Malware Analysis Report

2025-08-06 00:44

Sample ID 240403-w7behahd83
Target a379c16f2858be2cefdc91878c3d8b8e_JaffaCakes118
SHA256 4aae795faf59f3a25492cd7799c434f6183f4cbb476a51a5e4df766570a2c13c
Tags
upx persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

4aae795faf59f3a25492cd7799c434f6183f4cbb476a51a5e4df766570a2c13c

Threat Level: Shows suspicious behavior

The file a379c16f2858be2cefdc91878c3d8b8e_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

upx persistence spyware stealer

UPX packed file

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-03 18:33

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-03 18:33

Reported

2024-04-03 18:35

Platform

win7-20240221-en

Max time kernel

140s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a379c16f2858be2cefdc91878c3d8b8e_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\a379c16f2858be2cefdc91878c3d8b8e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\a379c16f2858be2cefdc91878c3d8b8e_JaffaCakes118.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a379c16f2858be2cefdc91878c3d8b8e_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a379c16f2858be2cefdc91878c3d8b8e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a379c16f2858be2cefdc91878c3d8b8e_JaffaCakes118.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

memory/2924-1-0x0000000000890000-0x00000000008A7000-memory.dmp

memory/2924-8-0x0000000000890000-0x00000000008A7000-memory.dmp

memory/2924-11-0x00000000000E0000-0x00000000000F7000-memory.dmp

memory/3020-12-0x0000000000160000-0x0000000000177000-memory.dmp

C:\Windows\CTS.exe

MD5 e6150447c894ade7b2b9ee88d5933922
SHA1 dc62f7f9ff1a492adadbc8b6321c0b7b9cd973d1
SHA256 b612d46644d0e4a3829c4d6715f71d979103aa487624805363b36f5b4f92b118
SHA512 d6db2b459723005662a646357bd60ab6e5cf77ab4f83868c91e725e45c32b44900c32724883df6aa4a0e85cbf7441bea159334f3080cfe8e7acec540aa996ff0

C:\Users\Admin\AppData\Local\Temp\EazS9fthEXohdQn.exe

MD5 053587750f94a02286bcefb845bdee49
SHA1 f19628d2ce2279238d2caea1ed6adbd086293ebc
SHA256 32006b6d177998be9aee1b81062d77413c20307aa8979eef3024fed4ef674a40
SHA512 38d3445764f0766d066ab8b88e5a0ec7db18d758e431d1400eb9666465823f066a0539dc02d4faaedb0031956f656846d5a566c28a6169790230fa30e5b24282

memory/2924-18-0x00000000000E0000-0x00000000000F7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-03 18:33

Reported

2024-04-03 18:35

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a379c16f2858be2cefdc91878c3d8b8e_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\a379c16f2858be2cefdc91878c3d8b8e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\a379c16f2858be2cefdc91878c3d8b8e_JaffaCakes118.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a379c16f2858be2cefdc91878c3d8b8e_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a379c16f2858be2cefdc91878c3d8b8e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a379c16f2858be2cefdc91878c3d8b8e_JaffaCakes118.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 227.66.18.2.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 213.122.19.2.in-addr.arpa udp
US 8.8.8.8:53 241.66.18.2.in-addr.arpa udp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp

Files

memory/2744-0-0x0000000000D10000-0x0000000000D27000-memory.dmp

C:\Windows\CTS.exe

MD5 e6150447c894ade7b2b9ee88d5933922
SHA1 dc62f7f9ff1a492adadbc8b6321c0b7b9cd973d1
SHA256 b612d46644d0e4a3829c4d6715f71d979103aa487624805363b36f5b4f92b118
SHA512 d6db2b459723005662a646357bd60ab6e5cf77ab4f83868c91e725e45c32b44900c32724883df6aa4a0e85cbf7441bea159334f3080cfe8e7acec540aa996ff0

memory/2744-9-0x0000000000D10000-0x0000000000D27000-memory.dmp

memory/2188-7-0x00000000000A0000-0x00000000000B7000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 89c24fe436ed7fce6544ff9769badbc1
SHA1 cadde4fc64d0a51ca5e7009b392a96a782dbfdbe
SHA256 0b40a488f80431f0694b811471f2f99755d37e60c325e9f31baf6170391099a4
SHA512 2350050e364decf6e35c63859b467d073c4062ac1a41cfdad9bcf6816abb0e1047feece20d84fe267a02daf2cc6f728eb1f546922eea7b80d6f5c8ac4203b187

C:\Users\Admin\AppData\Local\Temp\3aG5kzT8mNhICe4.exe

MD5 8268e43cf36bbed9f57c692f339f8a8e
SHA1 8a83f826d378f0459795a24223012d4d7173cb32
SHA256 bdfdeda7c8b740762d25f85e5861d778ac683cb95f5aeae310257c3f0bddec43
SHA512 3cded61715b29408d30e2ba716e472408e9f1a17d38acfcd91a807835c2e0493b8b28492f45a996fcb61b43d12f01695f7fb300c4fe9d736caf1cf1ecb6fd83d

memory/2188-31-0x00000000000A0000-0x00000000000B7000-memory.dmp