Malware Analysis Report

2025-03-14 22:57

Sample ID 240406-1z2zpsda73
Target e3640424307b7602740de650e7939600_JaffaCakes118
SHA256 ebca2af4f09d7b61fc7d161c6ada685050481f36ccd08fdd2c02fc85f384fac0
Tags
persistence spyware stealer upx
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 7/10

SHA256

ebca2af4f09d7b61fc7d161c6ada685050481f36ccd08fdd2c02fc85f384fac0

Threat Level: Shows suspicious behavior

Verdict for e3640424307b7602740de650e7939600_JaffaCakes118: shows suspicious behavior (score 7/10). In both detonations the sample drops a randomly named executable into the user's Temp directory (identical hashes in both runs), drops C:\Windows\CTS.exe, registers CTS.exe under the WOW6432Node Run key, and both the original process and CTS.exe enable SeDebugPrivilege; when CTS.exe runs it re-creates its own file and re-sets the Run key.

Malicious Activity Summary

persistence spyware stealer upx

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

UPX packed file

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory
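The signatures above are individually weak (many installers add Run keys, many admin tools take SeDebugPrivilege); what makes this sample stand out is the correlation: a process running from the user's Temp directory writes an executable directly into C:\Windows and then points a Run key at that same file. The following rule set reproduces that correlation over constructed events. It is an added example, not the sandbox's own signature engine; the event schema, the rule names and the benign control events are assumptions, while the malicious events are built from the indicators printed in this report.

```python
"""
Correlation rules for the behaviour this report flags: a dropped file in the
Windows directory, a Run key pointing at it, and SeDebugPrivilege being
enabled. Added example, not the sandbox's own signature engine; the event
schema, rule names and the benign control events are assumptions, and the
malicious events are constructed from the indicators printed in this report.
"""
import ntpath
import re
from collections import defaultdict

RUN_KEY = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\e3640424307b7602740de650e7939600_JaffaCakes118.exe"

# Constructed events (assumed schema) mirroring the behavioral2 signature tables.
EVENTS = [
    {"type": "process_create", "pid": 2376, "image": DROPPER},
    {"type": "file_create", "pid": 2376, "path": r"C:\Windows\CTS.exe"},
    {"type": "reg_set", "pid": 2376, "key": RUN_KEY, "name": "CTS", "data": r'"C:\Windows\CTS.exe"'},
    {"type": "token_adjust", "pid": 2376, "privilege": "SeDebugPrivilege"},
    {"type": "process_create", "pid": 4728, "image": r"C:\Windows\CTS.exe"},
    {"type": "file_create", "pid": 4728, "path": r"C:\Windows\CTS.exe"},
    {"type": "reg_set", "pid": 4728, "key": RUN_KEY, "name": "CTS", "data": r'"C:\Windows\CTS.exe"'},
    {"type": "token_adjust", "pid": 4728, "privilege": "SeDebugPrivilege"},
    # Benign control (constructed): a per-user Run entry set by an installed application.
    {"type": "process_create", "pid": 100, "image": r"C:\Program Files\Example\setup.exe"},
    {"type": "reg_set", "pid": 100,
     "key": r"\REGISTRY\USER\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "Example", "data": r"C:\Program Files\Example\example.exe"},
]

# Matches HKLM/HKCU Run and RunOnce keys regardless of the Wow6432Node redirection.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
# Process images living under a user-writable AppData path.
USER_WRITABLE_RE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\", re.I)


def is_windows_root(path):
    """True for a file placed directly in C:\\Windows, not in a subdirectory."""
    head, _ = ntpath.split(path)
    return head.lower().rstrip("\\") == r"c:\windows"


def triage(events):
    """Return {rule_name: [pids]} listing every rule each process trips, in event order."""
    images = {e["pid"]: e["image"] for e in events if e["type"] == "process_create"}
    dropped_in_windows = set()          # lower-cased paths created directly in C:\Windows
    findings = defaultdict(list)
    for e in events:
        image = images.get(e["pid"], "")
        if e["type"] == "file_create" and is_windows_root(e["path"]):
            dropped_in_windows.add(e["path"].lower())
            findings["drops_file_in_windows_dir"].append(e["pid"])
            if USER_WRITABLE_RE.match(image):
                findings["temp_process_writes_windows_dir"].append(e["pid"])
        elif e["type"] == "reg_set" and RUN_KEY_RE.search(e["key"]):
            findings["adds_run_key"].append(e["pid"])
            # The strong signal: the Run value points at a file this run dropped into C:\Windows.
            if e["data"].strip('"').lower() in dropped_in_windows:
                findings["run_key_points_to_dropped_file"].append(e["pid"])
        elif e["type"] == "token_adjust" and e["privilege"] == "SeDebugPrivilege":
            findings["enables_sedebugprivilege"].append(e["pid"])
    return dict(findings)


if __name__ == "__main__":
    for rule, pids in triage(EVENTS).items():
        print(f"{rule}: {pids}")
```

The benign control trips only the generic `adds_run_key` rule; both sample processes trip `run_key_points_to_dropped_file`, which is the finding worth alerting on. A real event source would also need the process tree (CTS.exe is a child of the dropper) to tie the two PIDs to one chain.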

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 22:06

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 22:06

Reported

2024-04-06 22:08

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e3640424307b7602740de650e7939600_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a11DllMGASygyOz.exe | N/A
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description | Indicator | Process | Target
(5 matches, no indicator details exported)

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\e3640424307b7602740de650e7939600_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\e3640424307b7602740de650e7939600_JaffaCakes118.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e3640424307b7602740de650e7939600_JaffaCakes118.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e3640424307b7602740de650e7939600_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e3640424307b7602740de650e7939600_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\a11DllMGASygyOz.exe

C:\Users\Admin\AppData\Local\Temp\a11DllMGASygyOz.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 26.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 17.83.221.88.in-addr.arpa udp
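Every row in this table is a reverse (PTR) lookup, so the table yields no domain indicator; the useful step is to turn the in-addr.arpa names back into the addresses that were looked up. The script below does that over a copy of the rows above and groups the results by /16. It is an added example, not part of the original report; the four-column row layout (country, resolver, query, protocol) is taken from the table, and DNS_ROWS is copied from this report.

```python
"""
Decode the reverse-lookup (PTR) names in the Network table back to the IPv4
addresses that were looked up, and group them by /16. Added example, not part
of the original report; DNS_ROWS is a copy of this report's behavioral2
Network table, and the row layout (country, resolver, query, proto) is taken
from that table.
"""
import ipaddress
import re
from collections import defaultdict

DNS_ROWS = """\
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 26.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 17.83.221.88.in-addr.arpa udp
"""

# Four reversed octets followed by the in-addr.arpa suffix (optional trailing dot).
PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$", re.I)


def ptr_to_ipv4(name):
    """'241.150.49.20.in-addr.arpa' -> '20.49.150.241'; None if not a valid IPv4 PTR name."""
    m = PTR_RE.match(name)
    if not m:
        return None
    try:
        # Octets appear in reverse order in a PTR name; IPv4Address rejects octets > 255.
        return str(ipaddress.IPv4Address(".".join(reversed(m.groups()))))
    except ipaddress.AddressValueError:
        return None


def parse_rows(text):
    """Parse 'country resolver query proto' rows into dicts, decoding PTR names."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, resolver, query, proto = parts
        rows.append({
            "country": country, "resolver": resolver, "query": query, "proto": proto,
            "ip": ptr_to_ipv4(query),
            "kind": "PTR" if query.lower().rstrip(".").endswith(".in-addr.arpa") else "forward",
        })
    return rows


def group_by_prefix(rows, prefixlen=16):
    """Map each /prefixlen network to the decoded addresses that fall in it, in table order."""
    groups = defaultdict(list)
    for r in rows:
        if r["ip"]:
            net = ipaddress.ip_network(f'{r["ip"]}/{prefixlen}', strict=False)
            groups[str(net)].append(r["ip"])
    return dict(groups)


if __name__ == "__main__":
    rows = parse_rows(DNS_ROWS)
    forward = [r["query"] for r in rows if r["kind"] == "forward"]
    print("forward lookups:", forward or "none")
    for net, ips in sorted(group_by_prefix(rows).items()):
        print(net, ips)
```

Before treating any of the decoded addresses as command-and-control, compare them with a clean-baseline detonation on the same image: reverse lookups of addresses the operating system itself contacts are common sandbox background noise, and the file and registry indicators in this run carry far more weight than this table does.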

Files

memory/2376-0-0x0000000000340000-0x0000000000357000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a11DllMGASygyOz.exe

MD5 2124a793ac7d675e1b2d5fdee19a87d0
SHA1 3a1a6ae7c218e41c4eb303c548db9ec06bd6a6b5
SHA256 1aa3927c7985386d42759656665c7b422ee226df16a19446af6d9a6613b8ae9b
SHA512 d5b7b789108c00901e96a3f336c2176a6e7f50e73cb485974e8bb7af1b513b099e88eb6800ed1f0c53969a86a6870130a477c9b17cad0e00f9de4ac90252e051

memory/2376-8-0x0000000000340000-0x0000000000357000-memory.dmp

C:\Windows\CTS.exe

MD5 93e5f18caebd8d4a2c893e40e5f38232
SHA1 fd55c4e6bcd108bce60ea719c06dc9c4d0adafa6
SHA256 a66c4b98becac2f69cb107cd087d7a2ca9ef511bc3b83367b1f440f11dd159a8
SHA512 986583610d27caae2080834301d072557c5d2c85e33f0d19ab1245d7eae8db146397461572ddb3d491be16f3af210720d54267dac838fdad8fe34afa3d6b7f54

memory/4728-10-0x0000000000C60000-0x0000000000C77000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 9d2c84cda8fb29aea8d63175e6ad5767
SHA1 344e06084f3f0b8e1446851c70d8054e00c02302
SHA256 c599cbca6fd9e63908876d06ba79e8b9307ccfd49a380142cc85a2e2b4bd1c7b
SHA512 5687cde00e8bcefa46635a3c928c539abcd07a397670f3b4f2ad5f679a51f6a82f2dd8cb8ac65f8cba8f49b6be3cd2753844dc4bdc59535fea5dcf71e6f95d02

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 22:06

Reported

2024-04-06 22:08

Platform

win7-20240221-en

Max time kernel

141s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e3640424307b7602740de650e7939600_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VBRd375adSIM7sR.exe | N/A
N/A | N/A | C:\Windows\CTS.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e3640424307b7602740de650e7939600_JaffaCakes118.exe | N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description | Indicator | Process | Target
(4 matches, no indicator details exported)

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\e3640424307b7602740de650e7939600_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\e3640424307b7602740de650e7939600_JaffaCakes118.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e3640424307b7602740de650e7939600_JaffaCakes118.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e3640424307b7602740de650e7939600_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e3640424307b7602740de650e7939600_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\VBRd375adSIM7sR.exe

C:\Users\Admin\AppData\Local\Temp\VBRd375adSIM7sR.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

memory/2148-1-0x00000000002F0000-0x0000000000307000-memory.dmp

\Users\Admin\AppData\Local\Temp\VBRd375adSIM7sR.exe

MD5 2124a793ac7d675e1b2d5fdee19a87d0
SHA1 3a1a6ae7c218e41c4eb303c548db9ec06bd6a6b5
SHA256 1aa3927c7985386d42759656665c7b422ee226df16a19446af6d9a6613b8ae9b
SHA512 d5b7b789108c00901e96a3f336c2176a6e7f50e73cb485974e8bb7af1b513b099e88eb6800ed1f0c53969a86a6870130a477c9b17cad0e00f9de4ac90252e051

memory/2148-13-0x0000000000130000-0x0000000000147000-memory.dmp

memory/2148-11-0x00000000002F0000-0x0000000000307000-memory.dmp

C:\Windows\CTS.exe

MD5 93e5f18caebd8d4a2c893e40e5f38232
SHA1 fd55c4e6bcd108bce60ea719c06dc9c4d0adafa6
SHA256 a66c4b98becac2f69cb107cd087d7a2ca9ef511bc3b83367b1f440f11dd159a8
SHA512 986583610d27caae2080834301d072557c5d2c85e33f0d19ab1245d7eae8db146397461572ddb3d491be16f3af210720d54267dac838fdad8fe34afa3d6b7f54

memory/324-16-0x00000000000B0000-0x00000000000C7000-memory.dmp

memory/2148-21-0x0000000000130000-0x0000000000147000-memory.dmp