Malware Analysis Report

2025-03-14 22:37

Sample ID 240406-1yf1vada37
Target e362e278593b9c040674c4cf3fb48d3c_JaffaCakes118
SHA256 0a0cd3ecbbc8ab5fc71c8f797dafade5fa56390a87ccf5ba99bcfce2d85ff171
Tags
upx persistence spyware stealer
score
7/10


Analysis Overview

score
7/10

SHA256

0a0cd3ecbbc8ab5fc71c8f797dafade5fa56390a87ccf5ba99bcfce2d85ff171

Threat Level: Shows suspicious behavior

The file e362e278593b9c040674c4cf3fb48d3c_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

upx persistence spyware stealer

UPX packed file

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 22:03

Signatures

UPX packed file

upx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Unsigned PE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 22:03

Reported

2024-04-06 22:05

Platform

win7-20240220-en

Max time kernel

140s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e362e278593b9c040674c4cf3fb48d3c_JaffaCakes118.exe"

Signatures

Executes dropped EXE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\CTS.exe | N/A |

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\e362e278593b9c040674c4cf3fb48d3c_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |

Drops file in Windows directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\e362e278593b9c040674c4cf3fb48d3c_JaffaCakes118.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e362e278593b9c040674c4cf3fb48d3c_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |

Processes

C:\Users\Admin\AppData\Local\Temp\e362e278593b9c040674c4cf3fb48d3c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e362e278593b9c040674c4cf3fb48d3c_JaffaCakes118.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

memory/2792-0-0x0000000001160000-0x0000000001177000-memory.dmp

C:\Windows\CTS.exe

MD5 5efd390d5f95c8191f5ac33c4db4b143
SHA1 42d81b118815361daa3007f1a40f1576e9a9e0bc
SHA256 6028434636f349d801465f77af3a1e387a9c5032942ca6cadb6506d0800f2a74
SHA512 720fbe253483dc034307a57a2860c8629a760f883603198d1213f5290b7f236bf0f5f237728ebed50962be83dc7dc4abe61a1e9a55218778495fc6580eb20b3d

memory/2792-11-0x0000000000E80000-0x0000000000E97000-memory.dmp

memory/2492-12-0x0000000000E80000-0x0000000000E97000-memory.dmp

memory/2792-8-0x0000000001160000-0x0000000001177000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GCbXxZFC82bcbjD.exe

MD5 4e2feac4500e19e44c93e878d01089c4
SHA1 0d2c7d9542f1d55aaa3708993e2f8ed31b40f764
SHA256 7b1544c39e9dc3cbac2a74ad780b143363f93e6108655df8259ef0995553b520
SHA512 bc5181389ff1e60afb96d8a15243238fbb9e7a8e4ab64f62f72c3555d36b7cffdd33e0ec757ad5912e7adaae1af5f5fa70b62d4541c41bbb97d4696d38109dda

memory/2792-19-0x0000000000E80000-0x0000000000E97000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 22:03

Reported

2024-04-06 22:05

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e362e278593b9c040674c4cf3fb48d3c_JaffaCakes118.exe"

Signatures

Executes dropped EXE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\CTS.exe | N/A |

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\e362e278593b9c040674c4cf3fb48d3c_JaffaCakes118.exe | N/A |

Drops file in Windows directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\e362e278593b9c040674c4cf3fb48d3c_JaffaCakes118.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e362e278593b9c040674c4cf3fb48d3c_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |

Processes

C:\Users\Admin\AppData\Local\Temp\e362e278593b9c040674c4cf3fb48d3c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e362e278593b9c040674c4cf3fb48d3c_JaffaCakes118.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp |

Files

memory/5084-0-0x0000000000C50000-0x0000000000C67000-memory.dmp

memory/5084-8-0x0000000000C50000-0x0000000000C67000-memory.dmp

memory/1144-7-0x0000000000830000-0x0000000000847000-memory.dmp

C:\Windows\CTS.exe

MD5 5efd390d5f95c8191f5ac33c4db4b143
SHA1 42d81b118815361daa3007f1a40f1576e9a9e0bc
SHA256 6028434636f349d801465f77af3a1e387a9c5032942ca6cadb6506d0800f2a74
SHA512 720fbe253483dc034307a57a2860c8629a760f883603198d1213f5290b7f236bf0f5f237728ebed50962be83dc7dc4abe61a1e9a55218778495fc6580eb20b3d

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 869a2b6068aff615da1bd23d00c3642e
SHA1 f1ff41e8d0afe2723040e7ff53f3b4af53251adf
SHA256 1995f0235e8aadf1fa2a4db0ea04a55554c6e7d5bd49ad92636400708dc63a1a
SHA512 0ca4fa80140b14748c70e7de6b18bdaeeb1639e7a47fe804257d75260c78aed8025b45ad06c7c7541876cdee403dd606ccccab0a892b38f54c6f5b08a157ed64

C:\Users\Admin\AppData\Local\Temp\QD0bhhw1dMoVqkx.exe

MD5 b641199bac041fe6ab5526bdf34119a2
SHA1 ab6ae04f6853bc7a40bb01ee8bb683f78baf923e
SHA256 b683030b391461fff4d0d4888dc2855bc50992254328989d7bcedeafe1d3234b
SHA512 39ac77565efb9be0aed4e6884e0dc334d51664212fa36a4722a015cf968f812eb1d751ff4e4873a600fd4e20e299b212a45e4ead9338d1fccd999925005068d9

memory/1144-33-0x0000000000830000-0x0000000000847000-memory.dmp