Malware Analysis Report

2024-11-30 04:12

Sample ID 240408-brgw5ace31
Target e64f950b934bf9514a8e62d0f8d64734_JaffaCakes118
SHA256 ffde756ffbea6f4f298dc943a6983d836d70fa48eeaa9aeb5c522beac06ae9f7
Tags
persistence spyware stealer upx
score
7/10

Analysis Overview

score
7/10

SHA256

ffde756ffbea6f4f298dc943a6983d836d70fa48eeaa9aeb5c522beac06ae9f7

Threat Level: Shows suspicious behavior

The file e64f950b934bf9514a8e62d0f8d64734_JaffaCakes118 shows suspicious behavior (score 7/10): it drops a copy of itself into the Windows directory, registers that copy under an HKLM Run key, and reads browser profile data.

Malicious Activity Summary

persistence spyware stealer upx

Executes dropped EXE

Reads user/profile data of web browsers

UPX packed file

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-04-08 01:22

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
(1 match; no indicator, process or target recorded)

Unsigned PE

Description | Indicator | Process | Target
(1 match; no indicator, process or target recorded)
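The two static signatures above are header-level checks, and a practitioner will usually want to confirm them independently of the sandbox. The following is an added example (not the sandbox's own detection code and not the report's sample) that parses just enough of a PE file to list its section names, where a default UPX build leaves UPX0/UPX1, and to see whether the Security data directory (index 4, the Authenticode signature blob) is populated. The PE bytes it runs on are constructed inline by build_pe, so it runs offline; the hash-named sample itself is not embedded.

```python
import struct

SECTION_HEADER_SIZE = 40   # sizeof(IMAGE_SECTION_HEADER)
SECURITY_DIR_INDEX = 4     # IMAGE_DIRECTORY_ENTRY_SECURITY (Authenticode blob)


def inspect_pe(data):
    """Parse the DOS, COFF and optional headers plus the section table of a PE.
    Returns architecture, section names, a UPX hint and whether the Security
    data directory references a signature blob."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:
        arch, dirs_at = "PE32", 96
    elif magic == 0x20B:
        arch, dirs_at = "PE32+", 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # NumberOfRvaAndSizes sits immediately before the data directory array.
    (num_dirs,) = struct.unpack_from("<I", data, opt + dirs_at - 4)
    sec_off = sec_size = 0
    if num_dirs > SECURITY_DIR_INDEX:
        sec_off, sec_size = struct.unpack_from(
            "<II", data, opt + dirs_at + 8 * SECURITY_DIR_INDEX)
    table = opt + size_of_optional
    names = []
    for i in range(num_sections):
        raw = struct.unpack_from("8s", data, table + i * SECTION_HEADER_SIZE)[0]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return {
        "arch": arch,
        "sections": names,
        "upx_sections": any(n.upper().startswith("UPX") for n in names),
        "has_authenticode": sec_off != 0 and sec_size != 0,
    }


def build_pe(section_names, security_dir=(0, 0)):
    """Constructed minimal PE32 header (not a loadable image) used to exercise
    inspect_pe offline. It stands in for a real file; the report's sample is
    not embedded here."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR_INDEX, *security_dir)
    sections = b"".join(struct.pack("8s", n.encode("ascii")) + b"\0" * 32
                        for n in section_names)
    return dos + b"PE\0\0" + coff + bytes(opt) + sections


if __name__ == "__main__":
    print(inspect_pe(build_pe(["UPX0", "UPX1", ".rsrc"])))
    print(inspect_pe(build_pe([".text", ".rdata", ".data"], security_dir=(0x4800, 0x1A00))))
```

Two caveats apply when reading the output. UPX can be told to rename its sections, so the absence of UPX0/UPX1 does not prove the file is unpacked; unpack with `upx -d` or watch for a high-entropy section whose virtual size far exceeds its raw size. Conversely a populated Security directory only means a signature blob is present, not that it validates; confirm with `Get-AuthenticodeSignature` on Windows before treating a file as signed.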

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-08 01:22

Reported

2024-04-08 01:25

Platform

win7-20240221-en

Max time kernel

141s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e64f950b934bf9514a8e62d0f8d64734_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description | Indicator | Process | Target
(6 matches; no indicator, process or target recorded)

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\e64f950b934bf9514a8e62d0f8d64734_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Both the original sample and its dropped copy write the same HKLM Run value, named CTS, pointing at C:\Windows\CTS.exe. The Wow6432Node component is WOW64 registry redirection: a 32-bit process writing HKLM\SOFTWARE on 64-bit Windows lands there, while the process itself addresses HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Writing under HKLM and into C:\Windows both require an elevated token, which the sandbox's Admin account provides; on a standard-user host the same code would fail or fall back to HKCU.

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\e64f950b934bf9514a8e62d0f8d64734_JaffaCakes118.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A
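The Run-key and file-drop events above are the report's persistence evidence, and the same two facts (where the value lives, what it points at) are what a triage script checks on a real host or in a sandbox export. The following is an added example, not part of the report or of the sandbox's signature logic: it takes the registry writes and dropped-file paths exactly as the report lists them, normalises the native \REGISTRY\MACHINE path to HKLM form while noting WOW64 redirection, extracts the executable from the value data, and lists the reasons the entry looks like malware persistence. The scoring rules are this example's own heuristics.

```python
import ntpath
import re

# Registry writes exactly as the report lists them: (native key path, string value data).
RUN_KEY_EVENTS = [
    (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS",
     r"C:\Windows\CTS.exe"),
]
# Files the report lists as created during the behavioral1 run.
DROPPED_FILES = frozenset({
    r"C:\Windows\CTS.exe",
    r"C:\Users\Admin\AppData\Local\Temp\P7OegHYgs46Hh7A.exe",
})

_HIVES = ((r"\REGISTRY\MACHINE", "HKLM"), (r"\REGISTRY\USER", "HKU"))


def logical_key(native_path):
    """Map a native \\REGISTRY\\... path to HKLM/HKU form and strip WOW64
    redirection. Returns (key_path, value_name, was_redirected)."""
    for prefix, hive in _HIVES:
        if native_path.upper().startswith(prefix.upper()):
            rest = native_path[len(prefix):]
            break
    else:
        raise ValueError(f"unrecognised hive in {native_path!r}")
    redirected = re.search(r"\\wow6432node\\", rest, re.I) is not None
    rest = re.sub(r"\\wow6432node\\", r"\\", rest, flags=re.I)
    key, _, value_name = rest.rpartition("\\")
    return hive + key, value_name, redirected


def executable_from_command(command):
    """Extract the program path from Run value data, which may be quoted and
    may carry arguments ('"C:\\a b\\x.exe" /s' or 'C:\\x.exe /s')."""
    command = command.strip()
    m = re.match(r'"([^"]+)"', command)
    if m:
        return m.group(1)
    m = re.match(r"(.+?\.exe)(?:\s|$)", command, re.I)
    return m.group(1) if m else (command.split() or [command])[0]


def assess_run_value(native_path, data, dropped=DROPPED_FILES):
    """Score one Run value write; returns the normalised key, the target exe
    and the reasons it looks like persistence rather than a normal autostart."""
    key, name, redirected = logical_key(native_path)
    exe = executable_from_command(data)
    parent = ntpath.dirname(exe).rstrip("\\").lower()
    reasons = []
    if key.startswith("HKLM"):
        reasons.append("machine-wide autostart (HKLM, needs an elevated token to write)")
    if parent == r"c:\windows":
        # Legitimate autostarts live under System32 or Program Files, not the Windows root.
        reasons.append("executable placed directly in the Windows root")
    if re.search(r"\\(users|appdata|temp|programdata)\\", exe, re.I):
        reasons.append("executable in a user-writable location")
    if exe.lower() in {d.lower() for d in dropped}:
        reasons.append("target was dropped during this run")
    return {"key": key, "value": name, "wow64_redirected": redirected,
            "exe": exe, "reasons": reasons}


def triage(events=RUN_KEY_EVENTS, dropped=DROPPED_FILES):
    """Assess every Run-key event in the report."""
    return [assess_run_value(path, data, dropped) for path, data in events]


if __name__ == "__main__":
    for finding in triage():
        print(f"{finding['key']}\\{finding['value']} -> {finding['exe']}"
              f" (WOW64 redirected: {finding['wow64_redirected']})")
        for reason in finding["reasons"]:
            print("   -", reason)
```

For the report's single event this yields the HKLM Run key with value CTS, the WOW64 flag set, and three reasons: a machine-wide autostart, an executable sitting directly in C:\Windows, and a target that was dropped during the same run. The same function applied to an HKCU entry pointing into AppData flags only the user-writable location, which is the more common shape for commodity stealers running without elevation.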

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e64f950b934bf9514a8e62d0f8d64734_JaffaCakes118.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e64f950b934bf9514a8e62d0f8d64734_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e64f950b934bf9514a8e62d0f8d64734_JaffaCakes118.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

memory/2208-0-0x0000000000810000-0x0000000000827000-memory.dmp

C:\Windows\CTS.exe

MD5 93e5f18caebd8d4a2c893e40e5f38232
SHA1 fd55c4e6bcd108bce60ea719c06dc9c4d0adafa6
SHA256 a66c4b98becac2f69cb107cd087d7a2ca9ef511bc3b83367b1f440f11dd159a8
SHA512 986583610d27caae2080834301d072557c5d2c85e33f0d19ab1245d7eae8db146397461572ddb3d491be16f3af210720d54267dac838fdad8fe34afa3d6b7f54

memory/2720-12-0x0000000001260000-0x0000000001277000-memory.dmp

memory/2208-9-0x0000000000810000-0x0000000000827000-memory.dmp

memory/2208-5-0x0000000000160000-0x0000000000177000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\P7OegHYgs46Hh7A.exe

MD5 fa9f781e877af2933e62d539419e9bb9
SHA1 832555b3fb4c20e5ff7e2df07871b1d7832b0f51
SHA256 e281f02029620dad3c118ac86ca2da14c1116b282400d1791ef9e9c3299dbf6a
SHA512 69592583bc839701662ce7ea287205baa9aada83872d3825479eef3ef52f6687e96a14b0989831a7a5d3ac29945ef82992897686d824f47cabd68d8cb26b2c21

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-08 01:22

Reported

2024-04-08 01:25

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e64f950b934bf9514a8e62d0f8d64734_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description | Indicator | Process | Target
(7 matches; no indicator, process or target recorded)

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\e64f950b934bf9514a8e62d0f8d64734_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\e64f950b934bf9514a8e62d0f8d64734_JaffaCakes118.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e64f950b934bf9514a8e62d0f8d64734_JaffaCakes118.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e64f950b934bf9514a8e62d0f8d64734_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e64f950b934bf9514a8e62d0f8d64734_JaffaCakes118.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 123.10.44.20.in-addr.arpa | udp

All ten entries are reverse-DNS (PTR) queries to the public resolver 8.8.8.8. An in-addr.arpa name carries the IPv4 octets in reverse order, so 217.106.137.52.in-addr.arpa asks about 52.137.106.217. No connection by the sample or by CTS.exe to any host is recorded, and the Windows 7 run logged no network activity at all, so these lookups are more plausibly background traffic of the Windows 10 image than command-and-control; treat them as unattributed rather than as indicators for this sample.
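Reading the network table by hand means reversing octets in your head; when a report has dozens of rows it is worth parsing. The following is an added example, not code from the report or the sandbox: it parses the behavioral2 table as copied above, decodes each in-addr.arpa (and, going beyond the table, ip6.arpa) name back to the address it asks about, separates DNS from any non-DNS traffic that would merit C2 investigation, and lists the unique decoded addresses for whois or ASN enrichment. The row format is assumed to be the five space-separated fields shown in the table.

```python
import ipaddress
import re

# The behavioral2 network table, copied from the report.
NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp
"""

# country, destination "host:port", queried domain, protocol
ROW_RE = re.compile(
    r"^(?P<country>\S+)\s+(?P<dst>\S+):(?P<port>\d+)\s+(?P<name>\S+)\s+(?P<proto>\S+)$")


def ptr_to_address(name):
    """Recover the address a reverse-DNS name asks about: in-addr.arpa names
    carry the IPv4 octets reversed, ip6.arpa names the 32 hex nibbles reversed.
    Returns None for anything else (a forward lookup, a malformed name)."""
    name = name.rstrip(".").lower()
    try:
        if name.endswith(".in-addr.arpa"):
            octets = name[: -len(".in-addr.arpa")].split(".")
            if len(octets) != 4:
                return None
            return ipaddress.IPv4Address(".".join(reversed(octets)))
        if name.endswith(".ip6.arpa"):
            nibbles = name[: -len(".ip6.arpa")].split(".")
            if len(nibbles) != 32:
                return None
            return ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16))
    except ValueError:
        return None
    return None


def parse_network_table(text):
    """Turn the report's flat rows into dicts, decoding PTR queries on the way."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:                      # header line or blank
            continue
        address = ptr_to_address(m["name"])
        rows.append({
            "resolver": m["dst"],
            "port": int(m["port"]),
            "proto": m["proto"],
            "query": m["name"],
            "kind": "PTR" if address else "other",
            "address": str(address) if address else None,
        })
    return rows


def non_dns(rows):
    """Rows that are not DNS: the candidates for C2 or payload download."""
    return [r for r in rows if r["port"] != 53]


def looked_up_addresses(rows):
    """Sorted unique addresses behind the PTR queries, ready for enrichment."""
    return sorted({r["address"] for r in rows if r["address"]},
                  key=ipaddress.ip_address)


if __name__ == "__main__":
    rows = parse_network_table(NETWORK_TABLE)
    print(f"{len(rows)} rows, {len(non_dns(rows))} non-DNS")
    for addr in looked_up_addresses(rows):
        print(addr)
```

For this report the parser returns ten PTR rows, no non-DNS traffic, and ten distinct addresses to enrich. That enrichment step is where the attribution question gets settled: addresses that resolve to the OS vendor's or a CDN's ranges support the background-traffic reading, while anything unexpected should be pulled into the IOC list.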

Files

memory/2032-0-0x0000000000040000-0x0000000000057000-memory.dmp

C:\Windows\CTS.exe

MD5 93e5f18caebd8d4a2c893e40e5f38232
SHA1 fd55c4e6bcd108bce60ea719c06dc9c4d0adafa6
SHA256 a66c4b98becac2f69cb107cd087d7a2ca9ef511bc3b83367b1f440f11dd159a8
SHA512 986583610d27caae2080834301d072557c5d2c85e33f0d19ab1245d7eae8db146397461572ddb3d491be16f3af210720d54267dac838fdad8fe34afa3d6b7f54

memory/2032-7-0x0000000000040000-0x0000000000057000-memory.dmp

memory/4108-8-0x0000000000E90000-0x0000000000EA7000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 c810ab75b3b181ec8cf1ea0c34004144
SHA1 dc1fd8a0eaacdc5a4716d2ab5f4f28f918f90810
SHA256 b2e78f096eaf931bfa8fdb020346d645f5f823d7fe8ef20e3fb2f56ff9e4b763
SHA512 0191a20fd34140e23e7f694009aae31cc817a2eb8ada8c5e7b9b1a7eb2c22324dbfca8428a770f428737e550193b74dccee725b37905a813f96d08dac49e64d0

C:\Users\Admin\AppData\Local\Temp\Fqlw8m0IDiQExYi.exe

MD5 92ca78977fae6f21e650dca0c6ca5626
SHA1 ea07640d53fae89198c55fce2be6c4f05b2e72a6
SHA256 69819a211af673cc301c55eb501cbb737bdf52ca69b0c75d4d9058cd66ade33a
SHA512 7c3c9a8f931ae41c92bc569b96176e64d6d6b669c7f04d3f66cd6aeca60ddd72871becbd91cceb3734c4798282bed44a10b3d9b506831195d79ae7d58e42df40

memory/4108-32-0x0000000000E90000-0x0000000000EA7000-memory.dmp