Analysis Overview
SHA256
0a0cd3ecbbc8ab5fc71c8f797dafade5fa56390a87ccf5ba99bcfce2d85ff171
Threat Level: Shows suspicious behavior
The file e362e278593b9c040674c4cf3fb48d3c_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
UPX packed file
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-06 22:03
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-06 22:03
Reported
2024-04-06 22:05
Platform
win7-20240220-en
Max time kernel
140s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\e362e278593b9c040674c4cf3fb48d3c_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\e362e278593b9c040674c4cf3fb48d3c_JaffaCakes118.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e362e278593b9c040674c4cf3fb48d3c_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2792 wrote to memory of 2492 | N/A | C:\Users\Admin\AppData\Local\Temp\e362e278593b9c040674c4cf3fb48d3c_JaffaCakes118.exe | C:\Windows\CTS.exe |
| PID 2792 wrote to memory of 2492 | N/A | C:\Users\Admin\AppData\Local\Temp\e362e278593b9c040674c4cf3fb48d3c_JaffaCakes118.exe | C:\Windows\CTS.exe |
| PID 2792 wrote to memory of 2492 | N/A | C:\Users\Admin\AppData\Local\Temp\e362e278593b9c040674c4cf3fb48d3c_JaffaCakes118.exe | C:\Windows\CTS.exe |
| PID 2792 wrote to memory of 2492 | N/A | C:\Users\Admin\AppData\Local\Temp\e362e278593b9c040674c4cf3fb48d3c_JaffaCakes118.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e362e278593b9c040674c4cf3fb48d3c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e362e278593b9c040674c4cf3fb48d3c_JaffaCakes118.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
Files
memory/2792-0-0x0000000001160000-0x0000000001177000-memory.dmp
C:\Windows\CTS.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | 5efd390d5f95c8191f5ac33c4db4b143 |
| SHA1 | 42d81b118815361daa3007f1a40f1576e9a9e0bc |
| SHA256 | 6028434636f349d801465f77af3a1e387a9c5032942ca6cadb6506d0800f2a74 |
| SHA512 | 720fbe253483dc034307a57a2860c8629a760f883603198d1213f5290b7f236bf0f5f237728ebed50962be83dc7dc4abe61a1e9a55218778495fc6580eb20b3d |
memory/2792-11-0x0000000000E80000-0x0000000000E97000-memory.dmp
memory/2492-12-0x0000000000E80000-0x0000000000E97000-memory.dmp
memory/2792-8-0x0000000001160000-0x0000000001177000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GCbXxZFC82bcbjD.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | 4e2feac4500e19e44c93e878d01089c4 |
| SHA1 | 0d2c7d9542f1d55aaa3708993e2f8ed31b40f764 |
| SHA256 | 7b1544c39e9dc3cbac2a74ad780b143363f93e6108655df8259ef0995553b520 |
| SHA512 | bc5181389ff1e60afb96d8a15243238fbb9e7a8e4ab64f62f72c3555d36b7cffdd33e0ec757ad5912e7adaae1af5f5fa70b62d4541c41bbb97d4696d38109dda |
memory/2792-19-0x0000000000E80000-0x0000000000E97000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-06 22:03
Reported
2024-04-06 22:05
Platform
win10v2004-20240226-en
Max time kernel
141s
Max time network
94s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\e362e278593b9c040674c4cf3fb48d3c_JaffaCakes118.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\e362e278593b9c040674c4cf3fb48d3c_JaffaCakes118.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e362e278593b9c040674c4cf3fb48d3c_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 5084 wrote to memory of 1144 | N/A | C:\Users\Admin\AppData\Local\Temp\e362e278593b9c040674c4cf3fb48d3c_JaffaCakes118.exe | C:\Windows\CTS.exe |
| PID 5084 wrote to memory of 1144 | N/A | C:\Users\Admin\AppData\Local\Temp\e362e278593b9c040674c4cf3fb48d3c_JaffaCakes118.exe | C:\Windows\CTS.exe |
| PID 5084 wrote to memory of 1144 | N/A | C:\Users\Admin\AppData\Local\Temp\e362e278593b9c040674c4cf3fb48d3c_JaffaCakes118.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e362e278593b9c040674c4cf3fb48d3c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e362e278593b9c040674c4cf3fb48d3c_JaffaCakes118.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
Files
memory/5084-0-0x0000000000C50000-0x0000000000C67000-memory.dmp
memory/5084-8-0x0000000000C50000-0x0000000000C67000-memory.dmp
memory/1144-7-0x0000000000830000-0x0000000000847000-memory.dmp
C:\Windows\CTS.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | 5efd390d5f95c8191f5ac33c4db4b143 |
| SHA1 | 42d81b118815361daa3007f1a40f1576e9a9e0bc |
| SHA256 | 6028434636f349d801465f77af3a1e387a9c5032942ca6cadb6506d0800f2a74 |
| SHA512 | 720fbe253483dc034307a57a2860c8629a760f883603198d1213f5290b7f236bf0f5f237728ebed50962be83dc7dc4abe61a1e9a55218778495fc6580eb20b3d |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| Algorithm | Digest |
| --- | --- |
| MD5 | 869a2b6068aff615da1bd23d00c3642e |
| SHA1 | f1ff41e8d0afe2723040e7ff53f3b4af53251adf |
| SHA256 | 1995f0235e8aadf1fa2a4db0ea04a55554c6e7d5bd49ad92636400708dc63a1a |
| SHA512 | 0ca4fa80140b14748c70e7de6b18bdaeeb1639e7a47fe804257d75260c78aed8025b45ad06c7c7541876cdee403dd606ccccab0a892b38f54c6f5b08a157ed64 |
C:\Users\Admin\AppData\Local\Temp\QD0bhhw1dMoVqkx.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | b641199bac041fe6ab5526bdf34119a2 |
| SHA1 | ab6ae04f6853bc7a40bb01ee8bb683f78baf923e |
| SHA256 | b683030b391461fff4d0d4888dc2855bc50992254328989d7bcedeafe1d3234b |
| SHA512 | 39ac77565efb9be0aed4e6884e0dc334d51664212fa36a4722a015cf968f812eb1d751ff4e4873a600fd4e20e299b212a45e4ead9338d1fccd999925005068d9 |
memory/1144-33-0x0000000000830000-0x0000000000847000-memory.dmp