Malware Analysis Report

2024-11-30 02:42

Sample ID 240407-vgdaqshf44
Target e569af64a2ab3d63ff1318213ffaa039_JaffaCakes118
SHA256 6a3526912bf02d1b2e4b3ba8443939b518e312422a2c171ef01d83d60e5b5b4c
Tags
upx persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

6a3526912bf02d1b2e4b3ba8443939b518e312422a2c171ef01d83d60e5b5b4c

Threat Level: Shows suspicious behavior

The file e569af64a2ab3d63ff1318213ffaa039_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

upx persistence spyware stealer

UPX packed file

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 16:57

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 16:57

Reported

2024-04-07 16:59

Platform

win7-20240215-en

Max time kernel

140s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e569af64a2ab3d63ff1318213ffaa039_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\e569af64a2ab3d63ff1318213ffaa039_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\e569af64a2ab3d63ff1318213ffaa039_JaffaCakes118.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e569af64a2ab3d63ff1318213ffaa039_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e569af64a2ab3d63ff1318213ffaa039_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e569af64a2ab3d63ff1318213ffaa039_JaffaCakes118.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

memory/2156-0-0x0000000000990000-0x00000000009A7000-memory.dmp

memory/2156-9-0x0000000000990000-0x00000000009A7000-memory.dmp

memory/2156-8-0x00000000000E0000-0x00000000000F7000-memory.dmp

C:\Windows\CTS.exe

MD5 70aa23c9229741a9b52e5ce388a883ac
SHA1 b42683e21e13de3f71db26635954d992ebe7119e
SHA256 9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2
SHA512 be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5

memory/852-12-0x0000000000AB0000-0x0000000000AC7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vDUdgI4aKB9YXb7.exe

MD5 6b20c3528a9758db91ca38d26f7f5561
SHA1 73c45f604644921ad92695f8ed9aa66a04d3b7a8
SHA256 648f450a56c4904530748ac5f93e421484d394439e5976fffeaf0fc61fb7aa74
SHA512 0a896ac330d2c917a99072784a4a742979146e75983b2682f70ac79970d56ee1d61c09db9ace59893b7158de0fb4b2c2439ad0b08a29c7f86239cbba5340be6c

memory/2156-18-0x00000000000E0000-0x00000000000F7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 16:57

Reported

2024-04-07 16:59

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e569af64a2ab3d63ff1318213ffaa039_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\e569af64a2ab3d63ff1318213ffaa039_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\e569af64a2ab3d63ff1318213ffaa039_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e569af64a2ab3d63ff1318213ffaa039_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e569af64a2ab3d63ff1318213ffaa039_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e569af64a2ab3d63ff1318213ffaa039_JaffaCakes118.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 28.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

memory/4800-0-0x00000000002A0000-0x00000000002B7000-memory.dmp

memory/4800-7-0x00000000002A0000-0x00000000002B7000-memory.dmp

C:\Windows\CTS.exe

MD5 70aa23c9229741a9b52e5ce388a883ac
SHA1 b42683e21e13de3f71db26635954d992ebe7119e
SHA256 9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2
SHA512 be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5

memory/2244-9-0x0000000000DA0000-0x0000000000DB7000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 07a70dbae2d2ed5c66a4ac8af9b2a36e
SHA1 8f033be609b6b01bc09a187e77731d16981f67dd
SHA256 ecfd026421276bddd000bc9095d80ab1130a76e81cb01f07bdf5b9bc30ed3995
SHA512 b66263b81b8beaae063f2e72bf7ff22886477850d3ebf9314f60d2f9b0d02d867fdb432e83243e1f302861c12c408036fa35b60f3b5fae4dce0de3565e905bad

C:\Users\Admin\AppData\Local\Temp\TeaQki91Som9rx1.exe

MD5 e4c91599b0481d04971ae5c2bcab145c
SHA1 f30a408790d8c32e6b10e6749a581642ee0ac633
SHA256 3670db0da4ec849c90244bc0f6af4566e0fc3e68259179ae080e611ea73dae89
SHA512 327e0a662cf0b34ccce1415db109050f62f2a93a73d6bcef480b4396f540d8112ac53fb30ee9b50aa2abee60df49a1f113a895bf21dd19b9eddf9f3109bfaf1a

memory/2244-32-0x0000000000DA0000-0x0000000000DB7000-memory.dmp