Malware Analysis Report

2024-11-30 04:11

Sample ID 240408-bry6eacf44
Target e64fb9e075b05d27ed6481515527e067_JaffaCakes118
SHA256 1dbb20ec25119ceba967e4fb7d2cb0b3b6fb2a4febd5b001f4adabe5da7cab8a
Tags
upx persistence spyware stealer
score
7/10


Analysis Overview

score
7/10

SHA256

1dbb20ec25119ceba967e4fb7d2cb0b3b6fb2a4febd5b001f4adabe5da7cab8a

Threat Level: Shows suspicious behavior

The file e64fb9e075b05d27ed6481515527e067_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

upx persistence spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

UPX packed file

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-04-08 01:23

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-08 01:23

Reported

2024-04-08 01:25

Platform

win7-20231129-en

Max time kernel

140s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e64fb9e075b05d27ed6481515527e067_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kf6E5MMIBojIj4A.exe | N/A
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\e64fb9e075b05d27ed6481515527e067_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\e64fb9e075b05d27ed6481515527e067_JaffaCakes118.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\shell\open | C:\Users\Admin\AppData\Local\Temp\kf6E5MMIBojIj4A.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KF6E5M~1.EXE \"%1\"" | C:\Users\Admin\AppData\Local\Temp\kf6E5MMIBojIj4A.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.GRF | C:\Users\Admin\AppData\Local\Temp\kf6E5MMIBojIj4A.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.GRF\ = "GraphEdtGraph" | C:\Users\Admin\AppData\Local\Temp\kf6E5MMIBojIj4A.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph | C:\Users\Admin\AppData\Local\Temp\kf6E5MMIBojIj4A.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\ = "Filter Graph" | C:\Users\Admin\AppData\Local\Temp\kf6E5MMIBojIj4A.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\shell\open\command | C:\Users\Admin\AppData\Local\Temp\kf6E5MMIBojIj4A.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\shell | C:\Users\Admin\AppData\Local\Temp\kf6E5MMIBojIj4A.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e64fb9e075b05d27ed6481515527e067_JaffaCakes118.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kf6E5MMIBojIj4A.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kf6E5MMIBojIj4A.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e64fb9e075b05d27ed6481515527e067_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e64fb9e075b05d27ed6481515527e067_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\kf6E5MMIBojIj4A.exe

C:\Users\Admin\AppData\Local\Temp\kf6E5MMIBojIj4A.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

memory/2356-1-0x0000000000910000-0x0000000000927000-memory.dmp

\Users\Admin\AppData\Local\Temp\kf6E5MMIBojIj4A.exe

MD5 880e155f8f47fb0db7b2080e71d59568
SHA1 2ed0c0f809765bbabd8c7d4f58e9a0bacf2bb629
SHA256 6011cd7d1a314d109bc0755d17be2e7812b2f5542ec24f3f3023532c1e8a1d44
SHA512 70977d36b8ec8c271c5ffd3303677743a2626196bb62af5d817e86a7eeed972bbb70acdd81508f7b4ee1da366ce02cd96a8d0e6f11627842f195cfd0c53a5bec

C:\Windows\CTS.exe

MD5 70aa23c9229741a9b52e5ce388a883ac
SHA1 b42683e21e13de3f71db26635954d992ebe7119e
SHA256 9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2
SHA512 be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5

memory/2356-14-0x0000000000910000-0x0000000000927000-memory.dmp

memory/2356-16-0x00000000000E0000-0x00000000000F7000-memory.dmp

memory/2356-9-0x00000000000E0000-0x00000000000F7000-memory.dmp

memory/2228-20-0x0000000001290000-0x00000000012A7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-08 01:23

Reported

2024-04-08 01:25

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e64fb9e075b05d27ed6481515527e067_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EQkac7WtLhaCi6H.exe | N/A
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\e64fb9e075b05d27ed6481515527e067_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\e64fb9e075b05d27ed6481515527e067_JaffaCakes118.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\shell | C:\Users\Admin\AppData\Local\Temp\EQkac7WtLhaCi6H.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\shell\open | C:\Users\Admin\AppData\Local\Temp\EQkac7WtLhaCi6H.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EQKAC7~1.EXE \"%1\"" | C:\Users\Admin\AppData\Local\Temp\EQkac7WtLhaCi6H.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.GRF | C:\Users\Admin\AppData\Local\Temp\EQkac7WtLhaCi6H.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.GRF\ = "GraphEdtGraph" | C:\Users\Admin\AppData\Local\Temp\EQkac7WtLhaCi6H.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph | C:\Users\Admin\AppData\Local\Temp\EQkac7WtLhaCi6H.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\ = "Filter Graph" | C:\Users\Admin\AppData\Local\Temp\EQkac7WtLhaCi6H.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\shell\open\command | C:\Users\Admin\AppData\Local\Temp\EQkac7WtLhaCi6H.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e64fb9e075b05d27ed6481515527e067_JaffaCakes118.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EQkac7WtLhaCi6H.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EQkac7WtLhaCi6H.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e64fb9e075b05d27ed6481515527e067_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e64fb9e075b05d27ed6481515527e067_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\EQkac7WtLhaCi6H.exe

C:\Users\Admin\AppData\Local\Temp\EQkac7WtLhaCi6H.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 20.231.121.79:80 | | tcp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | | udp

Files

memory/2504-0-0x0000000000800000-0x0000000000817000-memory.dmp

memory/408-10-0x00000000008A0000-0x00000000008B7000-memory.dmp

memory/2504-8-0x0000000000800000-0x0000000000817000-memory.dmp

C:\Windows\CTS.exe

MD5 70aa23c9229741a9b52e5ce388a883ac
SHA1 b42683e21e13de3f71db26635954d992ebe7119e
SHA256 9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2
SHA512 be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5

C:\Users\Admin\AppData\Local\Temp\EQkac7WtLhaCi6H.exe

MD5 880e155f8f47fb0db7b2080e71d59568
SHA1 2ed0c0f809765bbabd8c7d4f58e9a0bacf2bb629
SHA256 6011cd7d1a314d109bc0755d17be2e7812b2f5542ec24f3f3023532c1e8a1d44
SHA512 70977d36b8ec8c271c5ffd3303677743a2626196bb62af5d817e86a7eeed972bbb70acdd81508f7b4ee1da366ce02cd96a8d0e6f11627842f195cfd0c53a5bec

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 cecf39169f30ebe6942389507bb1f1b0
SHA1 ea44d53f5cfc07ca3fbefbd16e0d4f663ece9b50
SHA256 4326386542267aadaede9d8644e33217f9de259bab73466fe63e8f920309227f
SHA512 1a55cdca9690259e34ba31d7e7fe7b330d88ad03cb0c528982b58e720ba3de32556529a4e35bfbe4a62d111e76de75f852c02c11cd152c5b2253d63648f287a4