Analysis

  • max time kernel
    140s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    07-04-2024 22:57

General

  • Target

    e60d29848b8f60da29efbc0efb820022_JaffaCakes118.exe

  • Size

    46KB

  • MD5

    e60d29848b8f60da29efbc0efb820022

  • SHA1

    78a45511d591deee841dcc5c9600d64a901fe232

  • SHA256

    5910523dd84c592fdf140cba6c8e0272504ef03ddbe93290a4009c1f31f18532

  • SHA512

    481e87ea058767aa55bf687dec140196a4192bcf3c8265c97583c9efba56252d024a67141bbc7e01d22aaa707c2fce77ef35003882657f537bf55e1d81c2cbd8

  • SSDEEP

    768:XocAX3LKew369lp2z3Sd4baFXLjwP/Tgj93b8NIocVSEFevLIsQl8a1OKVhryjAL:SKcR4mjD9r823Fist+a1vOAax2j

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e60d29848b8f60da29efbc0efb820022_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e60d29848b8f60da29efbc0efb820022_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2916
    • C:\Users\Admin\AppData\Local\Temp\75W8dfn4VfCrHfz.exe
      C:\Users\Admin\AppData\Local\Temp\75W8dfn4VfCrHfz.exe
      2⤵
      • Executes dropped EXE
      PID:2720
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:2536

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\75W8dfn4VfCrHfz.exe

    Filesize

    46KB

    MD5

    0fb809c0a6595defa6e0bd36905751c4

    SHA1

    10645f9ffa4a02fd29100ec595ca2aa8a52de44f

    SHA256

    c0c72e7b4ef3ec29e2a9708e67b9536ec1a4eb5c45354a12a6e7788b69804f93

    SHA512

    aebb5b895cf697e3b62355fe8c7964e48954f0f5c644a03a8a2b0511109f0ee08aa63b8152a6f41b068175ed2016a8f858c5cf34bdaa6e475795511fe0e9fca9

  • C:\Windows\CTS.exe

    Filesize

    29KB

    MD5

    70aa23c9229741a9b52e5ce388a883ac

    SHA1

    b42683e21e13de3f71db26635954d992ebe7119e

    SHA256

    9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2

    SHA512

    be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5

  • \Users\Admin\AppData\Local\Temp\75W8dfn4VfCrHfz.exe

    Filesize

    16KB

    MD5

    95c9a037d3b01a21275aa6cc73b122a2

    SHA1

    c19ed8afc95b91d0cc6bc075047de30eae015386

    SHA256

    1d5edcbae3258efb07cc57ba8d7cd1ebe2eb5106ef1a894b787ed2857952c523

    SHA512

    761bb76261712a597f610e3162fa1514d2f56d69d03d1b76b51c6b2a7b0c88bbd385b7dc849c6913f7d861fb3aed8551f26f640d90b621e8629abe2e4bfb6160

  • memory/2536-18-0x0000000000D60000-0x0000000000D77000-memory.dmp

    Filesize

    92KB

  • memory/2916-8-0x0000000000120000-0x0000000000137000-memory.dmp

    Filesize

    92KB

  • memory/2916-14-0x0000000000120000-0x0000000000137000-memory.dmp

    Filesize

    92KB

  • memory/2916-10-0x00000000000E0000-0x00000000000F7000-memory.dmp

    Filesize

    92KB

  • memory/2916-25-0x00000000000E0000-0x00000000000F7000-memory.dmp

    Filesize

    92KB