3bf8c5076c5c4b62a88a5ea7dfccd4bc7874abc187a68135c1287c6203895ef6

General

Target

d0662614f5e16db952e76910d1cc305e_JaffaCakes118.exe
Size

692KB
MD5

d0662614f5e16db952e76910d1cc305e
SHA1

959b9a35fd871eb91c76da3133c20fe6023b0418
SHA256

3bf8c5076c5c4b62a88a5ea7dfccd4bc7874abc187a68135c1287c6203895ef6
SHA512

0d94daa0673929d02fba197a3ff056811b07a7895b9b4d7c4b22cff18316338c35a426303e125f79df673abae3b205b1265138a19fe6b26830a21d982dc383db
SSDEEP

12288:smJyVADu7+UY7eaPAGjY6Wz8/lHKmH8QyAaVunCM094qGoBhkFGd+pg:hpH73AG8r8/lqmH8QyAggg4qGmhkVpg

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1700	ETGxGyLJqvqTxZF.exe
2212	CTS.exe
1264	Process not Found

Loads dropped DLL 2 IoCs

pid	Process
1164	d0662614f5e16db952e76910d1cc305e_JaffaCakes118.exe
1164	d0662614f5e16db952e76910d1cc305e_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1164-0-0x0000000000BF0000-0x0000000000C09000-memory.dmp	upx
behavioral1/memory/1164-14-0x0000000000BF0000-0x0000000000C09000-memory.dmp	upx
behavioral1/files/0x000800000001220a-16.dat	upx
behavioral1/memory/2212-18-0x0000000000C80000-0x0000000000C99000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	d0662614f5e16db952e76910d1cc305e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	d0662614f5e16db952e76910d1cc305e_JaffaCakes118.exe
File created	C:\Windows\CTS.exe	CTS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1164	d0662614f5e16db952e76910d1cc305e_JaffaCakes118.exe
Token: SeDebugPrivilege	2212	CTS.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 1700	1164	d0662614f5e16db952e76910d1cc305e_JaffaCakes118.exe	28
PID 1164 wrote to memory of 1700	1164	d0662614f5e16db952e76910d1cc305e_JaffaCakes118.exe	28
PID 1164 wrote to memory of 1700	1164	d0662614f5e16db952e76910d1cc305e_JaffaCakes118.exe	28
PID 1164 wrote to memory of 1700	1164	d0662614f5e16db952e76910d1cc305e_JaffaCakes118.exe	28
PID 1164 wrote to memory of 2212	1164	d0662614f5e16db952e76910d1cc305e_JaffaCakes118.exe	29
PID 1164 wrote to memory of 2212	1164	d0662614f5e16db952e76910d1cc305e_JaffaCakes118.exe	29
PID 1164 wrote to memory of 2212	1164	d0662614f5e16db952e76910d1cc305e_JaffaCakes118.exe	29
PID 1164 wrote to memory of 2212	1164	d0662614f5e16db952e76910d1cc305e_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\d0662614f5e16db952e76910d1cc305e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d0662614f5e16db952e76910d1cc305e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Users\Admin\AppData\Local\Temp\ETGxGyLJqvqTxZF.exe
  C:\Users\Admin\AppData\Local\Temp\ETGxGyLJqvqTxZF.exe
  2⤵
  - Executes dropped EXE
  PID:1700
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\CTS.exe

Filesize
118KB

MD5
f3a5f1a9498a80d37ad51a465a73bbbe

SHA1
cf0373fb9837de6a67e18f1896258cb99005037b

SHA256
c77cd8b176021d3c9c3c2822691ed40dbda40a9cecb64b4db0cf3630af6cbbc0

SHA512
bdbd9334784577ac625375c1a5f1974ae68040b42d5b09e399c58bc531112d272a9d799747183e9d5704b5a59c2e39e37c3ed887ad84b73f89c51835afecb7cc

Download Submit
\Users\Admin\AppData\Local\Temp\ETGxGyLJqvqTxZF.exe

Filesize
574KB

MD5
6503efe0a01c2d50c97be27f3cb10a43

SHA1
a0cb3708603a18f02352d01ec672020e5bad5073

SHA256
0cf9864ae3a8679ed503f954a453452c93fa44f99ca6f39bbc5860abde7fd35e

SHA512
ebdbc553ba4348676fd3f2ca12e48af53a229b449a36e653dbfca90efb34d21033e41d1157dcca28c2b1e5f91368c0839298992247cf7d2e8feca5feab8ecea4

Download Submit
memory/1164-0-0x0000000000BF0000-0x0000000000C09000-memory.dmp

Filesize
100KB

Download
memory/1164-14-0x0000000000BF0000-0x0000000000C09000-memory.dmp

Filesize
100KB

Download
memory/1164-15-0x00000000000E0000-0x00000000000F9000-memory.dmp

Filesize
100KB

Download
memory/1164-21-0x00000000000E0000-0x00000000000F9000-memory.dmp

Filesize
100KB

Download
memory/2212-18-0x0000000000C80000-0x0000000000C99000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads