Analysis Overview
SHA256
5090357e800563f2a4bb6407ebb428bc12ea999fa35633adaa3c88d156fb2060
Threat Level: Shows suspicious behavior
The file e579b01fb68a98b3343be6842595e2a7_JaffaCakes118 was rated "Shows suspicious behavior".
Malicious Activity Summary
UPX packed file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 17:31
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
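The static1 verdict rests on the "UPX packed file" signature. As an added example (not code from the report or from the sample), the following Python parses a PE section table and applies two checks: the default UPX section names, and the structural UPX fingerprint that survives renaming (an empty first section reserved as the unpack area, followed by a near-random section holding the compressed image). The three PE images are constructed inside the block by a minimal builder; none of them is the analysed file, and the 7.0 bits/byte entropy threshold is an assumed cut-off.

```python
import hashlib
import math
import struct
from collections import Counter

# Default UPX section names; a rebuilt or renamed packer can change them, so the
# structural check in upx_indicators() does not rely on them alone.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX!"}


def pe_sections(data: bytes):
    """DOS header -> PE signature -> COFF header -> section table.
    Returns [(name, virtual_size, raw_size, raw_offset), ...]."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0")
        vsize, _vaddr, raw_size, raw_off = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, vsize, raw_size, raw_off))
    return sections


def shannon_entropy(buf: bytes) -> float:
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def upx_indicators(data: bytes) -> dict:
    """Name match plus the UPX layout fingerprint: the first section has no raw
    data but a large virtual size (the unpack area) and the packed section's
    bytes are near-random (entropy above 7 bits/byte, an assumed threshold)."""
    secs = pe_sections(data)
    names = sorted(n.decode() for n, *_ in secs if n in UPX_SECTION_NAMES)
    empty_first = bool(secs) and secs[0][2] == 0 and secs[0][1] > 0
    max_entropy = max((shannon_entropy(data[off:off + size])
                       for _, _, size, off in secs if size), default=0.0)
    return {
        "upx_section_names": names,
        "empty_first_section": empty_first,
        "max_section_entropy": round(max_entropy, 2),
        "likely_packed": bool(names) or (empty_first and max_entropy > 7.0),
    }


# ---- constructed test images; none of these is the analysed sample ----------

def _deterministic_bytes(n: int, seed: bytes = b"upx-demo") -> bytes:
    """Stand-in for compressed data: a SHA-256 chain, ~8 bits/byte of entropy."""
    out, h = b"", seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:n]


def build_pe(sections) -> bytes:
    """Assemble a minimal PE32 image from [(name, raw_bytes, virtual_size)]."""
    opt_size = 0xE0
    header_len = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    raw_base = (header_len + 0x1FF) & ~0x1FF            # 512-byte file alignment
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    table, body, vaddr = b"", b"", 0x1000
    for name, raw, vsize in sections:
        raw_off = raw_base + len(body) if raw else 0
        table += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", vsize, vaddr, len(raw), raw_off, 0, 0, 0, 0, 0xE0000040)
        body += raw
        vaddr += (vsize + 0xFFF) & ~0xFFF
    image = dos + b"PE\0\0" + coff + opt + table
    return image + b"\0" * (raw_base - len(image)) + body


PACKED_SAMPLE = build_pe([
    (b"UPX0", b"", 0x10000),                        # empty unpack area
    (b"UPX1", _deterministic_bytes(4096), 0x2000),  # "compressed" payload
    (b".rsrc", b"\0" * 512, 0x1000),
])
RENAMED_SAMPLE = build_pe([                          # same layout, names scrubbed
    (b".text", b"", 0x10000),
    (b".data", _deterministic_bytes(4096), 0x2000),
])
CLEAN_SAMPLE = build_pe([
    (b".text", b"\x55\x8b\xec\x90" * 256, 0x1000),  # repetitive, low-entropy code
    (b".data", b"\0" * 512, 0x1000),
])
```

Run `upx_indicators()` on a real file by passing `open(path, "rb").read()`. The renamed image is the case worth noting: a sandbox signature keyed only on section names misses it, while the empty-first-section plus high-entropy layout still fires.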
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 17:31
Reported
2024-04-07 17:33
Platform
win7-20240215-en
Max time kernel
140s
Max time network
118s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\h7NXRQjk9BgZZ1N.exe | N/A |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e579b01fb68a98b3343be6842595e2a7_JaffaCakes118.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\e579b01fb68a98b3343be6842595e2a7_JaffaCakes118.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\e579b01fb68a98b3343be6842595e2a7_JaffaCakes118.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e579b01fb68a98b3343be6842595e2a7_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2876 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\e579b01fb68a98b3343be6842595e2a7_JaffaCakes118.exe | C:\Windows\CTS.exe |
| PID 2876 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\e579b01fb68a98b3343be6842595e2a7_JaffaCakes118.exe | C:\Windows\CTS.exe |
| PID 2876 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\e579b01fb68a98b3343be6842595e2a7_JaffaCakes118.exe | C:\Windows\CTS.exe |
| PID 2876 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\e579b01fb68a98b3343be6842595e2a7_JaffaCakes118.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e579b01fb68a98b3343be6842595e2a7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e579b01fb68a98b3343be6842595e2a7_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\h7NXRQjk9BgZZ1N.exe
C:\Users\Admin\AppData\Local\Temp\h7NXRQjk9BgZZ1N.exe
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
Files
memory/2876-0-0x0000000000B40000-0x0000000000B57000-memory.dmp
\Users\Admin\AppData\Local\Temp\h7NXRQjk9BgZZ1N.exe
| MD5 | f310d4e936b68a5d76b7b808507e99f9 |
| SHA1 | 6dccf493508f97212688413bec28f86befbff8e2 |
| SHA256 | 58b7e175725ddf68a7a6c891889daaa3b7d4f90c14bfcff287cb3336cbd7da60 |
| SHA512 | daead56dfdd7b4a7a8fabdc6e12144273aae244aa90817d76281e5a7414e3f07ca2761f481bda91a47fc3c1c911ff1783e7421e566e3b3fc59b443de141d9e5d |
C:\Windows\CTS.exe
| MD5 | 5efd390d5f95c8191f5ac33c4db4b143 |
| SHA1 | 42d81b118815361daa3007f1a40f1576e9a9e0bc |
| SHA256 | 6028434636f349d801465f77af3a1e387a9c5032942ca6cadb6506d0800f2a74 |
| SHA512 | 720fbe253483dc034307a57a2860c8629a760f883603198d1213f5290b7f236bf0f5f237728ebed50962be83dc7dc4abe61a1e9a55218778495fc6580eb20b3d |
memory/2504-15-0x00000000012A0000-0x00000000012B7000-memory.dmp
memory/2876-13-0x00000000000E0000-0x00000000000F7000-memory.dmp
memory/2876-11-0x0000000000B40000-0x0000000000B57000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\h7NXRQjk9BgZZ1N.exe
| MD5 | a88dea435e60dff7dde4ae4540abf44f |
| SHA1 | 49f0041b489da9fc7060368b70281243830fbf0d |
| SHA256 | de104878e6dba4a74745d2c7fc714860e54c41665c9342daa4981acf4beb03cc |
| SHA512 | ee8f04e31d6f316edc838ded1015eb73dc2e578d3f1a0c5a481fbe0976d94b66d0d8b9c0668499db4c30b058df922edb473e746a5808a45dee4845356c96d350 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 17:31
Reported
2024-04-07 17:33
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ii5iRx3bKihfO8v.exe | N/A |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\e579b01fb68a98b3343be6842595e2a7_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\e579b01fb68a98b3343be6842595e2a7_JaffaCakes118.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e579b01fb68a98b3343be6842595e2a7_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3952 wrote to memory of 3620 | N/A | C:\Users\Admin\AppData\Local\Temp\e579b01fb68a98b3343be6842595e2a7_JaffaCakes118.exe | C:\Windows\CTS.exe |
| PID 3952 wrote to memory of 3620 | N/A | C:\Users\Admin\AppData\Local\Temp\e579b01fb68a98b3343be6842595e2a7_JaffaCakes118.exe | C:\Windows\CTS.exe |
| PID 3952 wrote to memory of 3620 | N/A | C:\Users\Admin\AppData\Local\Temp\e579b01fb68a98b3343be6842595e2a7_JaffaCakes118.exe | C:\Windows\CTS.exe |
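Both detonations (behavioral1 and behavioral2) show the same chain: the sample in the user's Temp directory creates C:\Windows\CTS.exe, registers that path under the HKLM Run key, and then writes into the CTS.exe process. As an added example (not code from the report or the sample), the following Python runs that detection logic over constructed events. The event dictionaries use Sysmon field names (EventID 13 registry value set, 11 file create, 10 process access) as an assumed format; their contents are paraphrased from the signature tables above, except the GrantedAccess mask and the two benign noise events, which are invented for the demonstration.

```python
import ntpath
import re

PROCESS_VM_WRITE = 0x0020                     # access right WriteProcessMemory needs
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)


def in_user_temp(path: str) -> bool:
    return bool(TEMP_DIR_RE.search(path))


def in_windows_root(path: str) -> bool:
    """True only for files directly under C:\\Windows (not System32, Temp, ...)."""
    return ntpath.dirname(path).lower() == r"c:\windows"


def triage(events):
    """Return (rule, actor_image, object, value) for every event that matches."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 13 and RUN_KEY_RE.search(ev["TargetObject"]):
            target = ev["Details"].strip('"')   # the report renders the value quoted
            if in_windows_root(target) or in_user_temp(ev["Image"]):
                findings.append(("suspicious_run_key", ev["Image"], ev["TargetObject"], target))
        elif eid == 11 and in_windows_root(ev["TargetFilename"]) and in_user_temp(ev["Image"]):
            findings.append(("temp_drops_into_windows_root", ev["Image"], ev["TargetFilename"], ""))
        elif eid == 10:
            src, dst = ev["SourceImage"], ev["TargetImage"]
            if (int(ev["GrantedAccess"], 16) & PROCESS_VM_WRITE
                    and in_user_temp(src) and src.lower() != dst.lower()):
                findings.append(("temp_process_writes_remote_memory", src, dst, ""))
    return findings


def correlate(findings):
    """Group rules by the artifact they share; several rules on one path
    (dropped, then persisted, then written to) is the chain in the report."""
    by_artifact = {}
    for rule, _image, obj, value in findings:
        by_artifact.setdefault((value or obj).lower(), set()).add(rule)
    return {path: rules for path, rules in by_artifact.items() if len(rules) > 1}


# Constructed events (not a real Sysmon export). The first three restate the
# behavioral signatures; the GrantedAccess mask is assumed. The last two are
# benign noise that the rules must not flag.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e579b01fb68a98b3343be6842595e2a7_JaffaCakes118.exe"
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": r"C:\Windows\CTS.exe"},
    {"EventID": 13, "Image": SAMPLE,
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS",
     "Details": r"C:\Windows\CTS.exe"},
    {"EventID": 10, "SourceImage": SAMPLE, "TargetImage": r"C:\Windows\CTS.exe",
     "GrantedAccess": "0x1FFFFF"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Temp\update.log"},
]
```

The `in_windows_root` check is deliberately narrow: legitimate installers write under C:\Windows\System32 or C:\Windows\Temp, while a loose executable placed directly in C:\Windows (as CTS.exe is here) is rare enough to alert on. `correlate()` is what turns three medium-confidence hits into one high-confidence chain, since all three rules resolve to the same path.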
Processes
C:\Users\Admin\AppData\Local\Temp\e579b01fb68a98b3343be6842595e2a7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e579b01fb68a98b3343be6842595e2a7_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\ii5iRx3bKihfO8v.exe
C:\Users\Admin\AppData\Local\Temp\ii5iRx3bKihfO8v.exe
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| GB | 23.44.234.16:80 | | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.16.208.104.in-addr.arpa | udp |
Files
memory/3952-0-0x0000000000CA0000-0x0000000000CB7000-memory.dmp
C:\Windows\CTS.exe
| MD5 | 5efd390d5f95c8191f5ac33c4db4b143 |
| SHA1 | 42d81b118815361daa3007f1a40f1576e9a9e0bc |
| SHA256 | 6028434636f349d801465f77af3a1e387a9c5032942ca6cadb6506d0800f2a74 |
| SHA512 | 720fbe253483dc034307a57a2860c8629a760f883603198d1213f5290b7f236bf0f5f237728ebed50962be83dc7dc4abe61a1e9a55218778495fc6580eb20b3d |
memory/3952-7-0x0000000000CA0000-0x0000000000CB7000-memory.dmp
memory/3620-9-0x0000000000FB0000-0x0000000000FC7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ii5iRx3bKihfO8v.exe
| MD5 | f310d4e936b68a5d76b7b808507e99f9 |
| SHA1 | 6dccf493508f97212688413bec28f86befbff8e2 |
| SHA256 | 58b7e175725ddf68a7a6c891889daaa3b7d4f90c14bfcff287cb3336cbd7da60 |
| SHA512 | daead56dfdd7b4a7a8fabdc6e12144273aae244aa90817d76281e5a7414e3f07ca2761f481bda91a47fc3c1c911ff1783e7421e566e3b3fc59b443de141d9e5d |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| MD5 | e190fccd9c888ecf7a9b07d46594844c |
| SHA1 | 2aa844fef724116c0bbaa2814af8cfb46f59886a |
| SHA256 | 5a91167c1ffba231b40ad41fb076aba7690e8cd15ee3bc8bf083c94d80b97c91 |
| SHA512 | fefa8e5fddc2dd143cad7d2846d9756f81e60d24dcc53a2af468d19489b041ba08f1c304b000c3953301a4d532ab4219d95be9e862f926e420b156768a222755 |
C:\Users\Admin\AppData\Local\Temp\ii5iRx3bKihfO8v.exe
| MD5 | 7d1e401eca3e317e6a61dd0c767ca4e8 |
| SHA1 | 874ec867266a89a34939c0ae9fb749dbc54fe8c4 |
| SHA256 | a8e1bfc490bb01478bbb8bbf093e08d792bfe369bf0fd97b30eed06d6135da73 |
| SHA512 | d2f99ab1991f56f960bceaf1935ddc39474518ec04eec5009f5ec47124a1a2d44c079cddd3c6d2a10fb038cc0958c7f4528648f78c8b56baf9b8e42feb2eda6a |