Malware Analysis Report

2024-11-30 02:49

Sample ID 240407-wtvwzsba68
Target e58ccb3f6e1391ee6595642366e1755f_JaffaCakes118
SHA256 22d8a5314c14ff7e05e5af65b90e1233a030e782845c4753386ba42f62c9ad40
Tags: persistence, spyware, stealer, upx
Score: 7/10


Analysis Overview

Score: 7/10

SHA256: 22d8a5314c14ff7e05e5af65b90e1233a030e782845c4753386ba42f62c9ad40

Threat level: shows suspicious behavior

The file e58ccb3f6e1391ee6595642366e1755f_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Tags: persistence, spyware, stealer, upx

UPX packed file

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 18:13

Signatures

UPX packed file

Tag: upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 18:13

Reported

2024-04-07 18:15

Platform

win7-20240221-en

Max time kernel

122s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e58ccb3f6e1391ee6595642366e1755f_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GQF4lMPexfXM3Kp.exe | N/A
N/A | N/A | C:\Windows\CTS.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e58ccb3f6e1391ee6595642366e1755f_JaffaCakes118.exe | N/A

Reads user/profile data of web browsers

Tags: spyware, stealer

UPX packed file

Tag: upx

Description | Indicator | Process | Target
(5 matches; all fields N/A)

Adds Run key to start application

Tag: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\e58ccb3f6e1391ee6595642366e1755f_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\e58ccb3f6e1391ee6595642366e1755f_JaffaCakes118.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e58ccb3f6e1391ee6595642366e1755f_JaffaCakes118.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e58ccb3f6e1391ee6595642366e1755f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e58ccb3f6e1391ee6595642366e1755f_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\GQF4lMPexfXM3Kp.exe

C:\Users\Admin\AppData\Local\Temp\GQF4lMPexfXM3Kp.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

memory/2076-0-0x0000000000180000-0x0000000000199000-memory.dmp

\Users\Admin\AppData\Local\Temp\GQF4lMPexfXM3Kp.exe

MD5 4a895ec6c5a9df94820219ef525cf65a
SHA1 525dd15cdeec20966d61c5f0a81667cd931349cb
SHA256 949b6765d794c53656c9afc45b90d9a2cfcae6bb30444086b29225f19242217b
SHA512 a830996a8aae3d25bd21283f4f19ea295d6caa31ab98d14f5bacc15fee64264170348ca03c7bd390e6107274fb91923e24f4c6a6dca09a5354ae47d4109ed611

memory/2076-11-0x0000000000180000-0x0000000000199000-memory.dmp

C:\Windows\CTS.exe

MD5 38e4f5afdf9e20dbbbf0dabeae60ac61
SHA1 c3088ed7d787289699b3148b33e1a8029cd2c451
SHA256 0a8fc497cc0ed3257ca11dc16ce5b0782434ee3e873d2d8b523dbb1a3fc731af
SHA512 ee65cb323ea38bdcb0bd58daccef49a2a8784682c80bcd4a7231331e642af24643a326ce7f286e4e9113220dad3ad5958ee1d9b55bc49266568fea2e11a6717f

memory/2100-13-0x00000000000C0000-0x00000000000D9000-memory.dmp

memory/2100-18-0x00000000000C0000-0x00000000000D9000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 18:13

Reported

2024-04-07 18:16

Platform

win10v2004-20240319-en

Max time kernel

147s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e58ccb3f6e1391ee6595642366e1755f_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vqjIb8CWvOfVnCF.exe | N/A
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

Tags: spyware, stealer

UPX packed file

Tag: upx

Description | Indicator | Process | Target
(5 matches; all fields N/A)

Adds Run key to start application

Tag: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\e58ccb3f6e1391ee6595642366e1755f_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\e58ccb3f6e1391ee6595642366e1755f_JaffaCakes118.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e58ccb3f6e1391ee6595642366e1755f_JaffaCakes118.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e58ccb3f6e1391ee6595642366e1755f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e58ccb3f6e1391ee6595642366e1755f_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\vqjIb8CWvOfVnCF.exe

C:\Users\Admin\AppData\Local\Temp\vqjIb8CWvOfVnCF.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3696 --field-trial-handle=2284,i,13100272738549420251,6151825632958897606,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp
US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp
DE | 142.250.186.170:443 | chromewebstore.googleapis.com | tcp
GB | 13.105.221.16:443 | N/A | tcp
US | 8.8.8.8:53 | 170.186.250.142.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.173.189.20.in-addr.arpa | udp

Files

memory/2332-0-0x0000000000F30000-0x0000000000F49000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vqjIb8CWvOfVnCF.exe

MD5 4a895ec6c5a9df94820219ef525cf65a
SHA1 525dd15cdeec20966d61c5f0a81667cd931349cb
SHA256 949b6765d794c53656c9afc45b90d9a2cfcae6bb30444086b29225f19242217b
SHA512 a830996a8aae3d25bd21283f4f19ea295d6caa31ab98d14f5bacc15fee64264170348ca03c7bd390e6107274fb91923e24f4c6a6dca09a5354ae47d4109ed611

C:\Windows\CTS.exe

MD5 38e4f5afdf9e20dbbbf0dabeae60ac61
SHA1 c3088ed7d787289699b3148b33e1a8029cd2c451
SHA256 0a8fc497cc0ed3257ca11dc16ce5b0782434ee3e873d2d8b523dbb1a3fc731af
SHA512 ee65cb323ea38bdcb0bd58daccef49a2a8784682c80bcd4a7231331e642af24643a326ce7f286e4e9113220dad3ad5958ee1d9b55bc49266568fea2e11a6717f

memory/2332-9-0x0000000000F30000-0x0000000000F49000-memory.dmp

memory/2664-10-0x0000000000D10000-0x0000000000D29000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 4a177ba2aedb654220c9b49ef35e8390
SHA1 a41f9813090b1ae61fe3e02eda7b90fe4671ba10
SHA256 b4278d5e115cad717a6bbf6a810b4ce2f301dff6d5633b23c3cbb0b224470098
SHA512 a1b8809c05025854541c25f237477219f9379c3f443cd9ef96568befb6885fd58941431ed761bb4bcf9d6f3e708cd8316f017dad3e4cba59e0c562ba81d92983