Malware Analysis Report

2024-11-15 06:11

Sample ID 240407-3nvglaab94
Target e621fbd0c6b41ecd47d1df908bf64b6f_JaffaCakes118
SHA256 b2f85382735465316389d8684ce99cc8e922e3746ac555b5c97743e7f21446d2
Tags
persistence spyware stealer upx
score
7/10


Analysis Overview

Threat Level: Shows suspicious behavior

The file e621fbd0c6b41ecd47d1df908bf64b6f_JaffaCakes118 was classified as showing suspicious behavior (score 7/10).

Malicious Activity Summary

persistence spyware stealer upx

Executes dropped EXE

Reads user/profile data of web browsers

UPX packed file

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 23:40

Signatures

UPX packed file

upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 23:40

Reported

2024-04-07 23:42

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e621fbd0c6b41ecd47d1df908bf64b6f_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (7 matches, no details recorded)

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\e621fbd0c6b41ecd47d1df908bf64b6f_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\e621fbd0c6b41ecd47d1df908bf64b6f_JaffaCakes118.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e621fbd0c6b41ecd47d1df908bf64b6f_JaffaCakes118.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e621fbd0c6b41ecd47d1df908bf64b6f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e621fbd0c6b41ecd47d1df908bf64b6f_JaffaCakes118.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 130.118.77.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 99.56.20.217.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 218.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.173.189.20.in-addr.arpa | udp

Files

memory/3816-0-0x0000000000550000-0x0000000000567000-memory.dmp

C:\Windows\CTS.exe

MD5 70aa23c9229741a9b52e5ce388a883ac
SHA1 b42683e21e13de3f71db26635954d992ebe7119e
SHA256 9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2
SHA512 be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5

memory/4984-7-0x0000000000B70000-0x0000000000B87000-memory.dmp

memory/3816-9-0x0000000000550000-0x0000000000567000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 632f7fae0f6c464b97a52ca19d61cfcd
SHA1 086745bb53182f399a2949e60ee28314bd9c2b3c
SHA256 e784f397ee00c4766e919e0f9d481e3bccb216a32758e16d9564cc2d8d2e59e8
SHA512 9178933be47bb63ef36335c31bd97be4f6eb4fe8167a495c469211ca3f5348774e776193116623f5ab67d5f2ae36b37c25eb28fb663aaabac560fabfa887d6c2

C:\Users\Admin\AppData\Local\Temp\enAiZ17QQd0AmP4.exe

MD5 21f177fa6d04e95f00bdcd2587796cfc
SHA1 bd92414af8ff38222238cba1a0db03abaa3638ba
SHA256 dc58cf041e82aa033ee6c32fea7f11ace73d3a36fa0e80a8e6c4f896e574ac5e
SHA512 07e6cf047150236670c44c0e8206349d404b44e3f36175a4c25cffcf78c698df335479b8132b204b0a7375df4a26992d09d025245ccf8ccf0e7ce46c92f8ab51

memory/4984-31-0x0000000000B70000-0x0000000000B87000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 23:40

Reported

2024-04-07 23:42

Platform

win7-20240221-en

Max time kernel

141s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e621fbd0c6b41ecd47d1df908bf64b6f_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (5 matches, no details recorded)

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\e621fbd0c6b41ecd47d1df908bf64b6f_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\e621fbd0c6b41ecd47d1df908bf64b6f_JaffaCakes118.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e621fbd0c6b41ecd47d1df908bf64b6f_JaffaCakes118.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e621fbd0c6b41ecd47d1df908bf64b6f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e621fbd0c6b41ecd47d1df908bf64b6f_JaffaCakes118.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

memory/2856-1-0x00000000012B0000-0x00000000012C7000-memory.dmp

memory/2856-8-0x00000000012B0000-0x00000000012C7000-memory.dmp

C:\Windows\CTS.exe

MD5 70aa23c9229741a9b52e5ce388a883ac
SHA1 b42683e21e13de3f71db26635954d992ebe7119e
SHA256 9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2
SHA512 be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5

memory/1456-12-0x0000000000350000-0x0000000000367000-memory.dmp

memory/2856-9-0x0000000000350000-0x0000000000367000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yOo4nOHhlmtdaL0.exe

MD5 3f83c1e6595d86649cc5b4f696c920fe
SHA1 56ae96c66982dded3a66b20692d1edc9072a35f1
SHA256 0247325df19fb404a28585b2afbd27145d72b826a7e8fab1dcb1f77d90bfa107
SHA512 d9fca3aafe6cdd6a387fdce847a76e656a82bd48d88e132273dbf42250f1b9088fe340ad3309e29e5049d179c0161e79b34ba7db7184556f114a461734558d19