02e89e7b35e73877adc3c731275d08b5f223ddff424e3b688b26fd3e4d761646

General

Target

e915aca96aaec5c628e81a74ce065fd8_JaffaCakes118.exe
Size

347KB
MD5

e915aca96aaec5c628e81a74ce065fd8
SHA1

1c422e23a04ffeb94682bdd2814b03d646ae6b95
SHA256

02e89e7b35e73877adc3c731275d08b5f223ddff424e3b688b26fd3e4d761646
SHA512

61a209c75e047830990337108d25cb52ba2bd9eb1372de09726762df707bbbde4560835df4f502e9c65baf0088d1c62128ef5ce46a7cf9063ba3434fa5ac0d2b
SSDEEP

6144:hGyGcOl9Pkfde5IXufAV6nOi1+K5kbyQGfFo2++Fsgu22TiB4Wv4o:h3u0fVXuItiPOb4fFob+FsgFTv4o

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4004	fZDKDlttOQBrMu5.exe
3568	CTS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2748-0-0x0000000000F80000-0x0000000000F97000-memory.dmp	upx
behavioral2/files/0x00070000000231fe-8.dat	upx
behavioral2/memory/2748-10-0x0000000000F80000-0x0000000000F97000-memory.dmp	upx
behavioral2/memory/3568-9-0x0000000000D90000-0x0000000000DA7000-memory.dmp	upx
behavioral2/files/0x000600000002275d-13.dat	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	e915aca96aaec5c628e81a74ce065fd8_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	e915aca96aaec5c628e81a74ce065fd8_JaffaCakes118.exe
File created	C:\Windows\CTS.exe	CTS.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\shell	fZDKDlttOQBrMu5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\shell\open	fZDKDlttOQBrMu5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FZDKDL~1.EXE \"%1\""	fZDKDlttOQBrMu5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.GRF	fZDKDlttOQBrMu5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.GRF\ = "GraphEdtGraph"	fZDKDlttOQBrMu5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph	fZDKDlttOQBrMu5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\ = "Filter Graph"	fZDKDlttOQBrMu5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\shell\open\command	fZDKDlttOQBrMu5.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2748	e915aca96aaec5c628e81a74ce065fd8_JaffaCakes118.exe
Token: SeDebugPrivilege	3568	CTS.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4004	fZDKDlttOQBrMu5.exe
4004	fZDKDlttOQBrMu5.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 4004	2748	e915aca96aaec5c628e81a74ce065fd8_JaffaCakes118.exe	85
PID 2748 wrote to memory of 4004	2748	e915aca96aaec5c628e81a74ce065fd8_JaffaCakes118.exe	85
PID 2748 wrote to memory of 3568	2748	e915aca96aaec5c628e81a74ce065fd8_JaffaCakes118.exe	86
PID 2748 wrote to memory of 3568	2748	e915aca96aaec5c628e81a74ce065fd8_JaffaCakes118.exe	86
PID 2748 wrote to memory of 3568	2748	e915aca96aaec5c628e81a74ce065fd8_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\e915aca96aaec5c628e81a74ce065fd8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e915aca96aaec5c628e81a74ce065fd8_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Users\Admin\AppData\Local\Temp\fZDKDlttOQBrMu5.exe
  C:\Users\Admin\AppData\Local\Temp\fZDKDlttOQBrMu5.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4004
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
380KB

MD5
b09f4436adaf60b8323a2775442d68bf

SHA1
b94715a7c6b12938781099f16d13030c72d3bb8a

SHA256
64006bf5f0b13f3df18050a250d4c1c65e976149db6fdf2b99a2074d80606243

SHA512
620f66e47012a28472c93facbbb23672a77a806d463fc6fae1a901684e265dd315ec498125bcb3f3df6ca86673cfe417dcd6e5e17f6e9c254bd157b6afb10345

Download Submit
C:\Users\Admin\AppData\Local\Temp\fZDKDlttOQBrMu5.exe

Filesize
288KB

MD5
880e155f8f47fb0db7b2080e71d59568

SHA1
2ed0c0f809765bbabd8c7d4f58e9a0bacf2bb629

SHA256
6011cd7d1a314d109bc0755d17be2e7812b2f5542ec24f3f3023532c1e8a1d44

SHA512
70977d36b8ec8c271c5ffd3303677743a2626196bb62af5d817e86a7eeed972bbb70acdd81508f7b4ee1da366ce02cd96a8d0e6f11627842f195cfd0c53a5bec

Download Submit
C:\Windows\CTS.exe

Filesize
59KB

MD5
5efd390d5f95c8191f5ac33c4db4b143

SHA1
42d81b118815361daa3007f1a40f1576e9a9e0bc

SHA256
6028434636f349d801465f77af3a1e387a9c5032942ca6cadb6506d0800f2a74

SHA512
720fbe253483dc034307a57a2860c8629a760f883603198d1213f5290b7f236bf0f5f237728ebed50962be83dc7dc4abe61a1e9a55218778495fc6580eb20b3d

Download Submit
memory/2748-0-0x0000000000F80000-0x0000000000F97000-memory.dmp

Filesize
92KB

Download
memory/2748-10-0x0000000000F80000-0x0000000000F97000-memory.dmp

Filesize
92KB

Download
memory/3568-9-0x0000000000D90000-0x0000000000DA7000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads