Analysis
-
max time kernel
140s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
07-04-2024 16:55
Behavioral task
behavioral1
Sample
e568985688cde6ece09927298a84ec01_JaffaCakes118.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
e568985688cde6ece09927298a84ec01_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
e568985688cde6ece09927298a84ec01_JaffaCakes118.exe
-
Size
477KB
-
MD5
e568985688cde6ece09927298a84ec01
-
SHA1
10213f029178c06e68ea97f29d9dc4d37841c012
-
SHA256
55d263a218f2ca5c687e4b0821916a75ca9600c8eab42d3fa86020edb3b4322f
-
SHA512
1f12821ed7e66ea9c95a7b8d7532cfe3586710c5fa23e5d3e0ffec61f45d691d506f15cc7991ef6fc846d66c683e149f3178c22a4701ff6c3d677476166087c3
-
SSDEEP
12288:h2LlVelDMjEZ6AhhAOfJ06eoajalEunBAu4m:h2LlVCDMjtHAJ061QI2uh
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
2l2eyr2uGf8gCTu.exeCTS.exepid Process 2828 2l2eyr2uGf8gCTu.exe 2608 CTS.exe -
Loads dropped DLL 2 IoCs
Processes:
e568985688cde6ece09927298a84ec01_JaffaCakes118.exepid Process 2156 e568985688cde6ece09927298a84ec01_JaffaCakes118.exe 2156 e568985688cde6ece09927298a84ec01_JaffaCakes118.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule behavioral1/memory/2156-0-0x0000000000A10000-0x0000000000A27000-memory.dmp upx behavioral1/memory/2156-15-0x0000000000A10000-0x0000000000A27000-memory.dmp upx behavioral1/memory/2608-20-0x00000000012B0000-0x00000000012C7000-memory.dmp upx behavioral1/files/0x000c00000001225d-18.dat upx behavioral1/memory/2156-11-0x00000000000E0000-0x00000000000F7000-memory.dmp upx -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
e568985688cde6ece09927298a84ec01_JaffaCakes118.exeCTS.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" e568985688cde6ece09927298a84ec01_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" CTS.exe -
Drops file in Windows directory 2 IoCs
Processes:
CTS.exee568985688cde6ece09927298a84ec01_JaffaCakes118.exedescription ioc Process File created C:\Windows\CTS.exe CTS.exe File created C:\Windows\CTS.exe e568985688cde6ece09927298a84ec01_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
e568985688cde6ece09927298a84ec01_JaffaCakes118.exeCTS.exedescription pid Process Token: SeDebugPrivilege 2156 e568985688cde6ece09927298a84ec01_JaffaCakes118.exe Token: SeDebugPrivilege 2608 CTS.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
e568985688cde6ece09927298a84ec01_JaffaCakes118.exedescription pid Process procid_target PID 2156 wrote to memory of 2828 2156 e568985688cde6ece09927298a84ec01_JaffaCakes118.exe 28 PID 2156 wrote to memory of 2828 2156 e568985688cde6ece09927298a84ec01_JaffaCakes118.exe 28 PID 2156 wrote to memory of 2828 2156 e568985688cde6ece09927298a84ec01_JaffaCakes118.exe 28 PID 2156 wrote to memory of 2828 2156 e568985688cde6ece09927298a84ec01_JaffaCakes118.exe 28 PID 2156 wrote to memory of 2608 2156 e568985688cde6ece09927298a84ec01_JaffaCakes118.exe 29 PID 2156 wrote to memory of 2608 2156 e568985688cde6ece09927298a84ec01_JaffaCakes118.exe 29 PID 2156 wrote to memory of 2608 2156 e568985688cde6ece09927298a84ec01_JaffaCakes118.exe 29 PID 2156 wrote to memory of 2608 2156 e568985688cde6ece09927298a84ec01_JaffaCakes118.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\e568985688cde6ece09927298a84ec01_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e568985688cde6ece09927298a84ec01_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Users\Admin\AppData\Local\Temp\2l2eyr2uGf8gCTu.exeC:\Users\Admin\AppData\Local\Temp\2l2eyr2uGf8gCTu.exe2⤵
- Executes dropped EXE
PID:2828
-
-
C:\Windows\CTS.exe"C:\Windows\CTS.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2608
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
29KB
MD570aa23c9229741a9b52e5ce388a883ac
SHA1b42683e21e13de3f71db26635954d992ebe7119e
SHA2569d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2
SHA512be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5
-
Filesize
447KB
MD53f461ca3e3d9da036cf1a4a06ddf4fb4
SHA115395e4b656cee3a708bc50c1094e3fa0c46802e
SHA256cd8e84c1f8d1ee3a7014343e3fb236329d2b67c1ec233ea4b208d99e3f95105b
SHA512d0cb3f56db648c9ee151990260a864cdcd0d508a1dafcd741d8b2ccd8f73ba29607f384a4e2752502419cfd4a41d2288d7c3ffec93925be85fc39dad9c01e7f5