Analysis
-
max time kernel
140s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
03/04/2024, 18:33
Behavioral task
behavioral1
Sample
a379c16f2858be2cefdc91878c3d8b8e_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
a379c16f2858be2cefdc91878c3d8b8e_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
a379c16f2858be2cefdc91878c3d8b8e_JaffaCakes118.exe
-
Size
28KB
-
MD5
a379c16f2858be2cefdc91878c3d8b8e
-
SHA1
67df0060e3327390e23fd26a67ae1ec34397535e
-
SHA256
4aae795faf59f3a25492cd7799c434f6183f4cbb476a51a5e4df766570a2c13c
-
SHA512
26e4aca3c6816c04bddef6ca4c08e708a20ddb52f2924de8cf06792053d3859d86d9b1c0e64e9f0e6d8bd118822509d71e61fa6ee55df67c3782f3b663395742
-
SSDEEP
768:eyX3LKew369lp2z3Sd4baFXLjwP/Tgj93b8NIoR:egKcR4mjD9r82w
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 3020 CTS.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/memory/2924-1-0x0000000000890000-0x00000000008A7000-memory.dmp upx behavioral1/memory/2924-8-0x0000000000890000-0x00000000008A7000-memory.dmp upx behavioral1/memory/3020-12-0x0000000000160000-0x0000000000177000-memory.dmp upx behavioral1/files/0x000c000000016056-10.dat upx -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" a379c16f2858be2cefdc91878c3d8b8e_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" CTS.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\CTS.exe a379c16f2858be2cefdc91878c3d8b8e_JaffaCakes118.exe File created C:\Windows\CTS.exe CTS.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2924 a379c16f2858be2cefdc91878c3d8b8e_JaffaCakes118.exe Token: SeDebugPrivilege 3020 CTS.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2924 wrote to memory of 3020 2924 a379c16f2858be2cefdc91878c3d8b8e_JaffaCakes118.exe 28 PID 2924 wrote to memory of 3020 2924 a379c16f2858be2cefdc91878c3d8b8e_JaffaCakes118.exe 28 PID 2924 wrote to memory of 3020 2924 a379c16f2858be2cefdc91878c3d8b8e_JaffaCakes118.exe 28 PID 2924 wrote to memory of 3020 2924 a379c16f2858be2cefdc91878c3d8b8e_JaffaCakes118.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\a379c16f2858be2cefdc91878c3d8b8e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a379c16f2858be2cefdc91878c3d8b8e_JaffaCakes118.exe"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\CTS.exe"C:\Windows\CTS.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3020
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
289B
MD5053587750f94a02286bcefb845bdee49
SHA1f19628d2ce2279238d2caea1ed6adbd086293ebc
SHA25632006b6d177998be9aee1b81062d77413c20307aa8979eef3024fed4ef674a40
SHA51238d3445764f0766d066ab8b88e5a0ec7db18d758e431d1400eb9666465823f066a0539dc02d4faaedb0031956f656846d5a566c28a6169790230fa30e5b24282
-
Filesize
28KB
MD5e6150447c894ade7b2b9ee88d5933922
SHA1dc62f7f9ff1a492adadbc8b6321c0b7b9cd973d1
SHA256b612d46644d0e4a3829c4d6715f71d979103aa487624805363b36f5b4f92b118
SHA512d6db2b459723005662a646357bd60ab6e5cf77ab4f83868c91e725e45c32b44900c32724883df6aa4a0e85cbf7441bea159334f3080cfe8e7acec540aa996ff0