79fe90ff4ac1f24d4f0305d1f31adcb2cb276d1b6a6260e547a8e7ec81c104e5

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2024, 10:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e254e285f1729936cf9e30e1c098271c_JaffaCakes118.exe
Size

88KB
MD5

e254e285f1729936cf9e30e1c098271c
SHA1

653cf3782b7b9129a98c6fbad8cf885fe0bde227
SHA256

79fe90ff4ac1f24d4f0305d1f31adcb2cb276d1b6a6260e547a8e7ec81c104e5
SHA512

1f3c5de3148a3b6b9dbc9fa49fd2591670bc08a18563c59c1cf8361eef65bd5293267d6bd58a6b1b52819f1938af52c74a103eeaa1055117729dae9ad25fcc03
SSDEEP

1536:scNjQlsWjcdiTuXbELbGn82i+beo/47Og:vjr5ELbGnzi+ao/Cf

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2628	CTS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/724-0-0x0000000000B00000-0x0000000000B19000-memory.dmp	upx
behavioral2/files/0x00080000000231fa-6.dat	upx
behavioral2/memory/724-7-0x0000000000B00000-0x0000000000B19000-memory.dmp	upx
behavioral2/memory/2628-9-0x0000000000550000-0x0000000000569000-memory.dmp	upx
behavioral2/files/0x000600000002275d-12.dat	upx
behavioral2/files/0x00090000000231f7-29.dat	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	e254e285f1729936cf9e30e1c098271c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	e254e285f1729936cf9e30e1c098271c_JaffaCakes118.exe
File created	C:\Windows\CTS.exe	CTS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	724	e254e285f1729936cf9e30e1c098271c_JaffaCakes118.exe
Token: SeDebugPrivilege	2628	CTS.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 724 wrote to memory of 2628	724	e254e285f1729936cf9e30e1c098271c_JaffaCakes118.exe	85
PID 724 wrote to memory of 2628	724	e254e285f1729936cf9e30e1c098271c_JaffaCakes118.exe	85
PID 724 wrote to memory of 2628	724	e254e285f1729936cf9e30e1c098271c_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\e254e285f1729936cf9e30e1c098271c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e254e285f1729936cf9e30e1c098271c_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:724
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
404KB

MD5
3dc15cafe67496a5bf7b9d1b3340b051

SHA1
242753618529d89037ea6bd7fbd96f6eb37b1e13

SHA256
69f6f44f5ff2377d2be5814c0d19e0885b051f06b24ee48c60c5534096f96926

SHA512
757f64b151ade44eda5a41de190707411b2109a088397a5874e8564b3eab01d9037805798e5baf3e99922d2212f9bc7302c2c5832a1a5a9cfe42dcc84e3141ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\sjvIHBWPk5Entd5.exe

Filesize
88KB

MD5
2fea75cc31557ee2e4f21dc654e4af18

SHA1
be36241c2b56eaefb3b3ee45ebf2d5821038d95c

SHA256
e08b0b8937b45ce050f78174b01d550a65701d1c94126b672b5ab0b660014094

SHA512
73a5cebdeba8a58949994228d08709d1277059f8ca3cc1a7b2cd6b9cb4fcaf50b240a5b7ad8c4ad33ce54ab8916c948f60aee81a4b1bd074d40e880e948d9689

Download Submit
C:\Windows\CTS.exe

Filesize
82KB

MD5
796f4df6e89c638054b20b09ba1f28e5

SHA1
80e5f4e74a798f180f27f9b3dccb3c7461511d7d

SHA256
3293c5e8c2a49b5c7e2ba41c33e49d894137e25b672f19df5100bb9042bda402

SHA512
687860ab619a797cf2d459b0b3324bfca2f5c2b5eb92b2114b423326e1d56e872022000b4402687382c66c3ccf7d061a7f4fd0cf9cafcd5417fb6e096d7e1887

Download Submit
memory/724-0-0x0000000000B00000-0x0000000000B19000-memory.dmp

Filesize
100KB

Download
memory/724-7-0x0000000000B00000-0x0000000000B19000-memory.dmp

Filesize
100KB

Download
memory/2628-9-0x0000000000550000-0x0000000000569000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads