Malware Analysis Report

2024-11-15 06:07

Sample ID 240407-yef6dsce8w
Target e5b592e5d59cc9eaf78c2cc5ef554171_JaffaCakes118
SHA256 7675ab50699f3a876018fd3378946d59dfbcd5d4a3e7be7fee30f5216d9298c4
Tags
upx persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

7675ab50699f3a876018fd3378946d59dfbcd5d4a3e7be7fee30f5216d9298c4

Threat Level: Shows suspicious behavior

The file e5b592e5d59cc9eaf78c2cc5ef554171_JaffaCakes118 was found to show suspicious behavior (score 7/10).

Malicious Activity Summary

upx persistence spyware stealer

Loads dropped DLL

Reads user/profile data of web browsers

UPX packed file

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 19:41

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 19:41

Reported

2024-04-07 19:44

Platform

win7-20240221-en

Max time kernel

145s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e5b592e5d59cc9eaf78c2cc5ef554171_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3JVlSSmlvpVXUWZ.exe N/A
N/A N/A C:\Windows\CTS.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5b592e5d59cc9eaf78c2cc5ef554171_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\e5b592e5d59cc9eaf78c2cc5ef554171_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\e5b592e5d59cc9eaf78c2cc5ef554171_JaffaCakes118.exe N/A
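The two tables above describe one persistence mechanism: the sample copies itself to C:\Windows\CTS.exe and registers that path under the HKLM Run key, and CTS.exe re-writes the same value when it runs. The sandbox prints the key in its native NT form (\REGISTRY\MACHINE\...); Wow6432Node in the path means a 32-bit process wrote to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and WOW64 redirected it, and the data column is shown with escaped backslashes. Both locations (HKLM Run and C:\Windows) are writable only with administrative rights, which the sandbox's Admin user has. The script below is an added example, not part of the report or the sample: it parses the two tables and the Files section hashes (copied verbatim as constructed input), normalizes the key into a hive:\subkey form, unescapes the data, and ties the autostart target to the file-drop events and the SHA256 of the dropped binary. Regex shapes and the output field names are my assumptions.

```python
"""Normalize the sandbox's Run-key indicator and correlate it with the dropped file.

Added example. Input rows are copied from the behavioral1 tables above; raw strings
keep the Windows backslashes intact.
"""
import re

# Constructed input: the two "Adds Run key" rows, verbatim.
RUN_KEY_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\e5b592e5d59cc9eaf78c2cc5ef554171_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A
"""

# Constructed input: the two "Drops file in Windows directory" rows, verbatim.
DROP_ROWS = r"""
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\e5b592e5d59cc9eaf78c2cc5ef554171_JaffaCakes118.exe N/A
"""

# From the Files section of behavioral1: dropped path -> SHA256.
DROPPED_HASHES = {
    r"C:\Windows\CTS.exe": "9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2",
    r"C:\Users\Admin\AppData\Local\Temp\3JVlSSmlvpVXUWZ.exe": "59b284d0ad4c2634938e70fae67d9048bd98422d052fbd745a9b80b5fae7ae29",
}

# NT-native hive prefix -> the short name PowerShell/regedit use.
HIVES = {r"\REGISTRY\MACHINE": "HKLM", r"\REGISTRY\USER": "HKU"}

# Set value (<type>) <key path>\<value name> = "<data>" <writer process> N/A
RUN_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\\S+)\\([^\\\s]+) = "([^"]*)" (\S+) N/A$')
# File created <path> <writer process> N/A
DROP_RE = re.compile(r"^File created (\S+) (\S+) N/A$")


def parse_run_key(line):
    """Turn one 'Set value' row into a normalized autorun record."""
    m = RUN_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsed row: {line!r}")
    vtype, keypath, value_name, raw_data, writer = m.groups()
    hive, subkey = None, keypath
    for nt_prefix, short in HIVES.items():
        if keypath.upper().startswith(nt_prefix.upper() + "\\"):
            hive, subkey = short, keypath[len(nt_prefix) + 1:]
            break
    if hive is None:
        raise ValueError(f"unknown hive in {keypath!r}")
    wow64 = "\\wow6432node\\" in subkey.lower()
    return {
        "hive": hive,
        "subkey": subkey,
        # The same key as a 32-bit process sees it before WOW64 redirection.
        "native_subkey": re.sub(r"(?i)\\Wow6432Node", "", subkey),
        "wow64": wow64,
        "powershell_path": f"{hive}:\\{subkey}",
        "value_name": value_name,
        "type": vtype,
        # The sandbox doubles backslashes inside the quoted data; undo that.
        "data": raw_data.replace("\\\\", "\\"),
        "writer": writer,
    }


def parse_drops(text):
    """Map each created file path to the set of processes that wrote it."""
    drops = {}
    for line in text.strip().splitlines():
        m = DROP_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        path, writer = m.groups()
        drops.setdefault(path, set()).add(writer)
    return drops


def correlate(run_rows, drop_rows, hashes):
    """One record per (key, value): who set it, what it launches, who dropped that, its hash."""
    drops = parse_drops(drop_rows)
    out = {}
    for line in run_rows.strip().splitlines():
        e = parse_run_key(line)
        target = e["data"]  # a bare path in this report; strip quotes/args if not
        rec = out.setdefault((e["powershell_path"], e["value_name"]),
                             {"target": target, "writers": set(), "dropped_by": set(), "sha256": None})
        rec["writers"].add(e["writer"])
        rec["dropped_by"] |= drops.get(target, set())
        rec["sha256"] = hashes.get(target)
    return out


if __name__ == "__main__":
    for (key, name), rec in correlate(RUN_KEY_ROWS, DROP_ROWS, DROPPED_HASHES).items():
        print(f"{key}\\{name} -> {rec['target']} (sha256 {rec['sha256']})")
        print(f"  set by: {sorted(rec['writers'])}")
        print(f"  target dropped by: {sorted(rec['dropped_by'])}")
```

The collapsed record shows why removing the Run value alone is not a cleanup: both the original sample and the running CTS.exe write it, so the value returns as long as CTS.exe is alive. On a host, check both HKLM:\SOFTWARE\Wow6432Node\...\Run and the native HKLM:\SOFTWARE\...\Run for a value named CTS, and compare the SHA256 of C:\Windows\CTS.exe with the hash listed in the Files section.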

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5b592e5d59cc9eaf78c2cc5ef554171_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1600 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\e5b592e5d59cc9eaf78c2cc5ef554171_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\3JVlSSmlvpVXUWZ.exe
PID 1600 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\e5b592e5d59cc9eaf78c2cc5ef554171_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\3JVlSSmlvpVXUWZ.exe
PID 1600 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\e5b592e5d59cc9eaf78c2cc5ef554171_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\3JVlSSmlvpVXUWZ.exe
PID 1600 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\e5b592e5d59cc9eaf78c2cc5ef554171_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\3JVlSSmlvpVXUWZ.exe
PID 1600 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\e5b592e5d59cc9eaf78c2cc5ef554171_JaffaCakes118.exe C:\Windows\CTS.exe
PID 1600 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\e5b592e5d59cc9eaf78c2cc5ef554171_JaffaCakes118.exe C:\Windows\CTS.exe
PID 1600 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\e5b592e5d59cc9eaf78c2cc5ef554171_JaffaCakes118.exe C:\Windows\CTS.exe
PID 1600 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\e5b592e5d59cc9eaf78c2cc5ef554171_JaffaCakes118.exe C:\Windows\CTS.exe
PID 1940 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\3JVlSSmlvpVXUWZ.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
PID 1940 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\3JVlSSmlvpVXUWZ.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
PID 1940 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\3JVlSSmlvpVXUWZ.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
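The WriteProcessMemory table above repeats each parent/child pair once per write, so the eleven rows describe only three relationships, and collapsing them yields the detonation's process tree: the sample (PID 1600) spawned both the dropped 3JVlSSmlvpVXUWZ.exe (1940) and its C:\Windows\CTS.exe copy (2508), and 3JVlSSmlvpVXUWZ.exe in turn spawned dw20.exe (2616). dw20.exe is the .NET Framework 2.0 Watson crash reporter, launched as dw20.exe -x -s <handle> when a managed application dies on an unhandled exception; its presence means the dropped payload crashed in the sandbox rather than ran, and the processor and BIOS registry reads attributed to dw20.exe in behavioral2 are the crash reporter collecting its own telemetry, not the sample's reconnaissance. The script below is an added example, not part of the report: it parses the rows above (copied verbatim as constructed input), deduplicates them into parent/child edges with write counts, and renders the tree with those two annotations. The regex and the annotation rules are my assumptions.

```python
"""Rebuild the process tree from a sandbox's WriteProcessMemory rows.

Added example. The rows are copied from the behavioral1 table above; a raw
string keeps the Windows backslashes intact.
"""
import os
import re
from collections import Counter, defaultdict

# Constructed input: the eleven WriteProcessMemory rows from behavioral1, verbatim.
WPM_ROWS = r"""
PID 1600 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\e5b592e5d59cc9eaf78c2cc5ef554171_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\3JVlSSmlvpVXUWZ.exe
PID 1600 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\e5b592e5d59cc9eaf78c2cc5ef554171_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\3JVlSSmlvpVXUWZ.exe
PID 1600 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\e5b592e5d59cc9eaf78c2cc5ef554171_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\3JVlSSmlvpVXUWZ.exe
PID 1600 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\e5b592e5d59cc9eaf78c2cc5ef554171_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\3JVlSSmlvpVXUWZ.exe
PID 1600 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\e5b592e5d59cc9eaf78c2cc5ef554171_JaffaCakes118.exe C:\Windows\CTS.exe
PID 1600 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\e5b592e5d59cc9eaf78c2cc5ef554171_JaffaCakes118.exe C:\Windows\CTS.exe
PID 1600 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\e5b592e5d59cc9eaf78c2cc5ef554171_JaffaCakes118.exe C:\Windows\CTS.exe
PID 1600 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\e5b592e5d59cc9eaf78c2cc5ef554171_JaffaCakes118.exe C:\Windows\CTS.exe
PID 1940 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\3JVlSSmlvpVXUWZ.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
PID 1940 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\3JVlSSmlvpVXUWZ.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
PID 1940 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\3JVlSSmlvpVXUWZ.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
"""

# PID <parent> wrote to memory of <child> N/A <parent image> <child image>
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Windows Error Reporting / Watson binaries: such a child means its parent
# crashed; it is not a payload the sample dropped.
CRASH_REPORTERS = {"dw20.exe", "werfault.exe", "dwwin.exe"}


def parse_rows(text):
    """Return ({pid: image path}, Counter{(parent_pid, child_pid): write count})."""
    images = {}
    writes = Counter()
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        ppid, cpid, pimg, cimg = m.groups()
        images[int(ppid)] = pimg
        images[int(cpid)] = cimg
        writes[(int(ppid), int(cpid))] += 1
    return images, writes


def build_tree(writes):
    """Parent -> children map plus the root PIDs (parents that are nobody's child)."""
    children = defaultdict(list)
    for ppid, cpid in writes:
        children[ppid].append(cpid)
    all_children = {c for _, c in writes}
    roots = sorted({p for p, _ in writes if p not in all_children})
    return children, roots


def annotate(image):
    """Short analyst note for an image path (basename split done by hand: Linux has no ntpath here)."""
    name = os.path.basename(image.replace("\\", "/")).lower()
    if name in CRASH_REPORTERS:
        return "  <- crash reporter: parent hit an unhandled exception"
    if image.lower().startswith("c:\\windows\\"):
        return "  <- dropped into the Windows directory"
    return ""


def render(images, writes):
    """Indented tree lines: '<pid> <image>[ <note>]', children sorted by PID."""
    children, roots = build_tree(writes)
    lines = []

    def walk(pid, depth):
        lines.append(f"{'  ' * depth}{pid} {images[pid]}{annotate(images[pid])}")
        for cpid in sorted(children.get(pid, [])):
            walk(cpid, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    imgs, edges = parse_rows(WPM_ROWS)
    print(f"{sum(edges.values())} writes, {len(edges)} parent/child pairs")
    print("\n".join(render(imgs, edges)))
```

The write counts are worth keeping: four writes per spawned child here is the usual pattern for a parent that creates a process and patches its memory before letting it run, and the count distinguishes that from a single stray write.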

Processes

C:\Users\Admin\AppData\Local\Temp\e5b592e5d59cc9eaf78c2cc5ef554171_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e5b592e5d59cc9eaf78c2cc5ef554171_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\3JVlSSmlvpVXUWZ.exe

C:\Users\Admin\AppData\Local\Temp\3JVlSSmlvpVXUWZ.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe

dw20.exe -x -s 376

Network

N/A

Files

memory/1600-0-0x0000000000390000-0x00000000003A7000-memory.dmp

\Users\Admin\AppData\Local\Temp\3JVlSSmlvpVXUWZ.exe

MD5 e115521ba14b75f53dcdff087ec6898f
SHA1 87103a892bb514a93d485fba221bacb9da3aae25
SHA256 59b284d0ad4c2634938e70fae67d9048bd98422d052fbd745a9b80b5fae7ae29
SHA512 ab3d097bcf11bf7327a28124052b210f5fb13b9bfb9b7376cae1ba5c30182a330506935288a7fe06b7e3fdd82b57f5c31638f1c301738342819c772b346fa35a

C:\Windows\CTS.exe

MD5 70aa23c9229741a9b52e5ce388a883ac
SHA1 b42683e21e13de3f71db26635954d992ebe7119e
SHA256 9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2
SHA512 be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5

memory/1600-14-0x00000000000E0000-0x00000000000F7000-memory.dmp

memory/1600-12-0x00000000000E0000-0x00000000000F7000-memory.dmp

memory/1600-9-0x0000000000390000-0x00000000003A7000-memory.dmp

memory/2508-15-0x0000000000FB0000-0x0000000000FC7000-memory.dmp

memory/1940-18-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

memory/1940-19-0x0000000000AA0000-0x0000000000B20000-memory.dmp

memory/2616-20-0x00000000004C0000-0x00000000004C1000-memory.dmp

memory/1940-23-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

memory/1940-24-0x0000000000AA0000-0x0000000000B20000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 19:41

Reported

2024-04-07 19:44

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e5b592e5d59cc9eaf78c2cc5ef554171_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\KnMOA6FzUKY6psh.exe N/A
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\e5b592e5d59cc9eaf78c2cc5ef554171_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\e5b592e5d59cc9eaf78c2cc5ef554171_JaffaCakes118.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5b592e5d59cc9eaf78c2cc5ef554171_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e5b592e5d59cc9eaf78c2cc5ef554171_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e5b592e5d59cc9eaf78c2cc5ef554171_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\KnMOA6FzUKY6psh.exe

C:\Users\Admin\AppData\Local\Temp\KnMOA6FzUKY6psh.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe

dw20.exe -x -s 804

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 137.71.105.51.in-addr.arpa udp

Files

memory/4332-0-0x0000000000530000-0x0000000000547000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KnMOA6FzUKY6psh.exe

MD5 e115521ba14b75f53dcdff087ec6898f
SHA1 87103a892bb514a93d485fba221bacb9da3aae25
SHA256 59b284d0ad4c2634938e70fae67d9048bd98422d052fbd745a9b80b5fae7ae29
SHA512 ab3d097bcf11bf7327a28124052b210f5fb13b9bfb9b7376cae1ba5c30182a330506935288a7fe06b7e3fdd82b57f5c31638f1c301738342819c772b346fa35a

C:\Windows\CTS.exe

MD5 70aa23c9229741a9b52e5ce388a883ac
SHA1 b42683e21e13de3f71db26635954d992ebe7119e
SHA256 9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2
SHA512 be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5

memory/4776-9-0x0000000000D30000-0x0000000000D47000-memory.dmp

memory/4332-7-0x0000000000530000-0x0000000000547000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 55be7f9f56974953e2bf17a256160a53
SHA1 bc9332df52a216db59cecb1b5fa28cd6d3f6f7e8
SHA256 e5d6a20b2543d478634a313dfb1771e1154be28466895d52a522fb98c7c78214
SHA512 63a1e1491aa9a9eccd7dc12db3062c29148e72b30a201d5abfa0b6fc09574e7dbfe861c897f062d9a3d4955c87e44a3a75f4440cb2c5b7c28175c35001cd19bf

memory/2984-27-0x00007FF8BF440000-0x00007FF8BFDE1000-memory.dmp

memory/2984-28-0x00007FF8BF440000-0x00007FF8BFDE1000-memory.dmp

memory/2984-29-0x0000000001110000-0x0000000001120000-memory.dmp

memory/2984-39-0x00007FF8BF440000-0x00007FF8BFDE1000-memory.dmp

memory/4776-40-0x0000000000D30000-0x0000000000D47000-memory.dmp