d7ae929f58548441534ba9f73b0b735b159463ac7c27e0dbb26515c91bdf4c2a

Analysis

max time kernel
142s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 15:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ea4f38c697dc2a7684083226a3c119cf_JaffaCakes118.exe
Size

59KB
MD5

ea4f38c697dc2a7684083226a3c119cf
SHA1

1f0c7715573fc44752badc04380532d849f1e998
SHA256

d7ae929f58548441534ba9f73b0b735b159463ac7c27e0dbb26515c91bdf4c2a
SHA512

74942dc30792bac00c5f48ae90950595bb957bafa1a023f97093d536de2406f042c9e37280db7d1e703726abf110965bd7e1d64cb7d246a0315a02b652b2b055
SSDEEP

768:XocAX3LKew369lp2z3Sd4baFXLjwP/Tgj93b8NIocVSEFGocAX3LKew369lp2z34:SKcR4mjD9r823FHKcR4mjD9r823F9

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
316	CTS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3804-0-0x00000000001A0000-0x00000000001B7000-memory.dmp	upx
behavioral2/files/0x000700000002332a-6.dat	upx
behavioral2/memory/316-7-0x0000000000940000-0x0000000000957000-memory.dmp	upx
behavioral2/memory/3804-9-0x00000000001A0000-0x00000000001B7000-memory.dmp	upx
behavioral2/files/0x00050000000226b0-12.dat	upx
behavioral2/files/0x0007000000023329-29.dat	upx
behavioral2/memory/316-31-0x0000000000940000-0x0000000000957000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	ea4f38c697dc2a7684083226a3c119cf_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	ea4f38c697dc2a7684083226a3c119cf_JaffaCakes118.exe
File created	C:\Windows\CTS.exe	CTS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3804	ea4f38c697dc2a7684083226a3c119cf_JaffaCakes118.exe
Token: SeDebugPrivilege	316	CTS.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3804 wrote to memory of 316	3804	ea4f38c697dc2a7684083226a3c119cf_JaffaCakes118.exe	92
PID 3804 wrote to memory of 316	3804	ea4f38c697dc2a7684083226a3c119cf_JaffaCakes118.exe	92
PID 3804 wrote to memory of 316	3804	ea4f38c697dc2a7684083226a3c119cf_JaffaCakes118.exe	92

C:\Users\Admin\AppData\Local\Temp\ea4f38c697dc2a7684083226a3c119cf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea4f38c697dc2a7684083226a3c119cf_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3804
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4432 --field-trial-handle=3084,i,11997299123381683778,5904351605020331957,262144 --variations-seed-version /prefetch:8
1⤵
PID:4044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
380KB

MD5
3dc7ba45d13f2d3e871e3032cc898d76

SHA1
96504f4f49bd6e9ccee375096fe4762fab686217

SHA256
14cbf342dbf873cb8ffe7bea09c15f3189d77e3122dee6ca47007cdd8b96372c

SHA512
2d9f0d75220a9ce97c8f46f882c352dc818544d0c5648ef40ad6fafaa59bb82197b4c623f09d18e1786870009cc1fdd4713fabe3518343317c7463944db52753

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQRgr9ZGQAck2aB.exe

Filesize
59KB

MD5
8ba572d8dd1ec8b97a4bc6924ddad5db

SHA1
250ba10fb83920cb81e1a7e0a49e18d295d3a43f

SHA256
86c4633b07d0c733ac15140b505953342bc34d483f8b52f865a3c637fcd9ca1b

SHA512
050ce4d08263c49117db0be72de8c5af94f04027ffa1f8fa4b535297415748a92d79c491dffa5a36210d6866281491b08050430e80d117705c8c76793469d027

Download Submit
C:\Windows\CTS.exe

Filesize
59KB

MD5
5efd390d5f95c8191f5ac33c4db4b143

SHA1
42d81b118815361daa3007f1a40f1576e9a9e0bc

SHA256
6028434636f349d801465f77af3a1e387a9c5032942ca6cadb6506d0800f2a74

SHA512
720fbe253483dc034307a57a2860c8629a760f883603198d1213f5290b7f236bf0f5f237728ebed50962be83dc7dc4abe61a1e9a55218778495fc6580eb20b3d

Download Submit
memory/316-7-0x0000000000940000-0x0000000000957000-memory.dmp

Filesize
92KB

Download
memory/316-31-0x0000000000940000-0x0000000000957000-memory.dmp

Filesize
92KB

Download
memory/3804-0-0x00000000001A0000-0x00000000001B7000-memory.dmp

Filesize
92KB

Download
memory/3804-9-0x00000000001A0000-0x00000000001B7000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads