Malware Analysis Report

2024-11-30 04:12

Sample ID 240408-bg3e3scb2z
Target e6491b6bc0e1d5f32d4cb9380a55c322_JaffaCakes118
SHA256 9b0947c245b33bfca8adbdb1637c304aac1893db2c6779689b1287da222509ee
Tags persistence, spyware, stealer, upx
Score 7/10


Analysis Overview

Score 7/10

SHA256 9b0947c245b33bfca8adbdb1637c304aac1893db2c6779689b1287da222509ee

Threat Level: Shows suspicious behavior

The file e6491b6bc0e1d5f32d4cb9380a55c322_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Tags persistence, spyware, stealer, upx

Executes dropped EXE

Reads user/profile data of web browsers

UPX packed file

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-04-08 01:07

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-04-08 01:07
Reported 2024-04-08 01:10
Platform win10v2004-20240226-en
Max time kernel 141s
Max time network 127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e6491b6bc0e1d5f32d4cb9380a55c322_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\e6491b6bc0e1d5f32d4cb9380a55c322_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\e6491b6bc0e1d5f32d4cb9380a55c322_JaffaCakes118.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e6491b6bc0e1d5f32d4cb9380a55c322_JaffaCakes118.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e6491b6bc0e1d5f32d4cb9380a55c322_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e6491b6bc0e1d5f32d4cb9380a55c322_JaffaCakes118.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp

Files

memory/1260-0-0x0000000000370000-0x0000000000387000-memory.dmp

C:\Windows\CTS.exe

MD5 70aa23c9229741a9b52e5ce388a883ac
SHA1 b42683e21e13de3f71db26635954d992ebe7119e
SHA256 9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2
SHA512 be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5

memory/2328-8-0x0000000000BE0000-0x0000000000BF7000-memory.dmp

memory/1260-7-0x0000000000370000-0x0000000000387000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 15298a05bbcd423db28574a46469c570
SHA1 c48d3bf0d1e49db6e03c1b7d9610077488ca62f8
SHA256 9aac3651a08b31af4564b065dff7678d700bf9658353752fcac235fce93e2db1
SHA512 926d707857a20a03e8a8a83d999e9ea282fe0cfa4c3b7595f54bd6f3acf5bce4598fdbb4f0d3eab7cffbeb97bf3e40e0648a0f79bd0114658453f2e6dd3b21e8

C:\Users\Admin\AppData\Local\Temp\bMZwJZbbjROS47u.exe

MD5 99a17225f44b19320941885b6d5d4aa3
SHA1 b28e07fbde49731670eca05dbdd0264ef11566f9
SHA256 d3329cf7397654a7d111030c86f0722c34dfa91f63730509fed2d18de0f5192e
SHA512 934884b3e98d0934761cb22d0c610273394d8d366fddc3895b9e008bf144a9a3511db5d3b6d1501e3cca1af39f0622906d83858ad38a71f5b8ea4b2228720064

memory/2328-32-0x0000000000BE0000-0x0000000000BF7000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted 2024-04-08 01:07
Reported 2024-04-08 01:10
Platform win7-20240215-en
Max time kernel 140s
Max time network 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e6491b6bc0e1d5f32d4cb9380a55c322_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\e6491b6bc0e1d5f32d4cb9380a55c322_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\e6491b6bc0e1d5f32d4cb9380a55c322_JaffaCakes118.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e6491b6bc0e1d5f32d4cb9380a55c322_JaffaCakes118.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e6491b6bc0e1d5f32d4cb9380a55c322_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e6491b6bc0e1d5f32d4cb9380a55c322_JaffaCakes118.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

memory/1888-0-0x0000000000850000-0x0000000000867000-memory.dmp

memory/1888-8-0x0000000000850000-0x0000000000867000-memory.dmp

C:\Windows\CTS.exe

MD5 70aa23c9229741a9b52e5ce388a883ac
SHA1 b42683e21e13de3f71db26635954d992ebe7119e
SHA256 9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2
SHA512 be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5

memory/1888-11-0x0000000000070000-0x0000000000087000-memory.dmp

memory/2504-12-0x00000000001B0000-0x00000000001C7000-memory.dmp

memory/1888-18-0x0000000000070000-0x0000000000087000-memory.dmp