Analysis Overview
SHA256
2893414729b99df78bfbed0b2f77cce9a24188034dc1ba13b509521fb8300d77
Threat Level: Known bad
The file JaffaCakes118_c731dcecf223e70b090a382243fb1673 was found to be: Known bad.
Malicious Activity Summary
Pony family
Pony,Fareit
Deletes itself
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Checks computer location settings
Reads data files stored by FTP clients
Checks installed software on the system
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-19 12:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-19 12:02
Reported
2025-01-19 12:05
Platform
win7-20240903-en
Max time kernel
120s
Max time network
125s
Command Line
Signatures
Pony family
Pony,Fareit
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Checks installed software on the system
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c731dcecf223e70b090a382243fb1673.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1728 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c731dcecf223e70b090a382243fb1673.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1728 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c731dcecf223e70b090a382243fb1673.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1728 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c731dcecf223e70b090a382243fb1673.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1728 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c731dcecf223e70b090a382243fb1673.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c731dcecf223e70b090a382243fb1673.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c731dcecf223e70b090a382243fb1673.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ytk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c731dcecf223e70b090a382243fb1673.exe" "
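The process tree above is the whole "Deletes itself" story: the dropper writes ytk.bat into its own %TEMP% directory, then launches cmd.exe /c with the batch file and its own image path as the two quoted arguments, so the script can remove the binary once the parent exits. The "Suspicious use of WriteProcessMemory" rows record the dropper writing into that freshly created cmd.exe but not what was written, so on their own they do not establish injection. The detection below is an added example, not part of the sandbox report or of any vendor's rule set; it runs over constructed process-creation events (the first mirrors the behavioral1 tree, the other two are controls) and flags cmd.exe /c running a .bat or .cmd from a temp directory, raising severity when the parent's own path is passed as an argument. Field names, the temp-directory markers and the severity labels are my assumptions.

```python
"""Flag the self-deletion pattern seen in the process tree: cmd.exe /c running a
script dropped in a temp directory, with the dropper's own path as its argument."""
import ntpath
import re
from typing import Optional

# Constructed process-creation events (not sandbox output). The first mirrors the
# behavioral1 tree above; the other two are benign/ambiguous controls.
EVENTS = [
    {
        "pid": 2772, "ppid": 1728,
        "parent_image": r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c731dcecf223e70b090a382243fb1673.exe",
        "image": r"C:\Windows\SysWOW64\cmd.exe",
        "command_line": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\ytk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c731dcecf223e70b090a382243fb1673.exe" "',
    },
    {
        "pid": 4100, "ppid": 900,
        "parent_image": r"C:\Windows\System32\svchost.exe",
        "image": r"C:\Windows\System32\cmd.exe",
        "command_line": r'cmd.exe /c "C:\Scripts\nightly-backup.bat"',
    },
    {
        "pid": 5200, "ppid": 1300,
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\cmd.exe",
        "command_line": r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\setup_helper.cmd"',
    },
]

# Assumed set of directories a dropper would use for a throw-away script.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def quoted_args(cmdline: str):
    """Return the double-quoted tokens of a Windows command line, in order.
    For cmd /c ""script" "arg" " this yields [script, arg]; the outer quotes
    that cmd.exe strips itself are skipped because they enclose nothing."""
    return re.findall(r'"([^"]+)"', cmdline)


def in_temp_dir(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in TEMP_MARKERS)


def assess(event: dict) -> Optional[dict]:
    """Return a finding for cmd.exe /c running a temp-directory script, else None."""
    if ntpath.basename(event["image"]).lower() != "cmd.exe":
        return None
    cmd = event["command_line"]
    if not re.search(r"(^|\s)/c(\s|$)", cmd, re.IGNORECASE):
        return None
    args = quoted_args(cmd)
    scripts = [a for a in args if a.lower().endswith((".bat", ".cmd")) and in_temp_dir(a)]
    if not scripts:
        return None
    # The self-delete tell: the parent's own image path handed to the script.
    parent = event["parent_image"].lower()
    self_ref = any(a.lower() == parent for a in args)
    return {
        "pid": event["pid"],
        "ppid": event["ppid"],
        "script": scripts[0],
        "severity": "high" if self_ref else "medium",
        "attack": "T1070.004",  # Indicator Removal: File Deletion
        "reason": ("temp script run with the parent's own image path as argument (self-delete pattern)"
                   if self_ref else "cmd.exe /c running a script dropped in a temp directory"),
    }


def scan(events):
    return [finding for finding in (assess(e) for e in events) if finding]


if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f'{f["severity"]:6} ppid={f["ppid"]} pid={f["pid"]} {f["attack"]} {f["script"]} :: {f["reason"]}')
```

The medium-severity branch is deliberately noisy: installers legitimately run helper scripts from %TEMP%, so in a real pipeline that tier would be enriched with the parent's signature status (the report marks this PE unsigned) and with whether the parent process exits shortly after spawning cmd.exe.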
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | curcamel.com | udp |
| US | 8.8.8.8:53 | curcandy.com | udp |
| US | 8.8.8.8:53 | curcharge.com | udp |
| US | 34.205.242.146:80 | curcharge.com | tcp |
| US | 8.8.8.8:53 | sadropped.com | udp |
| US | 8.8.8.8:53 | extrarot.eu | udp |
| US | 8.8.8.8:53 | www.o365.gr | udp |
| DE | 167.235.94.172:80 | www.o365.gr | tcp |
| US | 8.8.8.8:53 | www.top59serv.ro | udp |
| RO | 45.153.88.156:80 | www.top59serv.ro | tcp |
| RO | 45.153.88.156:443 | www.top59serv.ro | tcp |
| US | 8.8.8.8:53 | minus18degrees.com | udp |
Files
memory/1728-1-0x0000000000400000-0x0000000000415000-memory.dmp
memory/1728-0-0x0000000001D20000-0x0000000001E20000-memory.dmp
memory/1728-2-0x0000000001D20000-0x0000000001E20000-memory.dmp
memory/1728-3-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1728-4-0x0000000000400000-0x0000000000415000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ytk.bat
| MD5 | e6b031b9b7d40fa332ebc6f38b2f9f64 |
| SHA1 | d6dbffcfcc6a26188fd8d2e5b6257af4821fb48f |
| SHA256 | 66a04ff993916bce61351e4c3b94ea079c806efb1723c7cd79bd32aaf6847e0b |
| SHA512 | 7d17655334fcda4c3326110d340fd91cd23ee284dec99c3a8bbc8408342fda5f51e27aaba75fba4cccd513c342c22f07ad2cf6e2326ba575e3cc0eba4ea91948 |
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-19 12:02
Reported
2025-01-19 12:05
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Pony family
Pony,Fareit
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c731dcecf223e70b090a382243fb1673.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Checks installed software on the system
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c731dcecf223e70b090a382243fb1673.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 968 wrote to memory of 1672 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c731dcecf223e70b090a382243fb1673.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 968 wrote to memory of 1672 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c731dcecf223e70b090a382243fb1673.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 968 wrote to memory of 1672 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c731dcecf223e70b090a382243fb1673.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c731dcecf223e70b090a382243fb1673.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c731dcecf223e70b090a382243fb1673.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ytk.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c731dcecf223e70b090a382243fb1673.exe" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | curcamel.com | udp |
| US | 8.8.8.8:53 | curcandy.com | udp |
| US | 8.8.8.8:53 | curcharge.com | udp |
| US | 3.18.7.81:80 | curcharge.com | tcp |
| US | 8.8.8.8:53 | sadropped.com | udp |
| US | 8.8.8.8:53 | extrarot.eu | udp |
| US | 8.8.8.8:53 | www.o365.gr | udp |
| DE | 167.235.94.172:80 | www.o365.gr | tcp |
| US | 8.8.8.8:53 | www.top59serv.ro | udp |
| RO | 45.153.88.156:80 | www.top59serv.ro | tcp |
| US | 8.8.8.8:53 | 182.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.7.18.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.98.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.94.235.167.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 156.88.153.45.in-addr.arpa | udp |
| RO | 45.153.88.156:443 | www.top59serv.ro | tcp |
| US | 8.8.8.8:53 | minus18degrees.com | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
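Reading the two Network tables (behavioral1 and behavioral2) needs one pass of triage before any of it becomes an indicator: several names are only ever seen as UDP/53 queries with no TCP follow-up, so in these runs they were never connected to; three names (curcharge.com, www.o365.gr, www.top59serv.ro) were resolved and then contacted on 80 or 443; and the in-addr.arpa queries in the behavioral2 run are reverse lookups, some of which map back to exactly the IPs that were contacted (3.18.7.81, 167.235.94.172, 45.153.88.156) while the rest describe addresses that appear nowhere else in the table. The script below is an added example, not part of the sandbox report; it runs over a subset of rows copied from the behavioral2 table, pairs forward lookups with the connections that followed, and decodes PTR names back to addresses so that reverse-lookup noise is not mistaken for C2. The output labels ("contacted-host", "unrelated", "dns_only") are my assumptions.

```python
"""Triage sandbox network rows: pair forward lookups with the TCP connections they led
to, list names that were queried but never contacted, and map in-addr.arpa PTR
queries back to the IPs they describe."""
from collections import defaultdict
from typing import Optional

# Subset of rows copied from the behavioral2 Network table: (country, destination, domain, proto)
ROWS = [
    ("US", "8.8.8.8:53", "curcamel.com", "udp"),
    ("US", "8.8.8.8:53", "curcandy.com", "udp"),
    ("US", "8.8.8.8:53", "curcharge.com", "udp"),
    ("US", "3.18.7.81:80", "curcharge.com", "tcp"),
    ("US", "8.8.8.8:53", "sadropped.com", "udp"),
    ("US", "8.8.8.8:53", "www.o365.gr", "udp"),
    ("DE", "167.235.94.172:80", "www.o365.gr", "tcp"),
    ("US", "8.8.8.8:53", "www.top59serv.ro", "udp"),
    ("RO", "45.153.88.156:80", "www.top59serv.ro", "tcp"),
    ("RO", "45.153.88.156:443", "www.top59serv.ro", "tcp"),
    ("US", "8.8.8.8:53", "81.7.18.3.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "172.94.235.167.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "156.88.153.45.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "241.150.49.20.in-addr.arpa", "udp"),
]

PTR_SUFFIX = ".in-addr.arpa"


def ptr_to_ip(name: str) -> Optional[str]:
    """'81.7.18.3.in-addr.arpa' -> '3.18.7.81'; None if the name is not an IPv4 PTR."""
    if not name.endswith(PTR_SUFFIX):
        return None
    labels = name[: -len(PTR_SUFFIX)].split(".")
    if len(labels) != 4 or not all(l.isdigit() and 0 <= int(l) <= 255 for l in labels):
        return None
    return ".".join(reversed(labels))


def triage(rows):
    queried = set()                                   # names asked of the resolver
    contacted = defaultdict(lambda: {"ips": set(), "ports": set()})
    ptr = []                                          # (ptr name, decoded ip)
    for _country, dest, domain, proto in rows:
        ip, _, port = dest.rpartition(":")
        port = int(port)
        if proto == "udp" and port == 53:
            target = ptr_to_ip(domain)
            if target:
                ptr.append((domain, target))
            else:
                queried.add(domain)
        elif proto == "tcp":
            contacted[domain]["ips"].add(ip)
            contacted[domain]["ports"].add(port)
    contacted_ips = {ip for entry in contacted.values() for ip in entry["ips"]}
    return {
        # names that resolved and were then connected to: the actual infrastructure touched
        "contacted": {d: {"ips": sorted(v["ips"]), "ports": sorted(v["ports"])}
                      for d, v in contacted.items()},
        # queried but never connected to in this run: still worth blocking, not proof of traffic
        "dns_only": sorted(queried - set(contacted)),
        # reverse lookups: tag those that describe a host the sample actually reached
        "ptr": [(name, ip, "contacted-host" if ip in contacted_ips else "unrelated")
                for name, ip in ptr],
    }


if __name__ == "__main__":
    result = triage(ROWS)
    for domain, info in result["contacted"].items():
        print(f'contacted  {domain:20} {",".join(info["ips"])} ports={info["ports"]}')
    for domain in result["dns_only"]:
        print(f"dns-only   {domain}")
    for name, ip, tag in result["ptr"]:
        print(f"ptr        {name:32} -> {ip:16} {tag}")
```

The "dns_only" list is where the caveat lives: a name with no TCP follow-up tells you the sample asked for it, not that the host exists or answered, so those names belong on a blocklist but should not be reported as observed C2 traffic. The "unrelated" PTR entries are the reverse lookups of addresses that appear nowhere else in the table and should be excluded from the indicator set rather than expanded into IPs to block.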
Files
memory/968-0-0x00000000021E0000-0x00000000022E0000-memory.dmp
memory/968-1-0x0000000000400000-0x0000000000415000-memory.dmp
memory/968-6-0x0000000000400000-0x0000000000415000-memory.dmp
memory/968-5-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ytk.bat
| MD5 | e6b031b9b7d40fa332ebc6f38b2f9f64 |
| SHA1 | d6dbffcfcc6a26188fd8d2e5b6257af4821fb48f |
| SHA256 | 66a04ff993916bce61351e4c3b94ea079c806efb1723c7cd79bd32aaf6847e0b |
| SHA512 | 7d17655334fcda4c3326110d340fd91cd23ee284dec99c3a8bbc8408342fda5f51e27aaba75fba4cccd513c342c22f07ad2cf6e2326ba575e3cc0eba4ea91948 |