Malware Analysis Report

2025-03-14 22:55

Sample ID 240406-1nkw2sbh61
Target e35b8b5b1062c2c63e3d1177c4851ed6_JaffaCakes118
SHA256 37853b0280f64aeb6bec0801d3622d830aea503c77d657ac430b40c4d065fa33
Tags: persistence spyware stealer upx
Score: 7/10

Analysis Overview

Score: 7/10

SHA256: 37853b0280f64aeb6bec0801d3622d830aea503c77d657ac430b40c4d065fa33

Threat Level: Shows suspicious behavior

The file e35b8b5b1062c2c63e3d1177c4851ed6_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Tags: persistence spyware stealer upx

Executes dropped EXE

Reads user/profile data of web browsers

UPX packed file

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 21:47

Signatures

UPX packed file

Tags: upx

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Unsigned PE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 21:47

Reported

2024-04-06 21:50

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e35b8b5b1062c2c63e3d1177c4851ed6_JaffaCakes118.exe"

Signatures

Executes dropped EXE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\CTS.exe | N/A |

Reads user/profile data of web browsers

Tags: spyware stealer

UPX packed file

Tags: upx

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

Adds Run key to start application

Tags: persistence

| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\e35b8b5b1062c2c63e3d1177c4851ed6_JaffaCakes118.exe | N/A |

Drops file in Windows directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\e35b8b5b1062c2c63e3d1177c4851ed6_JaffaCakes118.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e35b8b5b1062c2c63e3d1177c4851ed6_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |

Processes

C:\Users\Admin\AppData\Local\Temp\e35b8b5b1062c2c63e3d1177c4851ed6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e35b8b5b1062c2c63e3d1177c4851ed6_JaffaCakes118.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.73.42.20.in-addr.arpa | udp |

Files

memory/3040-0-0x0000000000A90000-0x0000000000AA7000-memory.dmp

C:\Windows\CTS.exe

MD5 5efd390d5f95c8191f5ac33c4db4b143
SHA1 42d81b118815361daa3007f1a40f1576e9a9e0bc
SHA256 6028434636f349d801465f77af3a1e387a9c5032942ca6cadb6506d0800f2a74
SHA512 720fbe253483dc034307a57a2860c8629a760f883603198d1213f5290b7f236bf0f5f237728ebed50962be83dc7dc4abe61a1e9a55218778495fc6580eb20b3d

memory/3040-7-0x0000000000A90000-0x0000000000AA7000-memory.dmp

memory/2908-9-0x0000000000420000-0x0000000000437000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 732ef53e9ecd06b1daf5d77b6b191f23
SHA1 31b5aec4b8eb7274a6d822a67d682344fe45ac09
SHA256 6d5a97e14585be3e587a69e635764a943ded61bc22dd5ccd78046903b0a73e42
SHA512 f620316e9b7858d11c3b0ae44aa3c7aa31b29db7bdcd215faf4310c1ff52475448dc2160036f0b9834110d0fa3bf88daf981613035281d3f6371c95beacce7de

C:\Users\Admin\AppData\Local\Temp\OtVOqOrk4tNx3Zx.exe

MD5 70bf8ab30a6f158d8b7372aa02c6112f
SHA1 95d02dbf9792b89df3a55cee96ce50ea936b9552
SHA256 04c0bfc3ac410ead528e907732104cfc512853afea76577278fa1f04cdf879da
SHA512 c7466a1dc3baf8f2d8cda0e9f27c9a3b543c521efde54cf7e497d0b02840ae92200cb45ac6e609e814699fdf22aadb9493e22bab3de94e11dbdf9a295aef9122

memory/2908-32-0x0000000000420000-0x0000000000437000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 21:47

Reported

2024-04-06 21:50

Platform

win7-20240221-en

Max time kernel

140s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e35b8b5b1062c2c63e3d1177c4851ed6_JaffaCakes118.exe"

Signatures

Executes dropped EXE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\CTS.exe | N/A |

Reads user/profile data of web browsers

Tags: spyware stealer

UPX packed file

Tags: upx

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

Adds Run key to start application

Tags: persistence

| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\e35b8b5b1062c2c63e3d1177c4851ed6_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |

Drops file in Windows directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\e35b8b5b1062c2c63e3d1177c4851ed6_JaffaCakes118.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e35b8b5b1062c2c63e3d1177c4851ed6_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |

Processes

C:\Users\Admin\AppData\Local\Temp\e35b8b5b1062c2c63e3d1177c4851ed6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e35b8b5b1062c2c63e3d1177c4851ed6_JaffaCakes118.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

memory/1624-1-0x0000000000F90000-0x0000000000FA7000-memory.dmp

C:\Windows\CTS.exe

MD5 5efd390d5f95c8191f5ac33c4db4b143
SHA1 42d81b118815361daa3007f1a40f1576e9a9e0bc
SHA256 6028434636f349d801465f77af3a1e387a9c5032942ca6cadb6506d0800f2a74
SHA512 720fbe253483dc034307a57a2860c8629a760f883603198d1213f5290b7f236bf0f5f237728ebed50962be83dc7dc4abe61a1e9a55218778495fc6580eb20b3d

memory/1624-8-0x0000000000F90000-0x0000000000FA7000-memory.dmp

memory/2188-11-0x0000000000AC0000-0x0000000000AD7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\h2DQUSmbJudKNi3.exe

MD5 79ea79f02ecec23bf9863c20429e5ec7
SHA1 d9a63dd23bdd1d385a3c3246f7cbd633c79bb327
SHA256 f38c83713cd055cb517115728be934ae6ea314f372720d3c152bad6f430edd97
SHA512 78f31f83e9a407c749bb84a7693eea3ed26e2a9ee2c32d51245f3c2c64803bd3cf29efe190ba9ac98cefaef72af1d8fd31688067c594db8f8d7086ae64edc8bb