Analysis
- max time kernel: 141s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 08-04-2024 01:22
Behavioral task: behavioral1
- Sample: e64f950b934bf9514a8e62d0f8d64734_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: e64f950b934bf9514a8e62d0f8d64734_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: e64f950b934bf9514a8e62d0f8d64734_JaffaCakes118.exe
- Size: 41KB
- MD5: e64f950b934bf9514a8e62d0f8d64734
- SHA1: 73a9bd2e9c68096cd04f9ab5ff0b0cf263c273b4
- SHA256: ffde756ffbea6f4f298dc943a6983d836d70fa48eeaa9aeb5c522beac06ae9f7
- SHA512: 7979ced1a6bca4de517bc8d75c83c3c7c9c507e14f1d2e857c8489424226d889eaef8153b17edeaac572f08be50e66748e0098d6247a024e260beddb89e86c4f
- SSDEEP: 768:X8Q2ZDX3LKew369lp2z3Sd4baFXLjwP/Tgj93b8NIom46+IHtScNC7:s9Z3KcR4mjD9r8226+GNs
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
Processes:
  pid   Process
  2720  CTS.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Processes:
  resource                                                                     yara_rule
  behavioral1/memory/2208-0-0x0000000000810000-0x0000000000827000-memory.dmp   upx
  behavioral1/files/0x000c000000015a2d-8.dat                                   upx
  behavioral1/memory/2720-12-0x0000000001260000-0x0000000001277000-memory.dmp  upx
  behavioral1/memory/2208-9-0x0000000000810000-0x0000000000827000-memory.dmp   upx
  behavioral1/memory/2208-5-0x0000000000160000-0x0000000000177000-memory.dmp   upx
  behavioral1/files/0x000b000000012241-15.dat                                  upx
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description      ioc                                                                                                       Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"  e64f950b934bf9514a8e62d0f8d64734_JaffaCakes118.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"  CTS.exe
Drops file in Windows directory (2 IoCs)
Processes:
  description   ioc                 Process
  File created  C:\Windows\CTS.exe  e64f950b934bf9514a8e62d0f8d64734_JaffaCakes118.exe
  File created  C:\Windows\CTS.exe  CTS.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description              pid   Process
  Token: SeDebugPrivilege  2208  e64f950b934bf9514a8e62d0f8d64734_JaffaCakes118.exe
  Token: SeDebugPrivilege  2720  CTS.exe
Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description                           pid   Process                                             procid_target
  PID 2208 wrote to memory of 2720      2208  e64f950b934bf9514a8e62d0f8d64734_JaffaCakes118.exe  28
  PID 2208 wrote to memory of 2720      2208  e64f950b934bf9514a8e62d0f8d64734_JaffaCakes118.exe  28
  PID 2208 wrote to memory of 2720      2208  e64f950b934bf9514a8e62d0f8d64734_JaffaCakes118.exe  28
  PID 2208 wrote to memory of 2720      2208  e64f950b934bf9514a8e62d0f8d64734_JaffaCakes118.exe  28
Processes
1. C:\Users\Admin\AppData\Local\Temp\e64f950b934bf9514a8e62d0f8d64734_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e64f950b934bf9514a8e62d0f8d64734_JaffaCakes118.exe"
   - Adds Run key to start application
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 2208
   2. C:\Windows\CTS.exe (child of PID 2208)
      Command line: "C:\Windows\CTS.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      PID: 2720
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 41KB
  MD5: fa9f781e877af2933e62d539419e9bb9
  SHA1: 832555b3fb4c20e5ff7e2df07871b1d7832b0f51
  SHA256: e281f02029620dad3c118ac86ca2da14c1116b282400d1791ef9e9c3299dbf6a
  SHA512: 69592583bc839701662ce7ea287205baa9aada83872d3825479eef3ef52f6687e96a14b0989831a7a5d3ac29945ef82992897686d824f47cabd68d8cb26b2c21
- Filesize: 35KB
  MD5: 93e5f18caebd8d4a2c893e40e5f38232
  SHA1: fd55c4e6bcd108bce60ea719c06dc9c4d0adafa6
  SHA256: a66c4b98becac2f69cb107cd087d7a2ca9ef511bc3b83367b1f440f11dd159a8
  SHA512: 986583610d27caae2080834301d072557c5d2c85e33f0d19ab1245d7eae8db146397461572ddb3d491be16f3af210720d54267dac838fdad8fe34afa3d6b7f54