Malware Analysis Report

2024-11-30 02:37

Sample ID 240407-wd4tysab7y
Target e581ce7b8b16656bf455ca40da5c1356_JaffaCakes118
SHA256 a7a2b6b238150db57c8c5bdba1e45ff62e39ce00cc755191b655db0effe56630
Tags
upx persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

a7a2b6b238150db57c8c5bdba1e45ff62e39ce00cc755191b655db0effe56630

Threat Level: Shows suspicious behavior

The file e581ce7b8b16656bf455ca40da5c1356_JaffaCakes118 was classified as "shows suspicious behavior" (score 7/10): it is UPX-packed and carries no Authenticode signature, drops and executes C:\Windows\CTS.exe (a different binary from the submitted file, see the hashes under Files), registers that path under an HKLM Run key, and reads web browser profile data.

Malicious Activity Summary

upx persistence spyware stealer

UPX packed file

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Note: "Loads dropped DLL" and "Suspicious use of WriteProcessMemory" appear only in this summary; neither behavioral run below records an indicator row for them, so treat those two as unconfirmed by the detail in this report.

MITRE ATT&CK

Enterprise Matrix V15

The export carries no matrix rows; the techniques below are mapped from the signatures listed in the summary.

T1027.002 Obfuscated Files or Information: Software Packing (Defense Evasion) - UPX packed file
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (Persistence, Privilege Escalation) - Adds Run key to start application
T1555.003 Credentials from Web Browsers (Credential Access) or T1005 Data from Local System (Collection) - Reads user/profile data of web browsers; the report does not show which profile files were read, so the narrower technique cannot be fixed from this evidence

Analysis: static1

Detonation Overview

Reported

2024-04-07 17:49

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
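The two static verdicts above (UPX packing, no Authenticode signature) come straight from the PE headers. The following Python is an added example written for this page, not part of the sandbox report or its tooling: it reads the COFF header, the security data directory and the section table itself (no pefile dependency) and runs against a constructed minimal PE32 stand-in, build_sample_pe(), which is not the analysed binary. The script name pe_static.py in the usage comment is an assumption.

```python
"""Static PE triage: is it UPX-packed, is it Authenticode-signed?

Added example, not part of the sandbox report. It reproduces the logic behind the
two static signatures ("UPX packed file", "Unsigned PE") by reading the PE headers
directly. build_sample_pe() constructs a minimal PE32 stand-in for offline use; it is
not the analysed binary.
"""
import math
import struct
import sys

# Section names UPX leaves in a packed image; the usual basis of a "UPX packed" verdict.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX!"}


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: compressed/encrypted data sits near 8.0, plain x86 code nearer 6."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Read the COFF header, the Authenticode data directory and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    machine, nsections, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    pe32plus = magic == 0x20B
    # Data directories start at optional-header offset 96 (PE32) or 112 (PE32+), preceded
    # by NumberOfRvaAndSizes. Entry 4 (IMAGE_DIRECTORY_ENTRY_SECURITY) is the file offset
    # and size of the Authenticode blob; size 0 means the file carries no signature.
    dd_base = 112 if pe32plus else 96
    num_dirs = struct.unpack_from("<I", data, opt + dd_base - 4)[0]
    security_size = 0
    if num_dirs > 4:
        _sec_off, security_size = struct.unpack_from("<II", data, opt + dd_base + 4 * 8)
    sections = []
    table = opt + opt_size
    for i in range(nsections):
        name, vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({"name": name.rstrip(b"\0"), "virtual_size": vsize,
                         "raw_size": raw_size, "entropy": shannon_entropy(raw)})
    return {"machine": machine, "pe32plus": pe32plus,
            "security_dir_size": security_size, "sections": sections}


def static_signatures(data: bytes) -> dict:
    """The two verdicts shown in the report plus the evidence behind them."""
    info = parse_pe(data)
    names = {s["name"] for s in info["sections"]}
    # Section names are trivial to rename, so also report the entropy profile: a UPX image
    # has an empty-on-disk UPX0 next to a near-8.0 UPX1 holding the compressed payload.
    return {
        "upx_packed": bool(names & UPX_SECTION_NAMES),
        "unsigned_pe": info["security_dir_size"] == 0,
        "section_names": sorted(n.decode("latin-1") for n in names),
        "high_entropy_sections": sorted(s["name"].decode("latin-1")
                                        for s in info["sections"] if s["entropy"] > 7.0),
    }


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 (i386, two sections UPX0/UPX1, no security directory)."""
    nsections = 2
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))          # e_lfanew: PE header right after DOS stub
    coff = struct.pack("<HHIIIHH", 0x014C, nsections, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                  # standard PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes; entry 4 left as 0/0
    payload = bytes(range(256)) * 4                       # stand-in for compressed data, entropy 8.0
    raw_ptr = 512
    upx0 = struct.pack("<8sIIIIIIHHI", b"UPX0", 0x10000, 0x1000, 0, 0, 0, 0, 0, 0, 0xE0000080)
    upx1 = struct.pack("<8sIIIIIIHHI", b"UPX1", 0x1000, 0x11000, len(payload), raw_ptr,
                       0, 0, 0, 0, 0xE0000040)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + upx0 + upx1
    return headers.ljust(raw_ptr, b"\0") + payload


if __name__ == "__main__":
    # Usage: python pe_static.py <file.exe>; with no argument the constructed sample is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in static_signatures(blob).items():
        print(f"{key}: {value}")
```

The name check is what most sandboxes report; the entropy column is the fallback when a sample has had its section names wiped, and the security-directory size is the only header field that matters for "unsigned" (a non-zero size still has to be validated against the certificate chain, which this does not do).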

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 17:49

Reported

2024-04-07 17:51

Platform

win7-20240221-en

Max time kernel

141s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e581ce7b8b16656bf455ca40da5c1356_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\UIIeaVCco7tI7iW.exe N/A
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (5 rows, all fields N/A)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\e581ce7b8b16656bf455ca40da5c1356_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

The value lands under Wow6432Node, so the writer is a 32-bit process on 64-bit Windows; the redirected Run key is processed at logon just like the native one, so the entry is effective. The hive is HKLM, which requires administrative rights: the write succeeds here because the sandbox runs the sample as Admin, and on a standard-user host it would fail. The persisted copy sets the same value again when it runs.

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\e581ce7b8b16656bf455ca40da5c1356_JaffaCakes118.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

The second row shows the persisted copy re-creating its own path when executed, so the install routine runs on every start, not only on first execution.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e581ce7b8b16656bf455ca40da5c1356_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Enabling SeDebugPrivilege only works for a token that already holds it, i.e. an administrator's, and it lets the process open any other process for reading and writing. Both the sample and CTS.exe enable it, which fits the WriteProcessMemory use listed in the summary, but no injection target is recorded in this run.

Processes

C:\Users\Admin\AppData\Local\Temp\e581ce7b8b16656bf455ca40da5c1356_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e581ce7b8b16656bf455ca40da5c1356_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\UIIeaVCco7tI7iW.exe

C:\Users\Admin\AppData\Local\Temp\UIIeaVCco7tI7iW.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

memory/1460-0-0x0000000000830000-0x0000000000847000-memory.dmp (dump names encode PID, dump index, and the start and end address of the dumped region)

\Users\Admin\AppData\Local\Temp\UIIeaVCco7tI7iW.exe

MD5 ae6ce17005c63b7e9bf15a2a21abb315
SHA1 9b6bdfb9d648fa422f54ec07b8c8ea70389c09eb
SHA256 4a3387a54eeca83f3a8ff1f5f282f7966c9e7bfe159c8eb45444cab01b3e167e
SHA512 c883a5f599540d636efc8c0abc05aab7bad0aa1b10ab507f43f18e0fba905a10b94ff2f1ba10ae0fee15cc1b90a165a768dc078fda0ac27474f0eef66f6a11af

C:\Windows\CTS.exe

MD5 70aa23c9229741a9b52e5ce388a883ac
SHA1 b42683e21e13de3f71db26635954d992ebe7119e
SHA256 9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2
SHA512 be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5

memory/1460-15-0x0000000000830000-0x0000000000847000-memory.dmp

memory/636-18-0x0000000000CC0000-0x0000000000CD7000-memory.dmp

memory/1460-11-0x0000000000070000-0x0000000000087000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 17:49

Reported

2024-04-07 17:52

Platform

win10v2004-20240226-en

Max time kernel

155s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e581ce7b8b16656bf455ca40da5c1356_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\lYcuCAIemOKQb6b.exe N/A
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (6 rows, all fields N/A)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\e581ce7b8b16656bf455ca40da5c1356_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\e581ce7b8b16656bf455ca40da5c1356_JaffaCakes118.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e581ce7b8b16656bf455ca40da5c1356_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A
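Both runs (behavioral1 and behavioral2) show the same chain: a process running from the user's Temp directory creates C:\Windows\CTS.exe, the Run key is then set to that path, and the dropped copy repeats both steps. The Python below is an added example for this page, not part of the report or its sandbox, showing how that chain is detected from Sysmon-style file-create (EventID 11) and registry set-value (EventID 13) events. The event records are constructed from the indicator rows above plus two benign controls; the field names follow Sysmon, and the rule names are this example's own.

```python
"""Detection logic for the drop-and-persist chain seen in behavioral1 and behavioral2.

Added example, not part of the sandbox report. It evaluates three rules over
Sysmon-style events (EventID 11 FileCreate, EventID 13 RegistryEvent/SetValue):
a process running from %TEMP% writing into the Windows directory, a Run key whose
value points directly into the Windows directory or into %TEMP%, and the correlation
of the two (the same process created the file it then registered). EVENTS is
constructed from the indicator rows in the report plus two benign controls.
"""
import re

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.I)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# A file directly in the Windows directory root (C:\Windows\x.exe), not in a subfolder.
WINDOWS_ROOT_RE = re.compile(r"^[a-z]:\\Windows\\[^\\]+$", re.I)


def normalize_key(path: str) -> str:
    """Map kernel-style hive names (as the sandbox prints them) onto Sysmon's HKLM/HKU form."""
    p = path.replace("\\\\", "\\")
    p = re.sub(r"^\\REGISTRY\\MACHINE", "HKLM", p, flags=re.I)
    p = re.sub(r"^\\REGISTRY\\USER", "HKU", p, flags=re.I)
    return p


def exe_from_command(value: str) -> str:
    """Extract the executable path from a Run value, tolerating quotes, arguments and the
    doubled backslashes the report uses when printing string values."""
    v = value.replace("\\\\", "\\").strip()
    if v.startswith('"'):
        end = v.find('"', 1)
        return v[1:end] if end > 0 else v[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", v, re.I)
    if m:
        return m.group(1)
    return v.split()[0] if v else ""


def detect(events):
    """Return (rule, process_image, detail) tuples. Two passes, so the order in which the
    file-create and registry events arrive does not matter."""
    created_by = {}   # image (lower) -> set of file paths (lower) it created
    alerts = []
    for ev in events:
        if ev["EventID"] != 11:
            continue
        target = ev["TargetFilename"]
        created_by.setdefault(ev["Image"].lower(), set()).add(target.lower())
        if WINDOWS_ROOT_RE.match(target) and TEMP_DIR_RE.search(ev["Image"]):
            alerts.append(("TempProcessWritesWindowsDir", ev["Image"], target))
    for ev in events:
        if ev["EventID"] != 13:
            continue
        key = normalize_key(ev["TargetObject"])
        if not RUN_KEY_RE.search(key):
            continue
        exe = exe_from_command(ev["Details"])
        if WINDOWS_ROOT_RE.match(exe) or TEMP_DIR_RE.search(exe):
            alerts.append(("RunKeyToSuspiciousPath", ev["Image"], f"{key} = {exe}"))
        if exe.lower() in created_by.get(ev["Image"].lower(), set()):
            alerts.append(("DropAndPersistChain", ev["Image"],
                           f"{exe} created by the same process that registered it in {key}"))
    return alerts


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e581ce7b8b16656bf455ca40da5c1356_JaffaCakes118.exe"
DROPPED = r"C:\Windows\CTS.exe"
RUN_KEY_WOW = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS"

# Constructed events: the four rows the report attributes to the sample and CTS.exe,
# followed by two benign controls that must not alert.
EVENTS = [
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": DROPPED},
    {"EventID": 13, "Image": SAMPLE, "TargetObject": RUN_KEY_WOW, "Details": r'"C:\\Windows\\CTS.exe"'},
    {"EventID": 11, "Image": DROPPED, "TargetFilename": DROPPED},
    {"EventID": 13, "Image": DROPPED, "TargetObject": RUN_KEY_WOW, "Details": r'"C:\\Windows\\CTS.exe"'},
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": r"HKU\S-1-5-21-1\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\WindowsUpdate.log"},
]

if __name__ == "__main__":
    for rule, image, detail in detect(EVENTS):
        print(f"[{rule}] {image}\n    {detail}")
```

The correlation rule is the one worth keeping at low noise: a Run value pointing somewhere unusual fires on plenty of badly behaved installers, but a process that both writes a binary into the Windows directory root and registers that same binary for autostart is the exact shape both detonations show.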

Processes

C:\Users\Admin\AppData\Local\Temp\e581ce7b8b16656bf455ca40da5c1356_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e581ce7b8b16656bf455ca40da5c1356_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\lYcuCAIemOKQb6b.exe

C:\Users\Admin\AppData\Local\Temp\lYcuCAIemOKQb6b.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp

All ten entries are reverse (PTR) lookups sent to Google DNS. Read backwards, the names resolve 20.106.86.13, 2.17.197.240, 20.190.160.14, 51.11.168.232, 13.85.23.86, 52.165.164.15, 104.109.143.17, 199.232.210.172, 93.184.221.240 and 13.89.179.8, Microsoft and CDN address space consistent with the Windows 10 image's own telemetry and update traffic rather than with the sample. No forward lookup, TCP connection or HTTP request is attributed to the sample's processes in either run, so this table yields no command-and-control indicator, and whatever exfiltration path the stealer component uses is not captured here.
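Reading the PTR names backwards is the quickest way to see what was actually resolved, and confirming that a table is PTR-only is the check that rules it out as a C2 indicator. The Python below is an added example for this page, not part of the report: it decodes in-addr.arpa and ip6.arpa names, separates PTR-only traffic from forward lookups, and runs on the ten rows above plus one constructed forward lookup (example.com) as a control.

```python
"""Reverse-DNS triage of a sandbox Network table.

Added example, not part of the sandbox report. Decodes in-addr.arpa / ip6.arpa query
names back to the addresses being looked up and separates PTR-only traffic (what the
host resolved backwards, usually OS background activity) from forward lookups, which
are the rows that could name a command-and-control host. REPORT_ROWS are the ten rows
of the behavioral2 Network table; EXTRA_ROWS is a constructed forward lookup used as
a control.
"""
import ipaddress


def ptr_name_to_ip(name: str):
    """Return the address a PTR query name asks about, or None if it is not a PTR name."""
    labels = name.rstrip(".").lower().split(".")
    try:
        if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
            # IPv4: four octets in reverse order, e.g. 13.86.106.20.in-addr.arpa -> 20.106.86.13
            return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))
        if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
            # IPv6: 32 hex nibbles in reverse order
            return str(ipaddress.IPv6Address(int("".join(reversed(labels[:32])), 16)))
    except ValueError:
        return None
    return None


def triage_dns(rows):
    """rows are (country, destination, domain, proto) tuples as printed in the report."""
    ptr_targets, forward = [], []
    for _country, _dst, domain, _proto in rows:
        ip = ptr_name_to_ip(domain)
        if ip is None:
            forward.append(domain)
        else:
            ptr_targets.append(ip)
    return {"ptr_targets": ptr_targets, "forward_lookups": forward,
            "ptr_only": not forward}


# The ten rows from the behavioral2 Network table above.
REPORT_ROWS = [
    ("US", "8.8.8.8:53", "13.86.106.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "240.197.17.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "14.160.190.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "232.168.11.51.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "86.23.85.13.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "15.164.165.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "17.143.109.104.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "172.210.232.199.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "240.221.184.93.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "8.179.89.13.in-addr.arpa", "udp"),
]

# Constructed control row: a forward lookup that must be kept apart from the PTR traffic.
EXTRA_ROWS = [("US", "8.8.8.8:53", "example.com", "udp")]

if __name__ == "__main__":
    result = triage_dns(REPORT_ROWS)
    print("PTR-only:", result["ptr_only"])
    for ip in result["ptr_targets"]:
        print("  looked up:", ip)
```

The decoded addresses can then be checked against the process tree: a PTR query with no corresponding connection from one of the sample's processes is the OS resolving something it connected to itself.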

Files

memory/4456-0-0x0000000000BE0000-0x0000000000BF7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lYcuCAIemOKQb6b.exe

MD5 ae6ce17005c63b7e9bf15a2a21abb315
SHA1 9b6bdfb9d648fa422f54ec07b8c8ea70389c09eb
SHA256 4a3387a54eeca83f3a8ff1f5f282f7966c9e7bfe159c8eb45444cab01b3e167e
SHA512 c883a5f599540d636efc8c0abc05aab7bad0aa1b10ab507f43f18e0fba905a10b94ff2f1ba10ae0fee15cc1b90a165a768dc078fda0ac27474f0eef66f6a11af

C:\Windows\CTS.exe

MD5 70aa23c9229741a9b52e5ce388a883ac
SHA1 b42683e21e13de3f71db26635954d992ebe7119e
SHA256 9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2
SHA512 be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5

memory/4456-9-0x0000000000BE0000-0x0000000000BF7000-memory.dmp

memory/1612-8-0x0000000000420000-0x0000000000437000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 b683bf974923beefbac4e64ee5a7aebd
SHA1 662203899967e60960502464938a7de06f96c9b3
SHA256 31eb51fec0c298791c0447cb4d09378b2583d205837f6bc3201864167543a5f5
SHA512 58c71b5cadbe0bc2ca31cafb158f4428ee4b69866a0ddad3c195168f23c5879ad7eb32086591dcc226b319f91c6deeba7292db22f4ff04a143d09c75f8b33c32

No process is attributed to this file. Office maintains <app>.exe_Rules.xml telemetry rule files at this location on its own, so it is most likely background activity of the Windows 10 image rather than an artifact of the sample; nothing else in the Files list corresponds to the browser-profile read signature.

memory/1612-31-0x0000000000420000-0x0000000000437000-memory.dmp