General

  • Target

    26694ba398b51503fea398627ea8ce70_JaffaCakes118

  • Size

    808KB

  • Sample

    240704-137pcsthpc

  • MD5

    26694ba398b51503fea398627ea8ce70

  • SHA1

    1c9de5840af45400cfd0f9f1f671a04140f75e4b

  • SHA256

    a45da2c6bd8b5d30280c52ae6a834e776dd5b46f41ae4f93a97e3ed66d4138fd

  • SHA512

    319ef167ed8fad16a9740568f63fd557723b7fc92713e15ce1e1a3dcbf749d27ba0278d18a137c3d945fbd142d697bd57646143b5d4688904ab5f99aecf69b6c

  • SSDEEP

    12288:08tAkq7VWdT2z8q3cn+DC+UpuGCxK4Oe1rXjBHo9XIQt1uPwPUB7MdkWPDruhQx4:08t7qgC8mc+DRGaTjBUXIwuPB8Dr

Malware Config

Targets

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Disables taskbar notifications via registry modification

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Tactic / Technique (count) ATT&CK ID

Persistence

  • Boot or Logon Autostart Execution (3) T1547
      • Registry Run Keys / Startup Folder (1) T1547.001
      • Winlogon Helper DLL (1) T1547.004
      • Active Setup (1) T1547.014

Privilege Escalation

  • Boot or Logon Autostart Execution (3) T1547
      • Registry Run Keys / Startup Folder (1) T1547.001
      • Winlogon Helper DLL (1) T1547.004
      • Active Setup (1) T1547.014

Defense Evasion

  • Modify Registry (6) T1112
  • Hide Artifacts (1) T1564
      • Hidden Files and Directories (1) T1564.001

Credential Access

  • Unsecured Credentials (2) T1552
      • Credentials In Files (2) T1552.001

Discovery

  • Query Registry (3) T1012
  • Peripheral Device Discovery (1) T1120
  • System Information Discovery (2) T1082
  • Process Discovery (1) T1057

Collection

  • Data from Local System (2) T1005

Tasks