Malware Analysis Report

2024-11-30 02:37

Sample ID 240407-vypp4ahg2z
Target e5766fa8f2f68eb5e00257f0606de710_JaffaCakes118
SHA256 130d728017ef29277b90456d97162296fdd0be4fe384464d1cfcfbf673e5be78
Tags
upx persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

130d728017ef29277b90456d97162296fdd0be4fe384464d1cfcfbf673e5be78

Threat Level: Shows suspicious behavior

The file e5766fa8f2f68eb5e00257f0606de710_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

upx persistence spyware stealer

UPX packed file

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 17:24

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 17:24

Reported

2024-04-07 17:26

Platform

win7-20240221-en

Max time kernel

119s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e5766fa8f2f68eb5e00257f0606de710_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xXbFNTGRaJBr1dV.exe N/A
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\e5766fa8f2f68eb5e00257f0606de710_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\e5766fa8f2f68eb5e00257f0606de710_JaffaCakes118.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\shell\open C:\Users\Admin\AppData\Local\Temp\xXbFNTGRaJBr1dV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XXBFNT~1.EXE \"%1\"" C:\Users\Admin\AppData\Local\Temp\xXbFNTGRaJBr1dV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.GRF C:\Users\Admin\AppData\Local\Temp\xXbFNTGRaJBr1dV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.GRF\ = "GraphEdtGraph" C:\Users\Admin\AppData\Local\Temp\xXbFNTGRaJBr1dV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph C:\Users\Admin\AppData\Local\Temp\xXbFNTGRaJBr1dV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\ = "Filter Graph" C:\Users\Admin\AppData\Local\Temp\xXbFNTGRaJBr1dV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\shell\open\command C:\Users\Admin\AppData\Local\Temp\xXbFNTGRaJBr1dV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\shell C:\Users\Admin\AppData\Local\Temp\xXbFNTGRaJBr1dV.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5766fa8f2f68eb5e00257f0606de710_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xXbFNTGRaJBr1dV.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xXbFNTGRaJBr1dV.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e5766fa8f2f68eb5e00257f0606de710_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e5766fa8f2f68eb5e00257f0606de710_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\xXbFNTGRaJBr1dV.exe

C:\Users\Admin\AppData\Local\Temp\xXbFNTGRaJBr1dV.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

memory/1936-1-0x0000000001020000-0x0000000001039000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xXbFNTGRaJBr1dV.exe

MD5 880e155f8f47fb0db7b2080e71d59568
SHA1 2ed0c0f809765bbabd8c7d4f58e9a0bacf2bb629
SHA256 6011cd7d1a314d109bc0755d17be2e7812b2f5542ec24f3f3023532c1e8a1d44
SHA512 70977d36b8ec8c271c5ffd3303677743a2626196bb62af5d817e86a7eeed972bbb70acdd81508f7b4ee1da366ce02cd96a8d0e6f11627842f195cfd0c53a5bec

memory/2116-16-0x0000000000190000-0x00000000001A9000-memory.dmp

C:\Windows\CTS.exe

MD5 796f4df6e89c638054b20b09ba1f28e5
SHA1 80e5f4e74a798f180f27f9b3dccb3c7461511d7d
SHA256 3293c5e8c2a49b5c7e2ba41c33e49d894137e25b672f19df5100bb9042bda402
SHA512 687860ab619a797cf2d459b0b3324bfca2f5c2b5eb92b2114b423326e1d56e872022000b4402687382c66c3ccf7d061a7f4fd0cf9cafcd5417fb6e096d7e1887

memory/1936-13-0x0000000001020000-0x0000000001039000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 17:24

Reported

2024-04-07 17:26

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e5766fa8f2f68eb5e00257f0606de710_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4VFsnsgR98oR8rP.exe N/A
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\e5766fa8f2f68eb5e00257f0606de710_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\e5766fa8f2f68eb5e00257f0606de710_JaffaCakes118.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph C:\Users\Admin\AppData\Local\Temp\4VFsnsgR98oR8rP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\ = "Filter Graph" C:\Users\Admin\AppData\Local\Temp\4VFsnsgR98oR8rP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\shell\open\command C:\Users\Admin\AppData\Local\Temp\4VFsnsgR98oR8rP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\shell C:\Users\Admin\AppData\Local\Temp\4VFsnsgR98oR8rP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\shell\open C:\Users\Admin\AppData\Local\Temp\4VFsnsgR98oR8rP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4VFSNS~1.EXE \"%1\"" C:\Users\Admin\AppData\Local\Temp\4VFsnsgR98oR8rP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.GRF C:\Users\Admin\AppData\Local\Temp\4VFsnsgR98oR8rP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.GRF\ = "GraphEdtGraph" C:\Users\Admin\AppData\Local\Temp\4VFsnsgR98oR8rP.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5766fa8f2f68eb5e00257f0606de710_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4VFsnsgR98oR8rP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4VFsnsgR98oR8rP.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e5766fa8f2f68eb5e00257f0606de710_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e5766fa8f2f68eb5e00257f0606de710_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\4VFsnsgR98oR8rP.exe

C:\Users\Admin\AppData\Local\Temp\4VFsnsgR98oR8rP.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network


Files

memory/4976-0-0x0000000000920000-0x0000000000939000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4VFsnsgR98oR8rP.exe

MD5 880e155f8f47fb0db7b2080e71d59568
SHA1 2ed0c0f809765bbabd8c7d4f58e9a0bacf2bb629
SHA256 6011cd7d1a314d109bc0755d17be2e7812b2f5542ec24f3f3023532c1e8a1d44
SHA512 70977d36b8ec8c271c5ffd3303677743a2626196bb62af5d817e86a7eeed972bbb70acdd81508f7b4ee1da366ce02cd96a8d0e6f11627842f195cfd0c53a5bec

memory/4976-10-0x0000000000920000-0x0000000000939000-memory.dmp

memory/4544-9-0x0000000000D40000-0x0000000000D59000-memory.dmp

C:\Windows\CTS.exe

MD5 796f4df6e89c638054b20b09ba1f28e5
SHA1 80e5f4e74a798f180f27f9b3dccb3c7461511d7d
SHA256 3293c5e8c2a49b5c7e2ba41c33e49d894137e25b672f19df5100bb9042bda402
SHA512 687860ab619a797cf2d459b0b3324bfca2f5c2b5eb92b2114b423326e1d56e872022000b4402687382c66c3ccf7d061a7f4fd0cf9cafcd5417fb6e096d7e1887

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 a8ca95e6092c0c56683258d73a30cbfb
SHA1 676a4d2d4946570a96d419e0aa6a755dee8e80e7
SHA256 a327bc290e6d57703ab3dea60fe89e29897c5be7ecaa8ed128818614b4869f54
SHA512 474b7b1ffd683e60e083a489932587a869e6e8889fc5c418175f7a76364faf1734ac89c18366bbe13ce10eb3e5a1f4067af243727f450710b4b2457a2a5e37ba