Malware Analysis Report

2024-11-30 02:45

Sample ID 240407-vtnbgahf4v
Target e572e8ba020ed9dfe9c846cdf0ab6338_JaffaCakes118
SHA256 525b825ce0609297d21dc70c1f0886bb6876c2368ce04348aac1e39ecd161d17
Tags
upx persistence spyware stealer
Score 7/10


Analysis Overview

Score 7/10

SHA256

525b825ce0609297d21dc70c1f0886bb6876c2368ce04348aac1e39ecd161d17

Threat Level: Shows suspicious behavior

The file e572e8ba020ed9dfe9c846cdf0ab6338_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

upx persistence spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

UPX packed file

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 17:17

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 17:17

Reported

2024-04-07 17:19

Platform

win7-20240220-en

Max time kernel

140s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e572e8ba020ed9dfe9c846cdf0ab6338_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\e572e8ba020ed9dfe9c846cdf0ab6338_JaffaCakes118.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\e572e8ba020ed9dfe9c846cdf0ab6338_JaffaCakes118.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e572e8ba020ed9dfe9c846cdf0ab6338_JaffaCakes118.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e572e8ba020ed9dfe9c846cdf0ab6338_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e572e8ba020ed9dfe9c846cdf0ab6338_JaffaCakes118.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

memory/1656-0-0x0000000000A60000-0x0000000000A77000-memory.dmp

C:\Windows\CTS.exe

MD5 70aa23c9229741a9b52e5ce388a883ac
SHA1 b42683e21e13de3f71db26635954d992ebe7119e
SHA256 9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2
SHA512 be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5

memory/1724-12-0x0000000000230000-0x0000000000247000-memory.dmp

memory/1656-9-0x0000000000070000-0x0000000000087000-memory.dmp

memory/1656-8-0x0000000000A60000-0x0000000000A77000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VJRGTpgQ95r30W8.exe

MD5 4ace9a6330e8d28a472adfcebb65cb45
SHA1 eaac87bd1159ea0a64e71d16436f524ae2c4de77
SHA256 67c51e0fa4da2abb4e6d26b039a1d56fc9f6e9fa7cde7f051e5c2648caaa09cb
SHA512 57f0a7bef30d8edf4c31210adfe66c89bb5c13ed4b484923cb846daa5b4a1b3e0e440bd44d5dc9cd4c38d045cfc6ae3ecd1a7b65d413e6b28e2a13d1968c14a3

memory/1656-18-0x0000000000070000-0x0000000000087000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 17:17

Reported

2024-04-07 17:19

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e572e8ba020ed9dfe9c846cdf0ab6338_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\e572e8ba020ed9dfe9c846cdf0ab6338_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\e572e8ba020ed9dfe9c846cdf0ab6338_JaffaCakes118.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e572e8ba020ed9dfe9c846cdf0ab6338_JaffaCakes118.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e572e8ba020ed9dfe9c846cdf0ab6338_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e572e8ba020ed9dfe9c846cdf0ab6338_JaffaCakes118.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.143.109.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp

Files

memory/1348-0-0x0000000000A10000-0x0000000000A27000-memory.dmp

C:\Windows\CTS.exe

MD5 70aa23c9229741a9b52e5ce388a883ac
SHA1 b42683e21e13de3f71db26635954d992ebe7119e
SHA256 9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2
SHA512 be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5

memory/1348-9-0x0000000000A10000-0x0000000000A27000-memory.dmp

memory/4120-7-0x0000000000EA0000-0x0000000000EB7000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 076334d59338ed2cb590fd14c4cae8a7
SHA1 10e227a419ed9b4fe150151d4837afcd779cc466
SHA256 0454790a2716ec22ecba2bb9c782a955d0c5e572306179605385d4e3a1070102
SHA512 3f23a771fd02248132bdb5b6c50124e4bbeaa75a27add21229193c7295fedf8eec427abddd32b844e87c3e283d9ebc6ea6ca73232ab4dbb42002f32b0931eb27

C:\Users\Admin\AppData\Local\Temp\oekzsBypckYVE9L.exe

MD5 2f24aac91556f8d8a1f8fa6d513622dc
SHA1 ca29b87355efcc3b84baa33021553055eb0d7b93
SHA256 f2d6861709482f0653235ea764f848b03b5f7d7f7a8d7a0cc05b026c455b6999
SHA512 8e1968a685beda1a4905364131a054bf7b3fddeccbdfdc9b43981d6b8a3a84bb20887d363805942e29ee717394a7d3c3dd99b6b9a739e9ce9ecf234b2e910570

memory/4120-32-0x0000000000EA0000-0x0000000000EB7000-memory.dmp