Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-04-2024 01:23

General

  • Target

    e64fb9e075b05d27ed6481515527e067_JaffaCakes118.exe

  • Size

    318KB

  • MD5

    e64fb9e075b05d27ed6481515527e067

  • SHA1

    20037657e46a41049b688141e5894e7a11947ea1

  • SHA256

    1dbb20ec25119ceba967e4fb7d2cb0b3b6fb2a4febd5b001f4adabe5da7cab8a

  • SHA512

    f61a47f95e4cd05ae0fc7c08c10e48e3db2b789be7543a0c47a4e0cb0e1e128ffaf930ae9d4c17d0fef487349a8340953986b7e0a54486cb169d5bfd0efa2209

  • SSDEEP

    6144:hGWjO2vrrtHF1RkG1P+RtzzpQ9q4qxt2Q3H5ty9eThB3FcN99:hPO4pHFswmRtz9Ql6Lf0sjVo9

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies registry class 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e64fb9e075b05d27ed6481515527e067_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e64fb9e075b05d27ed6481515527e067_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2504
    • C:\Users\Admin\AppData\Local\Temp\EQkac7WtLhaCi6H.exe
      C:\Users\Admin\AppData\Local\Temp\EQkac7WtLhaCi6H.exe
      2⤵
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4176
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:408

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

    Filesize

    352KB

    MD5

    cecf39169f30ebe6942389507bb1f1b0

    SHA1

    ea44d53f5cfc07ca3fbefbd16e0d4f663ece9b50

    SHA256

    4326386542267aadaede9d8644e33217f9de259bab73466fe63e8f920309227f

    SHA512

    1a55cdca9690259e34ba31d7e7fe7b330d88ad03cb0c528982b58e720ba3de32556529a4e35bfbe4a62d111e76de75f852c02c11cd152c5b2253d63648f287a4

  • C:\Users\Admin\AppData\Local\Temp\EQkac7WtLhaCi6H.exe

    Filesize

    288KB

    MD5

    880e155f8f47fb0db7b2080e71d59568

    SHA1

    2ed0c0f809765bbabd8c7d4f58e9a0bacf2bb629

    SHA256

    6011cd7d1a314d109bc0755d17be2e7812b2f5542ec24f3f3023532c1e8a1d44

    SHA512

    70977d36b8ec8c271c5ffd3303677743a2626196bb62af5d817e86a7eeed972bbb70acdd81508f7b4ee1da366ce02cd96a8d0e6f11627842f195cfd0c53a5bec

  • C:\Windows\CTS.exe

    Filesize

    29KB

    MD5

    70aa23c9229741a9b52e5ce388a883ac

    SHA1

    b42683e21e13de3f71db26635954d992ebe7119e

    SHA256

    9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2

    SHA512

    be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5

  • memory/408-10-0x00000000008A0000-0x00000000008B7000-memory.dmp

    Filesize

    92KB

  • memory/2504-0-0x0000000000800000-0x0000000000817000-memory.dmp

    Filesize

    92KB

  • memory/2504-8-0x0000000000800000-0x0000000000817000-memory.dmp

    Filesize

    92KB