Analysis

  • max time kernel
    82s
  • max time network
    83s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/03/2025, 18:02 UTC

General

  • Target

    JaffaCakes118_8fee18f173182330b846e3072bfe525e.exe

  • Size

    80KB

  • MD5

    8fee18f173182330b846e3072bfe525e

  • SHA1

    a5979634d4fec771ba68806dd840378c140a8b2a

  • SHA256

    05065af2d4c16c65688a9efaa33c10fd9d36aa7fccf8b68621812db19456e4e6

  • SHA512

    2226a301343ccac1b05395e371006fdb2a1ad7419af5fb4f7bdd38427d0ec416a1e945f7174b8a73ff47e80079c18c59fa6977aaae2fe527a9f68473f0c9edee

  • SSDEEP

    1536:GGc5gq5nde3r4ZXsRe9Pbd0AwLOTYRdAKGmaeQe95DNSquOLcuer/E9kCA:GGc7cb41rtTYv+FevcfOLcuCwfA

Malware Config

Extracted

Family

pony

C2

http://klearcity.info:2346/pony/mac.php

http://slomtexs.info:2346/pony/mac.php

Attributes
  • payload_url

    http://klearcity.info:2346/pony/view/kos.exe

Signatures

  • Pony family
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Drops file in Drivers directory 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Hide Artifacts: Hidden Files and Directories 1 TTPs 2 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8fee18f173182330b846e3072bfe525e.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8fee18f173182330b846e3072bfe525e.exe"
    1⤵
    • Drops file in Drivers directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:2260
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c at 22:58:00 cmd.exe /c copy %TEMP%\259521406FdOh %WINDIR%\system32\drivers\etc\hosts /Y && rename %WINDIR%\system32\drivers\etc\hosts hosts.sys
      2⤵
        PID:2940
        • C:\Windows\SysWOW64\at.exe
          at 22:58:00 cmd.exe /c copy C:\Users\Admin\AppData\Local\Temp\259521406FdOh C:\Windows\system32\drivers\etc\hosts /Y
          3⤵
            PID:2900
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\windows\CurrentVersion\Run /v 259521438 /t REG_SZ /d "cmd.exe /c copy %TEMP%\259521406FdOh %WINDIR%\system32\drivers\etc\hosts /Y && attrib +H %WINDIR%\system32\drivers\etc\hosts /f
          2⤵
          • Hide Artifacts: Hidden Files and Directories
          PID:2932
          • C:\Windows\SysWOW64\reg.exe
            reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\windows\CurrentVersion\Run /v 259521438 /t REG_SZ /d "cmd.exe /c copy C:\Users\Admin\AppData\Local\Temp\259521406FdOh C:\Windows\system32\drivers\etc\hosts /Y && attrib +H C:\Windows\system32\drivers\etc\hosts /f
            3⤵
            • Hide Artifacts: Hidden Files and Directories
            PID:2744
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\abcd.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8fee18f173182330b846e3072bfe525e.exe" "
          2⤵
            PID:2820

Network

  • flag-us
    DNS
    klearcity.info
    JaffaCakes118_8fee18f173182330b846e3072bfe525e.exe
    Remote address:
    8.8.8.8:53
    Request
    klearcity.info
    IN A
    Response
  • flag-us
    DNS
    slomtexs.info
    JaffaCakes118_8fee18f173182330b846e3072bfe525e.exe
    Remote address:
    8.8.8.8:53
    Request
    slomtexs.info
    IN A
    Response
    No results found
  • 8.8.8.8:53
    klearcity.info
    dns
    JaffaCakes118_8fee18f173182330b846e3072bfe525e.exe
    60 B
    139 B
    1
    1

    DNS Request

    klearcity.info

  • 8.8.8.8:53
    slomtexs.info
    dns
    JaffaCakes118_8fee18f173182330b846e3072bfe525e.exe
    59 B
    138 B
    1
    1

    DNS Request

    slomtexs.info

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\abcd.bat

    Filesize

    75B

    MD5

    0849cfe65b98ba5fcd9a9ec61a671d09

    SHA1

    9d0ccb383c32b1bc07fd9064b9324a18e1276902

    SHA256

    44f6a1e48081deccfb61075e585bcb36c6d8e8feeb6ebae50bab41677822c643

    SHA512

    afdeda8122b4cefcf7549018c40d3142985e88a6d8f13eb58e9a59aa312b73608123de5f9feebc2ce25b6ec215d23c324b9f3a9a0e97041d67d863a25e15e57a

  • memory/2260-0-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/2260-1-0x000000000040E000-0x0000000000413000-memory.dmp

    Filesize

    20KB

  • memory/2260-2-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/2260-3-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/2260-4-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/2260-5-0x000000000040E000-0x0000000000413000-memory.dmp

    Filesize

    20KB

  • memory/2260-24-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB
