General
-
Target
1b51840b9af837bd65732bcc6300740e_JaffaCakes118
-
Size
153KB
-
Sample
240701-p717lasgmc
-
MD5
1b51840b9af837bd65732bcc6300740e
-
SHA1
4899fa8f8df8bc923bd300ff079ffb89e960890f
-
SHA256
7762218a83a5727fb397da102dff3b99419bdd0e0f15c1b7f09898010faa780c
-
SHA512
115b9d7f520ef62fe323a7986131c11a14ae77237a9a63637257827665f9aa7b1bf876a35abada3f2f0eaa68794efd75d355e086b3188f872d0752b7ac96cc92
-
SSDEEP
3072:QGXG0qvTNFMJFHXQEkQkS6vmCNQMblOZhpwXuqOmg:QGXSvTNFMHHXQHQkjNVl4wXBz
Static task
static1
Behavioral task
behavioral1
Sample
1b51840b9af837bd65732bcc6300740e_JaffaCakes118.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
1b51840b9af837bd65732bcc6300740e_JaffaCakes118.exe
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
1b51840b9af837bd65732bcc6300740e_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral4
Sample
1b51840b9af837bd65732bcc6300740e_JaffaCakes118.exe
Resource
win10v2004-20240508-en
Malware Config
Extracted
pony
http://67.215.225.205:8080/ponys/gate.php
http://216.231.139.111/ponys/gate.php
-
payload_url
http://123-engagement-ring.com/F2ziEErm.exe
http://sultanesmonterrey.com/6VRjCFx.exe
http://cafedoc.info/BxvUvh.exe
http://butelii-oxigen.ro/fojJM.exe
http://aurangabadproperties.com/rfoMUzmK.exe
Targets
-
-
Target
1b51840b9af837bd65732bcc6300740e_JaffaCakes118
-
Size
153KB
-
MD5
1b51840b9af837bd65732bcc6300740e
-
SHA1
4899fa8f8df8bc923bd300ff079ffb89e960890f
-
SHA256
7762218a83a5727fb397da102dff3b99419bdd0e0f15c1b7f09898010faa780c
-
SHA512
115b9d7f520ef62fe323a7986131c11a14ae77237a9a63637257827665f9aa7b1bf876a35abada3f2f0eaa68794efd75d355e086b3188f872d0752b7ac96cc92
-
SSDEEP
3072:QGXG0qvTNFMJFHXQEkQkS6vmCNQMblOZhpwXuqOmg:QGXSvTNFMHHXQHQkjNVl4wXBz
-
Checks for common network interception software
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Manipulates Digital Signatures
Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook accounts
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Modify Registry
1