Analysis Overview
SHA256: 4aae795faf59f3a25492cd7799c434f6183f4cbb476a51a5e4df766570a2c13c
Threat Level: Shows suspicious behavior
The file a379c16f2858be2cefdc91878c3d8b8e_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
UPX packed file
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-03 18:33
Signatures
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-03 18:33
Reported
2024-04-03 18:35
Platform
win7-20240221-en
Max time kernel
140s
Max time network
118s
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\a379c16f2858be2cefdc91878c3d8b8e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\a379c16f2858be2cefdc91878c3d8b8e_JaffaCakes118.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a379c16f2858be2cefdc91878c3d8b8e_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2924 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\a379c16f2858be2cefdc91878c3d8b8e_JaffaCakes118.exe | C:\Windows\CTS.exe |
| PID 2924 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\a379c16f2858be2cefdc91878c3d8b8e_JaffaCakes118.exe | C:\Windows\CTS.exe |
| PID 2924 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\a379c16f2858be2cefdc91878c3d8b8e_JaffaCakes118.exe | C:\Windows\CTS.exe |
| PID 2924 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\a379c16f2858be2cefdc91878c3d8b8e_JaffaCakes118.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a379c16f2858be2cefdc91878c3d8b8e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a379c16f2858be2cefdc91878c3d8b8e_JaffaCakes118.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Files
memory/2924-1-0x0000000000890000-0x00000000008A7000-memory.dmp
memory/2924-8-0x0000000000890000-0x00000000008A7000-memory.dmp
memory/2924-11-0x00000000000E0000-0x00000000000F7000-memory.dmp
memory/3020-12-0x0000000000160000-0x0000000000177000-memory.dmp
C:\Windows\CTS.exe
| Hash | Value |
|---|---|
| MD5 | e6150447c894ade7b2b9ee88d5933922 |
| SHA1 | dc62f7f9ff1a492adadbc8b6321c0b7b9cd973d1 |
| SHA256 | b612d46644d0e4a3829c4d6715f71d979103aa487624805363b36f5b4f92b118 |
| SHA512 | d6db2b459723005662a646357bd60ab6e5cf77ab4f83868c91e725e45c32b44900c32724883df6aa4a0e85cbf7441bea159334f3080cfe8e7acec540aa996ff0 |
C:\Users\Admin\AppData\Local\Temp\EazS9fthEXohdQn.exe
| Hash | Value |
|---|---|
| MD5 | 053587750f94a02286bcefb845bdee49 |
| SHA1 | f19628d2ce2279238d2caea1ed6adbd086293ebc |
| SHA256 | 32006b6d177998be9aee1b81062d77413c20307aa8979eef3024fed4ef674a40 |
| SHA512 | 38d3445764f0766d066ab8b88e5a0ec7db18d758e431d1400eb9666465823f066a0539dc02d4faaedb0031956f656846d5a566c28a6169790230fa30e5b24282 |
memory/2924-18-0x00000000000E0000-0x00000000000F7000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-03 18:33
Reported
2024-04-03 18:35
Platform
win10v2004-20240226-en
Max time kernel
147s
Max time network
152s
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\a379c16f2858be2cefdc91878c3d8b8e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\a379c16f2858be2cefdc91878c3d8b8e_JaffaCakes118.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a379c16f2858be2cefdc91878c3d8b8e_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2744 wrote to memory of 2188 | N/A | C:\Users\Admin\AppData\Local\Temp\a379c16f2858be2cefdc91878c3d8b8e_JaffaCakes118.exe | C:\Windows\CTS.exe |
| PID 2744 wrote to memory of 2188 | N/A | C:\Users\Admin\AppData\Local\Temp\a379c16f2858be2cefdc91878c3d8b8e_JaffaCakes118.exe | C:\Windows\CTS.exe |
| PID 2744 wrote to memory of 2188 | N/A | C:\Users\Admin\AppData\Local\Temp\a379c16f2858be2cefdc91878c3d8b8e_JaffaCakes118.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a379c16f2858be2cefdc91878c3d8b8e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a379c16f2858be2cefdc91878c3d8b8e_JaffaCakes118.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.66.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.122.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.66.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.173.189.20.in-addr.arpa | udp |
Files
memory/2744-0-0x0000000000D10000-0x0000000000D27000-memory.dmp
C:\Windows\CTS.exe
| Hash | Value |
|---|---|
| MD5 | e6150447c894ade7b2b9ee88d5933922 |
| SHA1 | dc62f7f9ff1a492adadbc8b6321c0b7b9cd973d1 |
| SHA256 | b612d46644d0e4a3829c4d6715f71d979103aa487624805363b36f5b4f92b118 |
| SHA512 | d6db2b459723005662a646357bd60ab6e5cf77ab4f83868c91e725e45c32b44900c32724883df6aa4a0e85cbf7441bea159334f3080cfe8e7acec540aa996ff0 |
memory/2744-9-0x0000000000D10000-0x0000000000D27000-memory.dmp
memory/2188-7-0x00000000000A0000-0x00000000000B7000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| Hash | Value |
|---|---|
| MD5 | 89c24fe436ed7fce6544ff9769badbc1 |
| SHA1 | cadde4fc64d0a51ca5e7009b392a96a782dbfdbe |
| SHA256 | 0b40a488f80431f0694b811471f2f99755d37e60c325e9f31baf6170391099a4 |
| SHA512 | 2350050e364decf6e35c63859b467d073c4062ac1a41cfdad9bcf6816abb0e1047feece20d84fe267a02daf2cc6f728eb1f546922eea7b80d6f5c8ac4203b187 |
C:\Users\Admin\AppData\Local\Temp\3aG5kzT8mNhICe4.exe
| Hash | Value |
|---|---|
| MD5 | 8268e43cf36bbed9f57c692f339f8a8e |
| SHA1 | 8a83f826d378f0459795a24223012d4d7173cb32 |
| SHA256 | bdfdeda7c8b740762d25f85e5861d778ac683cb95f5aeae310257c3f0bddec43 |
| SHA512 | 3cded61715b29408d30e2ba716e472408e9f1a17d38acfcd91a807835c2e0493b8b28492f45a996fcb61b43d12f01695f7fb300c4fe9d736caf1cf1ecb6fd83d |
memory/2188-31-0x00000000000A0000-0x00000000000B7000-memory.dmp