b965aa1eeab51b3da2794567479d289c5ab0682a56290caf4624b8cf77a6e49e

General

Target

2a215e8c8bb19eb81f3d87b836a9962d_JaffaCakes118.exe
Size

1.8MB
MD5

2a215e8c8bb19eb81f3d87b836a9962d
SHA1

b6eaec4687868eae433005976d64ea2b5400dfa9
SHA256

b965aa1eeab51b3da2794567479d289c5ab0682a56290caf4624b8cf77a6e49e
SHA512

5e41b9c3b8314a58bce94a54d3963af83381df82432b7631ba5a370eb16f713752cab23101c886ea1963b86a413139e75bc04def50f787cfda2a6bc54598c427
SSDEEP

49152:SmUqJjkupV6YbA9HHAWWrVRiyPlv283J5tz1Ow/S:W43pZsVWJIyPlO85zr6

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
308	NDBBWSJAAiX7Vqj.exe
2028	CTS.exe
2656	NDBBWSJAAiX7Vqj.exe

Loads dropped DLL 2 IoCs

pid	Process
2320	2a215e8c8bb19eb81f3d87b836a9962d_JaffaCakes118.exe
308	NDBBWSJAAiX7Vqj.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2320-0-0x0000000000D60000-0x0000000000D77000-memory.dmp	upx
behavioral1/files/0x000d000000012331-16.dat	upx
behavioral1/memory/2028-20-0x0000000000A60000-0x0000000000A77000-memory.dmp	upx
behavioral1/memory/2320-11-0x0000000000D60000-0x0000000000D77000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	2a215e8c8bb19eb81f3d87b836a9962d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	2a215e8c8bb19eb81f3d87b836a9962d_JaffaCakes118.exe
File created	C:\Windows\CTS.exe	CTS.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	NDBBWSJAAiX7Vqj.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	NDBBWSJAAiX7Vqj.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	NDBBWSJAAiX7Vqj.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2320	2a215e8c8bb19eb81f3d87b836a9962d_JaffaCakes118.exe
Token: SeDebugPrivilege	2028	CTS.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2656	NDBBWSJAAiX7Vqj.exe
2656	NDBBWSJAAiX7Vqj.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 308	2320	2a215e8c8bb19eb81f3d87b836a9962d_JaffaCakes118.exe	28
PID 2320 wrote to memory of 308	2320	2a215e8c8bb19eb81f3d87b836a9962d_JaffaCakes118.exe	28
PID 2320 wrote to memory of 308	2320	2a215e8c8bb19eb81f3d87b836a9962d_JaffaCakes118.exe	28
PID 2320 wrote to memory of 308	2320	2a215e8c8bb19eb81f3d87b836a9962d_JaffaCakes118.exe	28
PID 2320 wrote to memory of 308	2320	2a215e8c8bb19eb81f3d87b836a9962d_JaffaCakes118.exe	28
PID 2320 wrote to memory of 308	2320	2a215e8c8bb19eb81f3d87b836a9962d_JaffaCakes118.exe	28
PID 2320 wrote to memory of 308	2320	2a215e8c8bb19eb81f3d87b836a9962d_JaffaCakes118.exe	28
PID 2320 wrote to memory of 2028	2320	2a215e8c8bb19eb81f3d87b836a9962d_JaffaCakes118.exe	29
PID 2320 wrote to memory of 2028	2320	2a215e8c8bb19eb81f3d87b836a9962d_JaffaCakes118.exe	29
PID 2320 wrote to memory of 2028	2320	2a215e8c8bb19eb81f3d87b836a9962d_JaffaCakes118.exe	29
PID 2320 wrote to memory of 2028	2320	2a215e8c8bb19eb81f3d87b836a9962d_JaffaCakes118.exe	29
PID 308 wrote to memory of 2656	308	NDBBWSJAAiX7Vqj.exe	30
PID 308 wrote to memory of 2656	308	NDBBWSJAAiX7Vqj.exe	30
PID 308 wrote to memory of 2656	308	NDBBWSJAAiX7Vqj.exe	30
PID 308 wrote to memory of 2656	308	NDBBWSJAAiX7Vqj.exe	30
PID 308 wrote to memory of 2656	308	NDBBWSJAAiX7Vqj.exe	30
PID 308 wrote to memory of 2656	308	NDBBWSJAAiX7Vqj.exe	30
PID 308 wrote to memory of 2656	308	NDBBWSJAAiX7Vqj.exe	30

C:\Users\Admin\AppData\Local\Temp\2a215e8c8bb19eb81f3d87b836a9962d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2a215e8c8bb19eb81f3d87b836a9962d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Users\Admin\AppData\Local\Temp\NDBBWSJAAiX7Vqj.exe
  C:\Users\Admin\AppData\Local\Temp\NDBBWSJAAiX7Vqj.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:308
- - C:\Users\Admin\AppData\Local\Temp\jds259396824.tmp\NDBBWSJAAiX7Vqj.exe
    "C:\Users\Admin\AppData\Local\Temp\jds259396824.tmp\NDBBWSJAAiX7Vqj.exe"
    3⤵
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Modifies system certificate store
    - Suspicious use of SetWindowsHookEx
    PID:2656
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

3

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
1KB

MD5
fc454747f76e07f6a5ee4969c17c4c0c

SHA1
995b1d9b669988dafa11d999a8041c62b71bc356

SHA256
23131cc85c8bbea806184afd793b528da81a86564a8d4784c4b609ae29af515d

SHA512
e2a360957406239291ca54f17f5c9a50f4ce547405ef429e676ee20cb633fd177f6db97518f6135c1f9065d5e088dd8e0a1101099ac9f09630fe18501b15d261

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
5KB

MD5
fad4f7850553a695b418e9ab380db4bf

SHA1
a6dbba42743416ce1d8d36ec80592399de29dce5

SHA256
4c6c9a4bf030b7b813d41c640abe9876ad8dd372835982ef5c1938e1ab666eab

SHA512
0dd0f0880a1552cf8c3998ab31e7985c0216302fb1f396b0ca6e9aa5821f044ec7a1a224d9713a9d717619d7a3a5563ff09072516ee62080552d68e440153e46

Download Submit
C:\Windows\CTS.exe

Filesize
32KB

MD5
ac66dea95d4b0359164c31b135841b2a

SHA1
7038ec1bd5e9860154e5de4a100f0ec4a67fb2dd

SHA256
9768adefcfb9e4781b55cee28b2dd5db68086ad998b70c82e8b2a6c3f4b56c53

SHA512
fdf360c6dbe4ea57acde1d4a234f378fe9d408cd154c2dfd6a2d954ae3795523ae09477d77bac8e8d326991ee678af6dc502071f22e3e692e1ec37c0ed269bf3

Download Submit
\Users\Admin\AppData\Local\Temp\NDBBWSJAAiX7Vqj.exe

Filesize
1.8MB

MD5
544e07d620d3108b9b6aa3384d02dea5

SHA1
9897596f3c4ec39e38ef7f1081783db7693ae0b2

SHA256
a8fb1a1473831ac6feb092afd2cbdded2d6a881d3576158fabd89090050b52f8

SHA512
3663b9c056447c4491635b5bdcbc6e1a2b67a432b41bab6f479da5c787c48f1067cecafdfb6d9763f9b17b553aa953ae87068ba7f0c1c93facf34db7ac53a64c

Download Submit
\Users\Admin\AppData\Local\Temp\jds259396824.tmp\NDBBWSJAAiX7Vqj.exe

Filesize
1.6MB

MD5
109cbe148f827137c3ba62261f01b29b

SHA1
2cc02b09da46d9e5d0ac1b306a0bbcc12bfe4c12

SHA256
394ad6212e4866cc8e6d1834df8f70538dddf09d23dfa65ea204b22c012b541a

SHA512
a2dfa03dd290540bcfeda6cfd7d6ed891700742b4323d8c8dbfc4c822386ef1ddfff5cf71b2e5d7be9ec72fb6fc2145ff6ffc440823187d6956d5aa2794c5799

Download Submit
memory/2028-20-0x0000000000A60000-0x0000000000A77000-memory.dmp

Filesize
92KB

Download
memory/2320-0-0x0000000000D60000-0x0000000000D77000-memory.dmp

Filesize
92KB

Download
memory/2320-17-0x00000000000E0000-0x00000000000F7000-memory.dmp

Filesize
92KB

Download
memory/2320-14-0x00000000000E0000-0x00000000000F7000-memory.dmp

Filesize
92KB

Download
memory/2320-11-0x0000000000D60000-0x0000000000D77000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads