Analysis
-
max time kernel
142s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
-
submitted
04-07-2024 08:09
General
-
Target
253a01a3885449b469b5d48701c1f1b0_JaffaCakes118.exe
-
Size
278KB
-
MD5
253a01a3885449b469b5d48701c1f1b0
-
SHA1
c152218d2ed37052b8e5808c45246bbb0dd7f8cd
-
SHA256
54eead45e2f5c5d49a65e9b6d2ccb79dad19acd6952713dddbdb1deedac57936
-
SHA512
91f30a2ccf7f2ed339c7531f130058af77629ccf538da88c819b5994cfdc13ff343d4cd52bc676436de201ad2252e7db5f8a3692b50fee146c72681b3cc8f089
-
SSDEEP
6144:rwmpb9Zz43C+A9cvUEEpXYMSkDZcxOqcDIrM:rwml9t43CTAM1uZA
Malware Config
Signatures
-
Modifies security service 2 TTPs 1 IoCs
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Disables taskbar notifications via registry modification
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 11 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 1 IoCs
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of FindShellTrayWindow 28 IoCs
-
Suspicious use of SendNotifyMessage 22 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\253a01a3885449b469b5d48701c1f1b0_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\253a01a3885449b469b5d48701c1f1b0_JaffaCakes118.exe"1⤵
- Modifies security service
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\253a01a3885449b469b5d48701c1f1b0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\253a01a3885449b469b5d48701c1f1b0_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\ECE51\EBC4E.exe%C:\Users\Admin\AppData\Roaming\ECE512⤵
-
C:\Users\Admin\AppData\Local\Temp\253a01a3885449b469b5d48701c1f1b0_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\253a01a3885449b469b5d48701c1f1b0_JaffaCakes118.exe startC:\Program Files (x86)\512A0\lvvm.exe%C:\Program Files (x86)\512A02⤵
-
C:\Program Files (x86)\LP\4E5E\8D42.tmp"C:\Program Files (x86)\LP\4E5E\8D42.tmp"2⤵
- Executes dropped EXE
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Active Setup
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\ECE51\12A0.CE5Filesize
600B
MD5c6c26586c79f8814081b8e76ac3eb12e
SHA1c0a3690a8589976ee53765e35d8beb7c27160e5f
SHA256501c84b09ca721723ac1fdafc4eb58142f0fb3913809624de78330698f058668
SHA512dbc4415ae78299558ed95e8332f5cc81984dca8a9e03b5ee84032f54146ffe8eb7c714367505995c65644abf756698c3fea5fa0e33728734999262c4a3bd802a
-
C:\Users\Admin\AppData\Roaming\ECE51\12A0.CE5Filesize
1KB
MD540c7fe7d802473d54079644f2e41ce34
SHA185d6bb79f96427019ba5c94dacc3cbf2146d65fe
SHA256d6a72edfd903e9de00d2f867b6c2e8d4c2a41c10b94492e72786becf29105f0d
SHA512cc57457f86948fc007440ba2f577551823e4c6b572f5cbe1a6c3e12ba1440d5288519bb3f04bd2d19db7dd2598915e26985ccadc50d2813f83c49ea4cb391177
-
C:\Users\Admin\AppData\Roaming\ECE51\12A0.CE5Filesize
996B
MD531ce78fb303023525a312955333db42d
SHA1577df2fb7606367de8796711322e7c8ebd531645
SHA2566e7f64919c2e77f59bb2c51f9332e4e6376833a679734f2ae71d95ac9da136ec
SHA512db461f41a476bb23e10a46c4ddf2f34cf8467e0b54bb8f9a9240940e7e7835f63d89c18d70e1674367979a56abf5832593be89861c99b59639897a77afa4c424
-
\Program Files (x86)\LP\4E5E\8D42.tmpFilesize
97KB
MD578193d48f57272fd9ea2e44ed86d608c
SHA11e70368bb5a0932f868fdddb22fd23dd2e7dedeb
SHA256c09d0876bbf956eb381d92a3e9dd61d49a4d65c1d2b65d3d42cb795256804aae
SHA5124f55914fe2d3780f174843b9f3666a10f63caae9634af925da3dc6aea5a3f6ab9e6ebf693698b781931ce794919558c59f7bfa22be94dc8b556784d948fa14c1
-
memory/744-12-0x0000000000400000-0x000000000046B000-memory.dmpFilesize
428KB
-
memory/744-13-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/1196-193-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2468-74-0x0000000000400000-0x000000000046B000-memory.dmpFilesize
428KB
-
memory/2468-2-0x0000000000400000-0x000000000046B000-memory.dmpFilesize
428KB
-
memory/2468-75-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/2468-159-0x0000000000400000-0x000000000046B000-memory.dmpFilesize
428KB
-
memory/2468-14-0x0000000000400000-0x000000000046B000-memory.dmpFilesize
428KB
-
memory/2468-1-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/2468-194-0x0000000000400000-0x000000000046B000-memory.dmpFilesize
428KB
-
memory/3008-73-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/3008-72-0x0000000000400000-0x000000000046B000-memory.dmpFilesize
428KB