Malware Analysis Report

2024-11-30 02:39

Sample ID 240407-v3nnlahh3v
Target e579b01fb68a98b3343be6842595e2a7_JaffaCakes118
SHA256 5090357e800563f2a4bb6407ebb428bc12ea999fa35633adaa3c88d156fb2060
Tags
upx persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
7/10

SHA256

5090357e800563f2a4bb6407ebb428bc12ea999fa35633adaa3c88d156fb2060

Threat Level: Shows suspicious behavior

The file e579b01fb68a98b3343be6842595e2a7_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

upx persistence spyware stealer

UPX packed file

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 17:31

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 17:31

Reported

2024-04-07 17:33

Platform

win7-20240215-en

Max time kernel

140s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e579b01fb68a98b3343be6842595e2a7_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\h7NXRQjk9BgZZ1N.exe | N/A
N/A | N/A | C:\Windows\CTS.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e579b01fb68a98b3343be6842595e2a7_JaffaCakes118.exe | N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\e579b01fb68a98b3343be6842595e2a7_JaffaCakes118.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\e579b01fb68a98b3343be6842595e2a7_JaffaCakes118.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e579b01fb68a98b3343be6842595e2a7_JaffaCakes118.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e579b01fb68a98b3343be6842595e2a7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e579b01fb68a98b3343be6842595e2a7_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\h7NXRQjk9BgZZ1N.exe

C:\Users\Admin\AppData\Local\Temp\h7NXRQjk9BgZZ1N.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

memory/2876-0-0x0000000000B40000-0x0000000000B57000-memory.dmp

\Users\Admin\AppData\Local\Temp\h7NXRQjk9BgZZ1N.exe

MD5 f310d4e936b68a5d76b7b808507e99f9
SHA1 6dccf493508f97212688413bec28f86befbff8e2
SHA256 58b7e175725ddf68a7a6c891889daaa3b7d4f90c14bfcff287cb3336cbd7da60
SHA512 daead56dfdd7b4a7a8fabdc6e12144273aae244aa90817d76281e5a7414e3f07ca2761f481bda91a47fc3c1c911ff1783e7421e566e3b3fc59b443de141d9e5d

C:\Windows\CTS.exe

MD5 5efd390d5f95c8191f5ac33c4db4b143
SHA1 42d81b118815361daa3007f1a40f1576e9a9e0bc
SHA256 6028434636f349d801465f77af3a1e387a9c5032942ca6cadb6506d0800f2a74
SHA512 720fbe253483dc034307a57a2860c8629a760f883603198d1213f5290b7f236bf0f5f237728ebed50962be83dc7dc4abe61a1e9a55218778495fc6580eb20b3d

memory/2504-15-0x00000000012A0000-0x00000000012B7000-memory.dmp

memory/2876-13-0x00000000000E0000-0x00000000000F7000-memory.dmp

memory/2876-11-0x0000000000B40000-0x0000000000B57000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\h7NXRQjk9BgZZ1N.exe

MD5 a88dea435e60dff7dde4ae4540abf44f
SHA1 49f0041b489da9fc7060368b70281243830fbf0d
SHA256 de104878e6dba4a74745d2c7fc714860e54c41665c9342daa4981acf4beb03cc
SHA512 ee8f04e31d6f316edc838ded1015eb73dc2e578d3f1a0c5a481fbe0976d94b66d0d8b9c0668499db4c30b058df922edb473e746a5808a45dee4845356c96d350

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 17:31

Reported

2024-04-07 17:33

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e579b01fb68a98b3343be6842595e2a7_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ii5iRx3bKihfO8v.exe | N/A
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\e579b01fb68a98b3343be6842595e2a7_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\e579b01fb68a98b3343be6842595e2a7_JaffaCakes118.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e579b01fb68a98b3343be6842595e2a7_JaffaCakes118.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e579b01fb68a98b3343be6842595e2a7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e579b01fb68a98b3343be6842595e2a7_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\ii5iRx3bKihfO8v.exe

C:\Users\Admin\AppData\Local\Temp\ii5iRx3bKihfO8v.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
GB | 23.44.234.16:80 | | tcp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 99.56.20.217.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.16.208.104.in-addr.arpa | udp

Files

memory/3952-0-0x0000000000CA0000-0x0000000000CB7000-memory.dmp

C:\Windows\CTS.exe

MD5 5efd390d5f95c8191f5ac33c4db4b143
SHA1 42d81b118815361daa3007f1a40f1576e9a9e0bc
SHA256 6028434636f349d801465f77af3a1e387a9c5032942ca6cadb6506d0800f2a74
SHA512 720fbe253483dc034307a57a2860c8629a760f883603198d1213f5290b7f236bf0f5f237728ebed50962be83dc7dc4abe61a1e9a55218778495fc6580eb20b3d

memory/3952-7-0x0000000000CA0000-0x0000000000CB7000-memory.dmp

memory/3620-9-0x0000000000FB0000-0x0000000000FC7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ii5iRx3bKihfO8v.exe

MD5 f310d4e936b68a5d76b7b808507e99f9
SHA1 6dccf493508f97212688413bec28f86befbff8e2
SHA256 58b7e175725ddf68a7a6c891889daaa3b7d4f90c14bfcff287cb3336cbd7da60
SHA512 daead56dfdd7b4a7a8fabdc6e12144273aae244aa90817d76281e5a7414e3f07ca2761f481bda91a47fc3c1c911ff1783e7421e566e3b3fc59b443de141d9e5d

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 e190fccd9c888ecf7a9b07d46594844c
SHA1 2aa844fef724116c0bbaa2814af8cfb46f59886a
SHA256 5a91167c1ffba231b40ad41fb076aba7690e8cd15ee3bc8bf083c94d80b97c91
SHA512 fefa8e5fddc2dd143cad7d2846d9756f81e60d24dcc53a2af468d19489b041ba08f1c304b000c3953301a4d532ab4219d95be9e862f926e420b156768a222755

C:\Users\Admin\AppData\Local\Temp\ii5iRx3bKihfO8v.exe

MD5 7d1e401eca3e317e6a61dd0c767ca4e8
SHA1 874ec867266a89a34939c0ae9fb749dbc54fe8c4
SHA256 a8e1bfc490bb01478bbb8bbf093e08d792bfe369bf0fd97b30eed06d6135da73
SHA512 d2f99ab1991f56f960bceaf1935ddc39474518ec04eec5009f5ec47124a1a2d44c079cddd3c6d2a10fb038cc0958c7f4528648f78c8b56baf9b8e42feb2eda6a