Malware Analysis Report

2024-11-30 02:43

Sample ID 240407-ve652ahc4s
Target e568985688cde6ece09927298a84ec01_JaffaCakes118
SHA256 55d263a218f2ca5c687e4b0821916a75ca9600c8eab42d3fa86020edb3b4322f
Tags
upx persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

55d263a218f2ca5c687e4b0821916a75ca9600c8eab42d3fa86020edb3b4322f

Threat Level: Shows suspicious behavior

The file e568985688cde6ece09927298a84ec01_JaffaCakes118 was classified as: Shows suspicious behavior.

Malicious Activity Summary

upx persistence spyware stealer

Loads dropped DLL

Reads user/profile data of web browsers

UPX packed file

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 16:55

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 16:55

Reported

2024-04-07 16:57

Platform

win7-20240220-en

Max time kernel

140s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e568985688cde6ece09927298a84ec01_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2l2eyr2uGf8gCTu.exe | N/A
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\e568985688cde6ece09927298a84ec01_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\e568985688cde6ece09927298a84ec01_JaffaCakes118.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e568985688cde6ece09927298a84ec01_JaffaCakes118.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e568985688cde6ece09927298a84ec01_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e568985688cde6ece09927298a84ec01_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\2l2eyr2uGf8gCTu.exe

C:\Users\Admin\AppData\Local\Temp\2l2eyr2uGf8gCTu.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"
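The signature rows and process list above describe one chain: the sample, running from the user's Temp directory, writes C:\Windows\CTS.exe, registers it under the HKLM Run key, and the dropped copy then starts and repeats both steps. The detection logic below is an added example, not part of the report or the sandbox's own signatures. It walks an event stream in Sysmon field naming (EventID 1 ProcessCreate, 11 FileCreate, 13 RegistryEvent SetValue) and ties each Run-key write back to the process that wrote the target file. The events are constructed for the example: PIDs 2156 and 2608 are the ones in the behavioral1 memory-dump names, PIDs 2400 and 3100 and the benign installer event are invented.

```python
r"""Detection for the drop-to-Windows-plus-Run-key chain seen in behavioral1.
Events use Sysmon field names; every record in SAMPLE_EVENTS is constructed
for this example, modelled on the signature rows, not taken from a real log.
"""
import re
from dataclasses import dataclass

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
WINDIR_EXE_RE = re.compile(r"^C:\\Windows\\[^\\]+\.exe$", re.IGNORECASE)

# Paths from the report; the registry path uses Sysmon's HKLM spelling.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\e568985688cde6ece09927298a84ec01_JaffaCakes118.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\2l2eyr2uGf8gCTu.exe"
CTS = r"C:\Windows\CTS.exe"
RUN_CTS = r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS"


@dataclass
class Finding:
    rule: str
    pid: int
    image: str
    detail: str


def detect(events):
    """Walk events in order and return Finding objects.

    created_by remembers the last writer of each file, so a later
    ProcessCreate of that file ("executes dropped EXE") and a Run value that
    points at a file the same process just wrote can be tied to the writer.
    """
    findings = []
    created_by = {}  # lowercase path -> (pid, image) of the last writer
    for ev in events:
        pid, image = ev["ProcessId"], ev["Image"]
        if ev["EventID"] == 11:
            path = ev["TargetFilename"]
            created_by[path.lower()] = (pid, image)
            if TEMP_DIR_RE.search(image) and WINDIR_EXE_RE.match(path):
                findings.append(Finding("temp_process_writes_windir_exe", pid, image, path))
        elif ev["EventID"] == 1:
            writer = created_by.get(image.lower())
            if writer and writer[0] != pid:
                findings.append(Finding("executes_dropped_exe", pid, image,
                                        "written by pid %d (%s)" % writer))
        elif ev["EventID"] == 13 and RUN_KEY_RE.search(ev["TargetObject"]):
            target = ev["Details"].strip('"').lower()
            writer = created_by.get(target)
            if writer and writer[0] == pid:
                rule = "run_key_points_at_self_dropped_file"
            elif target == image.lower():
                rule = "run_key_points_at_own_image"
            else:
                rule = "run_key_set"  # needs context; installers do this too
            findings.append(Finding(rule, pid, image,
                                    "%s = %s" % (ev["TargetObject"], ev["Details"])))
    return findings


# Constructed event stream: PIDs 2156/2608 match the behavioral1 memory dumps,
# 2400 and 3100 are invented, and the final installer event is a benign decoy.
SAMPLE_EVENTS = [
    {"EventID": 11, "ProcessId": 2156, "Image": DROPPER, "TargetFilename": CTS},
    {"EventID": 13, "ProcessId": 2156, "Image": DROPPER, "TargetObject": RUN_CTS, "Details": CTS},
    {"EventID": 11, "ProcessId": 2156, "Image": DROPPER, "TargetFilename": PAYLOAD},
    {"EventID": 1, "ProcessId": 2400, "Image": PAYLOAD},
    {"EventID": 1, "ProcessId": 2608, "Image": CTS},
    {"EventID": 11, "ProcessId": 2608, "Image": CTS, "TargetFilename": CTS},
    {"EventID": 13, "ProcessId": 2608, "Image": CTS, "TargetObject": RUN_CTS, "Details": CTS},
    {"EventID": 13, "ProcessId": 3100, "Image": r"C:\Program Files\ExampleApp\setup.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater",
     "Details": r"C:\Program Files\ExampleApp\updater.exe"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.rule:38} pid={f.pid:<5} {f.image}  {f.detail}")
```

The decoy installer only produces the low-confidence run_key_set finding; the sample's two processes each produce run_key_points_at_self_dropped_file, which is the row worth alerting on.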

Network

N/A

Files

memory/2156-0-0x0000000000A10000-0x0000000000A27000-memory.dmp

\Users\Admin\AppData\Local\Temp\2l2eyr2uGf8gCTu.exe

MD5 3f461ca3e3d9da036cf1a4a06ddf4fb4
SHA1 15395e4b656cee3a708bc50c1094e3fa0c46802e
SHA256 cd8e84c1f8d1ee3a7014343e3fb236329d2b67c1ec233ea4b208d99e3f95105b
SHA512 d0cb3f56db648c9ee151990260a864cdcd0d508a1dafcd741d8b2ccd8f73ba29607f384a4e2752502419cfd4a41d2288d7c3ffec93925be85fc39dad9c01e7f5

memory/2156-15-0x0000000000A10000-0x0000000000A27000-memory.dmp

memory/2608-20-0x00000000012B0000-0x00000000012C7000-memory.dmp

C:\Windows\CTS.exe

MD5 70aa23c9229741a9b52e5ce388a883ac
SHA1 b42683e21e13de3f71db26635954d992ebe7119e
SHA256 9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2
SHA512 be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5

memory/2156-16-0x00000000000E0000-0x00000000000F7000-memory.dmp

memory/2156-11-0x00000000000E0000-0x00000000000F7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 16:55

Reported

2024-04-07 16:57

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e568985688cde6ece09927298a84ec01_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AKbabzrEvS3xy2s.exe | N/A
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\e568985688cde6ece09927298a84ec01_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\e568985688cde6ece09927298a84ec01_JaffaCakes118.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e568985688cde6ece09927298a84ec01_JaffaCakes118.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e568985688cde6ece09927298a84ec01_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e568985688cde6ece09927298a84ec01_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\AKbabzrEvS3xy2s.exe

C:\Users\Admin\AppData\Local\Temp\AKbabzrEvS3xy2s.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 98.56.20.217.in-addr.arpa | udp
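Every row in this table is a reverse (PTR) lookup sent to Google's resolver: the name d.c.b.a.in-addr.arpa asks for the hostname of a.b.c.d, so the address being looked up is the first four labels read backwards, and the Country column describes the resolver (8.8.8.8), not that address. The table attributes no process to the queries and the win7 run recorded no network activity at all, so nothing on this page ties them to the sample. The decoder below is an added example, not sandbox output; the rows are copied from the table and the decoding logic is the author's own.

```python
r"""Decode the PTR query names in the behavioral2 Network table back to IPv4
addresses. Rows are copied from the report; the decoder is an added example.
"""
import ipaddress

NETWORK_ROWS = """\
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 98.56.20.217.in-addr.arpa udp
"""


def ptr_name_to_ipv4(name):
    """Return the IPv4Address a PTR name refers to, or None when the name is
    not a well-formed four-label in-addr.arpa name (wrong suffix, wrong label
    count, or an octet outside 0-255)."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(labels[:4])))
    except ipaddress.AddressValueError:
        return None


def decode_rows(text):
    """Parse 'Country Destination Domain Proto' rows into dicts. The scope of
    the decoded address is computed separately because the Country column
    belongs to the resolver, not to the address in the query."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, resolver, qname, proto = parts
        ip = ptr_name_to_ipv4(qname)
        rows.append({
            "resolver": resolver, "resolver_country": country, "proto": proto,
            "qname": qname,
            "ip": None if ip is None else str(ip),
            "scope": None if ip is None else ("global" if ip.is_global else "non-global"),
        })
    return rows


if __name__ == "__main__":
    for r in decode_rows(NETWORK_ROWS):
        print(f'{r["qname"]:32} -> {r["ip"]} ({r["scope"]})')
```

Malformed names return None instead of a guessed address, so a row that fails to decode shows up in the output rather than silently becoming a wrong IOC.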

Files

memory/2180-0-0x0000000000F20000-0x0000000000F37000-memory.dmp

memory/2180-9-0x0000000000F20000-0x0000000000F37000-memory.dmp

memory/4436-10-0x0000000000AC0000-0x0000000000AD7000-memory.dmp

C:\Windows\CTS.exe

MD5 70aa23c9229741a9b52e5ce388a883ac
SHA1 b42683e21e13de3f71db26635954d992ebe7119e
SHA256 9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2
SHA512 be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5

C:\Users\Admin\AppData\Local\Temp\AKbabzrEvS3xy2s.exe

MD5 3f461ca3e3d9da036cf1a4a06ddf4fb4
SHA1 15395e4b656cee3a708bc50c1094e3fa0c46802e
SHA256 cd8e84c1f8d1ee3a7014343e3fb236329d2b67c1ec233ea4b208d99e3f95105b
SHA512 d0cb3f56db648c9ee151990260a864cdcd0d508a1dafcd741d8b2ccd8f73ba29607f384a4e2752502419cfd4a41d2288d7c3ffec93925be85fc39dad9c01e7f5

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 b98734f6b5c3de9d7abbf11f6848c3db
SHA1 023733998a2892bae82f2b98f5a51f87eaa883f6
SHA256 078fa287ce258c877cea39d24ed156e8195a242a98646ae47bfe8b50cf5f2283
SHA512 81d3823cc13e1205b2d295cdec1470e91c36efd45cc58a1ef5f9435ddf424a3974918fb6a61e3ef8c1fca712213b5f386d8ff8280b97277bd675357c09471b12
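The Files sections of behavioral1 and behavioral2 are worth reading together: the file dropped into Temp has a different name in each run (2l2eyr2uGf8gCTu.exe on win7, AKbabzrEvS3xy2s.exe on win10) but identical MD5, SHA1, SHA256 and SHA512, and C:\Windows\CTS.exe hashes the same in both runs, while excel.exe_Rules.xml appears only in the win10 run and the report attributes no process to it. The parser and correlation below are an added example that is not part of the report. The section text is copied from this page (SHA512 lines left out; the parser accepts them), and the classification strings are the author's.

```python
r"""Cross-check the Files sections of behavioral1 and behavioral2 by hash.
Section text is copied from the report; parser and correlation are an added
example, not sandbox output.
"""
import re
from collections import defaultdict

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

RUNS = {
    "behavioral1": r"""
memory/2156-0-0x0000000000A10000-0x0000000000A27000-memory.dmp
\Users\Admin\AppData\Local\Temp\2l2eyr2uGf8gCTu.exe
MD5 3f461ca3e3d9da036cf1a4a06ddf4fb4
SHA1 15395e4b656cee3a708bc50c1094e3fa0c46802e
SHA256 cd8e84c1f8d1ee3a7014343e3fb236329d2b67c1ec233ea4b208d99e3f95105b
C:\Windows\CTS.exe
MD5 70aa23c9229741a9b52e5ce388a883ac
SHA1 b42683e21e13de3f71db26635954d992ebe7119e
SHA256 9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2
""",
    "behavioral2": r"""
memory/2180-0-0x0000000000F20000-0x0000000000F37000-memory.dmp
C:\Windows\CTS.exe
MD5 70aa23c9229741a9b52e5ce388a883ac
SHA1 b42683e21e13de3f71db26635954d992ebe7119e
SHA256 9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2
C:\Users\Admin\AppData\Local\Temp\AKbabzrEvS3xy2s.exe
MD5 3f461ca3e3d9da036cf1a4a06ddf4fb4
SHA1 15395e4b656cee3a708bc50c1094e3fa0c46802e
SHA256 cd8e84c1f8d1ee3a7014343e3fb236329d2b67c1ec233ea4b208d99e3f95105b
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
MD5 b98734f6b5c3de9d7abbf11f6848c3db
SHA1 023733998a2892bae82f2b98f5a51f87eaa883f6
SHA256 078fa287ce258c877cea39d24ed156e8195a242a98646ae47bfe8b50cf5f2283
""",
}


def parse_files_section(text):
    """Split a flattened Files section into entries: a path line followed by
    zero or more 'ALGO hex' lines. Memory-dump lines get no hashes; a hash
    whose length does not fit its algorithm is recorded as bad, not trusted."""
    entries, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            algo, value = m.group(1), m.group(2).lower()
            if len(value) == HASH_LEN[algo]:
                current["hashes"][algo] = value
            else:
                current.setdefault("bad", []).append(line)
        else:
            current = {"path": line, "hashes": {}}
            entries.append(current)
    return entries


def correlate(runs):
    """Group hashed files by SHA256 across runs and state what the grouping
    shows: same bytes under a different name per run, same bytes at the same
    path in every run, or a file that only some runs produced."""
    by_sha = defaultdict(list)
    for run, text in runs.items():
        for e in parse_files_section(text):
            if "SHA256" in e["hashes"]:
                by_sha[e["hashes"]["SHA256"]].append((run, e["path"]))
    report = {}
    for sha, seen in by_sha.items():
        runs_seen = sorted({r for r, _ in seen})
        names = sorted({p.rsplit("\\", 1)[-1] for _, p in seen})
        if len(runs_seen) < len(runs):
            note = "only in " + ", ".join(runs_seen)
        elif len(names) > 1:
            note = "same bytes under a different name in each run"
        else:
            note = "same bytes at the same path in every run"
        report[sha] = {"runs": runs_seen, "names": names, "note": note}
    return report


if __name__ == "__main__":
    for sha, info in correlate(RUNS).items():
        print(sha[:16], info["runs"], info["names"], "-", info["note"])
```

Keying on SHA256 rather than on the path is what makes the Temp payload line up across runs; a hunt that keyed on the file name would miss it.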