Malware Analysis Report

2025-03-14 22:57

Sample ID 240406-3pd61aed7s
Target e39083f597818cfb8854ea073c60ed80_JaffaCakes118
SHA256 a5ee5b2c038b987e9f3f78fd8061b9722177aae1aa34eb1e66d6e574450b8174
Tags upx persistence spyware stealer
Score 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 7/10

SHA256 a5ee5b2c038b987e9f3f78fd8061b9722177aae1aa34eb1e66d6e574450b8174

Threat level: shows suspicious behavior

The file e39083f597818cfb8854ea073c60ed80_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

upx persistence spyware stealer

UPX packed file

Reads user/profile data of web browsers

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-04-06 23:41

Signatures

UPX packed file (tag: upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
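The static stage reports "UPX packed file" and "Unsigned PE" without any indicator detail. What a triage analyst actually looks at for the first verdict is the section table (stock UPX writes sections named UPX0/UPX1, and usually a "UPX!" marker in the header area) and the entropy of the section data, since compressed payloads sit close to 8 bits per byte. The script below is an added example, not code from the report or the sandbox vendor: it walks the MZ/PE/COFF headers with the standard library only, and `build_fake_pe` constructs a minimal, non-executable PE so the check runs offline; the 7.0 bits/byte threshold is a heuristic choice, not a value the report states. Signature checking for the "Unsigned PE" verdict is not covered here.

```python
import math
import struct
from collections import Counter

# Section names written by stock UPX builds; a renamed or modified packer will not show them.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(pe: bytes):
    """Walk MZ -> PE signature -> COFF header -> section table; yield (name, raw_size, raw_bytes)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size
    for i in range(num_sections):
        hdr = table + i * 40                       # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[hdr:hdr + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)
        yield name, raw_size, pe[raw_ptr:raw_ptr + raw_size]


def upx_indicators(pe: bytes) -> dict:
    """The evidence behind a 'UPX packed file' verdict: section names, marker, entropy."""
    names, high_entropy = [], []
    for name, size, data in pe_sections(pe):
        names.append(name)
        if size and shannon_entropy(data) > 7.0:   # heuristic: compressed data is near 8 bits/byte
            high_entropy.append(name)
    upx_names = [n for n in names if n in UPX_SECTION_NAMES]
    marker = b"UPX!" in pe                         # magic stock UPX leaves in the header area
    return {
        "sections": names,
        "upx_section_names": upx_names,
        "high_entropy_sections": high_entropy,
        "upx_marker": marker,
        "likely_upx": bool(upx_names) or marker,
    }


def build_fake_pe(sections) -> bytes:
    """Constructed test input: a minimal, non-executable PE with the given
    [(name, raw_bytes), ...] section layout and an empty optional header."""
    e_lfanew, opt_size = 0x40, 0
    table = e_lfanew + 4 + 20 + opt_size
    data_start = table + 40 * len(sections)
    hdr = bytearray(b"MZ" + b"\0" * (0x3C - 2)) + struct.pack("<I", e_lfanew)
    hdr += b"PE\0\0"
    # COFF: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    hdr += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    body = bytearray()
    for name, raw in sections:
        hdr += name.ljust(8, b"\0")
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        hdr += struct.pack("<IIII", len(raw), 0, len(raw), data_start + len(body))
        hdr += b"\0" * 16                          # relocations, line numbers, characteristics
        body += raw
    return bytes(hdr + body)


# Constructed samples, not the report's binaries: a UPX-style layout whose UPX1
# section holds uniform bytes (entropy 8.0), and a plain unpacked layout.
PACKED_SAMPLE = build_fake_pe([
    (b"UPX0", b""),
    (b"UPX1", bytes(range(256)) * 16),
    (b".rsrc", b"\0" * 256),
])
PLAIN_SAMPLE = build_fake_pe([
    (b".text", b"\x90" * 512 + b"\xc3"),
    (b".data", b"hello world\0" * 20),
])

if __name__ == "__main__":
    for label, blob in (("packed", PACKED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label, upx_indicators(blob))
```

UPX on its own is weak evidence: plenty of legitimate software ships UPX-packed, which is one reason the verdict here is "suspicious" rather than "malicious". For a stock build, `upx -d sample.exe` restores the original binary for static analysis; packers that rename the sections or patch the header defeat both the name check above and the stock unpacker, and the entropy signal is then the one that survives.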

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-06 23:41
Reported: 2024-04-06 23:43
Platform: win7-20240221-en
Max time kernel: 140s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e39083f597818cfb8854ea073c60ed80_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers (tags: spyware stealer)

UPX packed file (tag: upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (x6)

Adds Run key to start application (tag: persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\e39083f597818cfb8854ea073c60ed80_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\e39083f597818cfb8854ea073c60ed80_JaffaCakes118.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e39083f597818cfb8854ea073c60ed80_JaffaCakes118.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A
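The three behavioral signatures above form one chain: the sample in %TEMP% writes C:\Windows\CTS.exe, registers it under the Run key (via the WOW6432Node redirection, so a 32-bit image on 64-bit Windows), and the dropped copy then runs and re-asserts the same key. The same chain appears in the behavioral2 run on Windows 10. The script below is an added example, not the sandbox's rule set or its telemetry: it reimplements those three rules over a constructed, simplified Sysmon-like `EventID|key=value|...` log (event IDs 1, 11 and 13 as in Sysmon) and correlates "Executes dropped EXE" by remembering which images were created earlier in the trace. The file-drop rule here keys on executables placed directly in C:\Windows, which is narrower than the sandbox's wording may be.

```python
import re

# Run / RunOnce under any hive, with or without the WOW6432Node redirection the
# report shows for this sample.
RUN_KEY_RE = re.compile(
    r"\\software\\(?:wow6432node\\)?microsoft\\windows\\currentversion\\run(?:once)?\\[^\\]+$",
    re.IGNORECASE,
)
# Executable written straight into C:\Windows (narrower than "Drops file in
# Windows directory" as the sandbox may define it).
WINDOWS_ROOT_EXE_RE = re.compile(r"^c:\\windows\\[^\\]+\.exe$", re.IGNORECASE)

RULE_TAGS = {"Adds Run key to start application": "persistence"}


def parse_line(line: str) -> dict:
    """'13|Image=...|TargetObject=...' -> {'EventID': 13, 'Image': ..., ...}"""
    eid, *pairs = line.strip().split("|")
    event = {"EventID": int(eid)}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def norm(path: str) -> str:
    """Windows paths compare case-insensitively; drop surrounding quotes too."""
    return path.strip('"').lower()


def detect(lines):
    """Run the rules over events in order; return [(rule, process, indicator), ...]."""
    hits = []
    dropped = {}                        # normalized path -> image that created it
    for event in map(parse_line, lines):
        eid, image = event["EventID"], event.get("Image", "")
        if eid == 11:                   # FileCreate
            target = event["TargetFilename"]
            dropped[norm(target)] = image
            if WINDOWS_ROOT_EXE_RE.match(norm(target)):
                hits.append(("Drops file in Windows directory", image, target))
        elif eid == 13:                 # RegistryEvent, value set
            obj, details = event["TargetObject"], event.get("Details", "")
            if RUN_KEY_RE.search(obj) and re.search(r"\.exe\b", details, re.IGNORECASE):
                hits.append(("Adds Run key to start application", image, f'{obj} = "{details}"'))
        elif eid == 1:                  # ProcessCreate
            if norm(image) in dropped:  # the image was written earlier in this trace
                hits.append(("Executes dropped EXE", image, f"written by {dropped[norm(image)]}"))
    return hits


def tags(hits) -> list:
    """Collapse hits to the report-style tag list."""
    return sorted({RULE_TAGS[rule] for rule, _, _ in hits if rule in RULE_TAGS})


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e39083f597818cfb8854ea073c60ed80_JaffaCakes118.exe"
CTS = r"C:\Windows\CTS.exe"
EXPLORER = r"C:\Windows\explorer.exe"
RUN_CTS = r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS"

# Constructed event lines mirroring the behavioral1 indicators (not sandbox output);
# the last line is benign noise that no rule should fire on.
SAMPLE_LOG = [
    f"1|Image={SAMPLE}|ParentImage={EXPLORER}",
    f"11|Image={SAMPLE}|TargetFilename={CTS}",
    f"13|Image={SAMPLE}|TargetObject={RUN_CTS}|Details={CTS}",
    f"1|Image={CTS}|ParentImage={SAMPLE}",
    f"13|Image={CTS}|TargetObject={RUN_CTS}|Details={CTS}",
    r"11|Image=C:\Windows\System32\svchost.exe|TargetFilename=C:\Windows\Temp\x.tmp",
]

if __name__ == "__main__":
    for rule, process, indicator in detect(SAMPLE_LOG):
        print(f"{rule:<36} {process}  ->  {indicator}")
    print("tags:", tags(detect(SAMPLE_LOG)))
```

The correlation is what separates this from a string match: a process starting from C:\Windows is unremarkable by itself, but a process starting from a path that another user-land process wrote moments earlier is the report's "Executes dropped EXE". For response, the same facts give the cleanup list: delete the Run value, remove C:\Windows\CTS.exe, and note that SeDebugPrivilege was requested by both processes, so memory of the dropped copy is worth acquiring before termination.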

Processes

C:\Users\Admin\AppData\Local\Temp\e39083f597818cfb8854ea073c60ed80_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e39083f597818cfb8854ea073c60ed80_JaffaCakes118.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

memory/2524-1-0x0000000001110000-0x0000000001127000-memory.dmp

memory/2524-8-0x0000000001110000-0x0000000001127000-memory.dmp

C:\Windows\CTS.exe

MD5 5efd390d5f95c8191f5ac33c4db4b143
SHA1 42d81b118815361daa3007f1a40f1576e9a9e0bc
SHA256 6028434636f349d801465f77af3a1e387a9c5032942ca6cadb6506d0800f2a74
SHA512 720fbe253483dc034307a57a2860c8629a760f883603198d1213f5290b7f236bf0f5f237728ebed50962be83dc7dc4abe61a1e9a55218778495fc6580eb20b3d

memory/2524-11-0x00000000000E0000-0x00000000000F7000-memory.dmp

memory/1304-12-0x0000000000950000-0x0000000000967000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dVHNWLwlBSRaC9F.exe

MD5 5ae00aca4c6f3ff942d634fcb0faec00
SHA1 5e8f063541457e8b25a543a867675824419aaff9
SHA256 ff931cd2b623a69869e266c5f2c3e348743f65b10895d931ae930382a63c1349
SHA512 6cb433e6fb43207c605c430ef0b0e228ce097273c144513e37062652987f5ac49f6a0fba73011da9c1366bac2c56ae66dbbc07528a3592cb80a7dd5d926a0883

memory/2524-19-0x00000000000E0000-0x00000000000F7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-06 23:41
Reported: 2024-04-06 23:43
Platform: win10v2004-20240226-en
Max time kernel: 147s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e39083f597818cfb8854ea073c60ed80_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers (tags: spyware stealer)

UPX packed file (tag: upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (x6)

Adds Run key to start application (tag: persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\e39083f597818cfb8854ea073c60ed80_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\e39083f597818cfb8854ea073c60ed80_JaffaCakes118.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e39083f597818cfb8854ea073c60ed80_JaffaCakes118.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e39083f597818cfb8854ea073c60ed80_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e39083f597818cfb8854ea073c60ed80_JaffaCakes118.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.16.208.104.in-addr.arpa | udp
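Every row in this table is a reverse-DNS (PTR) query to 8.8.8.8; there are no forward lookups and no connections, and the Windows 7 run recorded no network activity at all. A PTR query only says that some process on the host asked for the name of an address, not that the sample connected to it, so before any of these become indicators they should be decoded and compared against a clean detonation of the same Windows 10 image. The script below is an added example, not part of the report: `NETWORK_ROWS` is a copy of the table, the decoding is standard in-addr.arpa label reversal, and the baseline network list passed to `unexplained` is something the analyst supplies (the one in the test is constructed, not a claim about who owns those ranges).

```python
import ipaddress

# Copied from the behavioral2 network table: (country, destination, query name, protocol).
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "58.55.71.13.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "105.83.221.88.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "133.32.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "209.205.72.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "50.23.12.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "198.187.3.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "172.210.232.199.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "145.83.221.88.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.16.208.104.in-addr.arpa", "udp"),
]


def ptr_to_ipv4(name: str) -> ipaddress.IPv4Address:
    """'58.55.71.13.in-addr.arpa' -> IPv4Address('13.71.55.58'); rejects partial zone names."""
    labels = name.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        raise ValueError(f"not a full IPv4 PTR name: {name!r}")
    # PTR labels are the octets in reverse order; IPv4Address validates each octet.
    return ipaddress.IPv4Address(".".join(reversed(labels[:4])))


def decode_ptr_queries(rows):
    """Unique addresses the host asked the resolver to reverse-resolve, sorted numerically."""
    seen = set()
    for _country, _destination, query, _proto in rows:
        if query.lower().endswith(".in-addr.arpa"):
            seen.add(ptr_to_ipv4(query))
    return sorted(seen)


def unexplained(addrs, baseline_networks):
    """Drop addresses inside networks already seen in a clean run of the same image.
    baseline_networks: iterable of CIDR strings collected by the analyst (none are
    hard-coded here; the report gives no baseline)."""
    nets = [ipaddress.ip_network(n) for n in baseline_networks]
    return [a for a in addrs if not any(a in n for n in nets)]


if __name__ == "__main__":
    for addr in decode_ptr_queries(NETWORK_ROWS):
        print(f"{addr!s:<16} <- {addr.reverse_pointer}")
```

Decoding gives nine distinct public addresses. The useful next step is not a reputation lookup on each but a diff against what the same sandbox image does on its own; whatever survives that diff, if anything, is what belongs in an indicator list, and a PTR-only trace like this one still would not show that the sample itself talked to any of them.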

Files

memory/2292-0-0x00000000009D0000-0x00000000009E7000-memory.dmp

C:\Windows\CTS.exe

MD5 5efd390d5f95c8191f5ac33c4db4b143
SHA1 42d81b118815361daa3007f1a40f1576e9a9e0bc
SHA256 6028434636f349d801465f77af3a1e387a9c5032942ca6cadb6506d0800f2a74
SHA512 720fbe253483dc034307a57a2860c8629a760f883603198d1213f5290b7f236bf0f5f237728ebed50962be83dc7dc4abe61a1e9a55218778495fc6580eb20b3d

memory/2292-7-0x00000000009D0000-0x00000000009E7000-memory.dmp

memory/1888-9-0x00000000007F0000-0x0000000000807000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 e5977b3a07f7ccaecd128061a0ee704b
SHA1 1cb104687e11a5f93c315ecbb01d4eb20b11f217
SHA256 e80cd780d87e66d28dc2f353632f1049cbad730d6658300d4615f1b03709a39a
SHA512 147e64bce944ad3fc959e9b2e1f9cd3fb22f69d8b55293593ee877687cc3e2b33d3d39d77761af3e50d0a1cb3b11dd1cad4c8d72239acb765bf2f3057a98837e

C:\Users\Admin\AppData\Local\Temp\wZBDFxxZF3Zk2ls.exe

MD5 1094c0b2fd987876e39b5e91e508aedf
SHA1 d99de7dca20ccfd8ad6f9bfaab1ded044231cc65
SHA256 1f8238bb7c33e6930d5de67c2c10488ea00e3bd4f7492907fbe9dadcbafaf94c
SHA512 a8006e3a156c914ac07446d04c54a778859522521f009f559d48a5caeda31942c503e93349f4f76a2ee18ab6203f111ddf62bfa64d8f08acae5ad1beb39f2cb5