Malware Analysis Report

2024-11-30 02:42

Sample ID 240407-vagpkshb2v
Target e564256b00733c6701b471ca83b05255_JaffaCakes118
SHA256 d64302c882d541229f5c3a87ea83043b6aa9187af3142863a09891cfb07ca2a7
Tags: persistence spyware stealer upx
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256

d64302c882d541229f5c3a87ea83043b6aa9187af3142863a09891cfb07ca2a7

Threat Level: Shows suspicious behavior

The file e564256b00733c6701b471ca83b05255_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

persistence spyware stealer upx

Reads user/profile data of web browsers

UPX packed file

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 16:46

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 16:46

Reported

2024-04-07 16:49

Platform

win7-20240221-en

Max time kernel

141s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e564256b00733c6701b471ca83b05255_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\e564256b00733c6701b471ca83b05255_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\e564256b00733c6701b471ca83b05255_JaffaCakes118.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e564256b00733c6701b471ca83b05255_JaffaCakes118.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e564256b00733c6701b471ca83b05255_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e564256b00733c6701b471ca83b05255_JaffaCakes118.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

memory/1756-0-0x00000000002F0000-0x0000000000307000-memory.dmp

memory/1756-8-0x00000000002F0000-0x0000000000307000-memory.dmp

C:\Windows\CTS.exe

MD5 70aa23c9229741a9b52e5ce388a883ac
SHA1 b42683e21e13de3f71db26635954d992ebe7119e
SHA256 9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2
SHA512 be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5

memory/1196-12-0x0000000000AB0000-0x0000000000AC7000-memory.dmp

memory/1756-11-0x00000000000E0000-0x00000000000F7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qdUwAQL9FSKNaGz.exe

MD5 88ca0ff5f25c9901a0af97fdc148f758
SHA1 f9299f7c62585a560ce450e3fd2f5ee6804d741d
SHA256 472be8e539b69b041b1c760751cb7cc24d2a520b6598f2369bcc522eeac993bf
SHA512 6420263fa1a1d8756ae0ba0581983269bf5299270328c7ab0e026ff8e5def29b528cbe7be89958b2abbcc6b9b09a24297c7ef931cbd1f1ae6e21f40f4db5a20d

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 16:46

Reported

2024-04-07 16:49

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

173s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e564256b00733c6701b471ca83b05255_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\e564256b00733c6701b471ca83b05255_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\e564256b00733c6701b471ca83b05255_JaffaCakes118.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e564256b00733c6701b471ca83b05255_JaffaCakes118.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e564256b00733c6701b471ca83b05255_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e564256b00733c6701b471ca83b05255_JaffaCakes118.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country | Destination | Domain | Proto
US | 20.231.121.79:80 | N/A | tcp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 17.143.109.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.173.79.40.in-addr.arpa | udp

Files

memory/4156-0-0x0000000000160000-0x0000000000177000-memory.dmp

C:\Windows\CTS.exe

MD5 70aa23c9229741a9b52e5ce388a883ac
SHA1 b42683e21e13de3f71db26635954d992ebe7119e
SHA256 9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2
SHA512 be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5

memory/4192-7-0x0000000000D40000-0x0000000000D57000-memory.dmp

memory/4156-9-0x0000000000160000-0x0000000000177000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 6006f77d38cf864a405cedad16d93c7a
SHA1 0cf6108dade10545a64e15ab38c3002ac9c65c39
SHA256 5b5a9b4579f5535b81931adaa94cf6be8fea00878a20b9b3a2fc5855432b158d
SHA512 67c60df516cd212e3f6d77d61e2b5fe87ea6da641366bc1272932d4cb3cafadd1d5b594ebd7f1b0be488fe7557dd2876fa9cc41865535af94c7eda69e1308049

C:\Users\Admin\AppData\Local\Temp\3FnUw3QAWnxriZn.exe

MD5 fe10d967502673b5be31dea4da1a6cf3
SHA1 679da05ca6db58040c94f4694553929ce39d2628
SHA256 3284533f79184d171aa5674e5a66abd640796407ca367e8bea0fb3020c775b24
SHA512 a0ea2bb4c578516556ea4796cf87b8f75e5b9ccf803893d1e59e59b74c236928520b8cd944a67a97a98d8fc61fb25f24d4fea703a511250d69d2a570670e748c

memory/4192-31-0x0000000000D40000-0x0000000000D57000-memory.dmp