Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
04-01-2025 15:32
General
-
Target
JaffaCakes118_7a738efc167437443992fac4788429f4.exe
-
Size
91KB
-
MD5
7a738efc167437443992fac4788429f4
-
SHA1
9795a60cece2587c303b854fb73bbd6fd1ef27d1
-
SHA256
38000ba095293a0bac17a5d9178729c447c3c23341c04a924134ba2c249e1f95
-
SHA512
99b9f6c49b47d8ff96b4ac4a9d14b0aa488f406a24129db000b2d6a58579e1b956890037a415539bbd0dbb8387463ddeae24f8029005eaf46d1025543333f461
-
SSDEEP
1536:5VAWOyeKz4qTBQNBynjVyeUPlihpON+BdOgcZTvVkzbu/1:D3FeADjVyewohddOgDu/1
Malware Config
Signatures
-
Pony family
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7a738efc167437443992fac4788429f4.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7a738efc167437443992fac4788429f4.exe"1⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- outlook_win_path