20KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
20KB
-
Filesize
160KB
-
Filesize
160KB