Analysis Overview
SHA256
22d8a5314c14ff7e05e5af65b90e1233a030e782845c4753386ba42f62c9ad40
Threat Level: Shows suspicious behavior
The file e58ccb3f6e1391ee6595642366e1755f_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
UPX packed file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 18:13
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 18:13
Reported
2024-04-07 18:15
Platform
win7-20240221-en
Max time kernel
122s
Max time network
125s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GQF4lMPexfXM3Kp.exe | N/A |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e58ccb3f6e1391ee6595642366e1755f_JaffaCakes118.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\e58ccb3f6e1391ee6595642366e1755f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\e58ccb3f6e1391ee6595642366e1755f_JaffaCakes118.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e58ccb3f6e1391ee6595642366e1755f_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e58ccb3f6e1391ee6595642366e1755f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e58ccb3f6e1391ee6595642366e1755f_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\GQF4lMPexfXM3Kp.exe
C:\Users\Admin\AppData\Local\Temp\GQF4lMPexfXM3Kp.exe
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
Files
memory/2076-0-0x0000000000180000-0x0000000000199000-memory.dmp
\Users\Admin\AppData\Local\Temp\GQF4lMPexfXM3Kp.exe
| MD5 | 4a895ec6c5a9df94820219ef525cf65a |
| SHA1 | 525dd15cdeec20966d61c5f0a81667cd931349cb |
| SHA256 | 949b6765d794c53656c9afc45b90d9a2cfcae6bb30444086b29225f19242217b |
| SHA512 | a830996a8aae3d25bd21283f4f19ea295d6caa31ab98d14f5bacc15fee64264170348ca03c7bd390e6107274fb91923e24f4c6a6dca09a5354ae47d4109ed611 |
memory/2076-11-0x0000000000180000-0x0000000000199000-memory.dmp
C:\Windows\CTS.exe
| MD5 | 38e4f5afdf9e20dbbbf0dabeae60ac61 |
| SHA1 | c3088ed7d787289699b3148b33e1a8029cd2c451 |
| SHA256 | 0a8fc497cc0ed3257ca11dc16ce5b0782434ee3e873d2d8b523dbb1a3fc731af |
| SHA512 | ee65cb323ea38bdcb0bd58daccef49a2a8784682c80bcd4a7231331e642af24643a326ce7f286e4e9113220dad3ad5958ee1d9b55bc49266568fea2e11a6717f |
memory/2100-13-0x00000000000C0000-0x00000000000D9000-memory.dmp
memory/2100-18-0x00000000000C0000-0x00000000000D9000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 18:13
Reported
2024-04-07 18:16
Platform
win10v2004-20240319-en
Max time kernel
147s
Max time network
158s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vqjIb8CWvOfVnCF.exe | N/A |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\e58ccb3f6e1391ee6595642366e1755f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\e58ccb3f6e1391ee6595642366e1755f_JaffaCakes118.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e58ccb3f6e1391ee6595642366e1755f_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2332 wrote to memory of 388 | N/A | C:\Users\Admin\AppData\Local\Temp\e58ccb3f6e1391ee6595642366e1755f_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\vqjIb8CWvOfVnCF.exe |
| PID 2332 wrote to memory of 388 | N/A | C:\Users\Admin\AppData\Local\Temp\e58ccb3f6e1391ee6595642366e1755f_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\vqjIb8CWvOfVnCF.exe |
| PID 2332 wrote to memory of 388 | N/A | C:\Users\Admin\AppData\Local\Temp\e58ccb3f6e1391ee6595642366e1755f_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\vqjIb8CWvOfVnCF.exe |
| PID 2332 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\e58ccb3f6e1391ee6595642366e1755f_JaffaCakes118.exe | C:\Windows\CTS.exe |
| PID 2332 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\e58ccb3f6e1391ee6595642366e1755f_JaffaCakes118.exe | C:\Windows\CTS.exe |
| PID 2332 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\e58ccb3f6e1391ee6595642366e1755f_JaffaCakes118.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e58ccb3f6e1391ee6595642366e1755f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e58ccb3f6e1391ee6595642366e1755f_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\vqjIb8CWvOfVnCF.exe
C:\Users\Admin\AppData\Local\Temp\vqjIb8CWvOfVnCF.exe
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3696 --field-trial-handle=2284,i,13100272738549420251,6151825632958897606,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| DE | 142.250.186.170:443 | chromewebstore.googleapis.com | tcp |
| GB | 13.105.221.16:443 | tcp | |
| US | 8.8.8.8:53 | 170.186.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.173.189.20.in-addr.arpa | udp |
Files
memory/2332-0-0x0000000000F30000-0x0000000000F49000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vqjIb8CWvOfVnCF.exe
| MD5 | 4a895ec6c5a9df94820219ef525cf65a |
| SHA1 | 525dd15cdeec20966d61c5f0a81667cd931349cb |
| SHA256 | 949b6765d794c53656c9afc45b90d9a2cfcae6bb30444086b29225f19242217b |
| SHA512 | a830996a8aae3d25bd21283f4f19ea295d6caa31ab98d14f5bacc15fee64264170348ca03c7bd390e6107274fb91923e24f4c6a6dca09a5354ae47d4109ed611 |
C:\Windows\CTS.exe
| MD5 | 38e4f5afdf9e20dbbbf0dabeae60ac61 |
| SHA1 | c3088ed7d787289699b3148b33e1a8029cd2c451 |
| SHA256 | 0a8fc497cc0ed3257ca11dc16ce5b0782434ee3e873d2d8b523dbb1a3fc731af |
| SHA512 | ee65cb323ea38bdcb0bd58daccef49a2a8784682c80bcd4a7231331e642af24643a326ce7f286e4e9113220dad3ad5958ee1d9b55bc49266568fea2e11a6717f |
memory/2332-9-0x0000000000F30000-0x0000000000F49000-memory.dmp
memory/2664-10-0x0000000000D10000-0x0000000000D29000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| MD5 | 4a177ba2aedb654220c9b49ef35e8390 |
| SHA1 | a41f9813090b1ae61fe3e02eda7b90fe4671ba10 |
| SHA256 | b4278d5e115cad717a6bbf6a810b4ce2f301dff6d5633b23c3cbb0b224470098 |
| SHA512 | a1b8809c05025854541c25f237477219f9379c3f443cd9ef96568befb6885fd58941431ed761bb4bcf9d6f3e708cd8316f017dad3e4cba59e0c562ba81d92983 |