ad18ac36c9b7a65ba4f21a44015d33e9c70c01d3745a8e93e74ef9f26b205bdc

General

Target

ec9bc1d24c8c24ac60a5660f4131ce08_JaffaCakes118.exe
Size

85KB
MD5

ec9bc1d24c8c24ac60a5660f4131ce08
SHA1

ed9a4384ba1400d76d264169372aed25913d438e
SHA256

ad18ac36c9b7a65ba4f21a44015d33e9c70c01d3745a8e93e74ef9f26b205bdc
SHA512

16589c71b87a50e257dccaa243f1615408b931bbb6044ed6597dbd5db4dfb9549fce05bd48d288846fd96f60dfbdfc0777a83eeb8908c5ed1c278eeb74b19368
SSDEEP

1536:SKcR4mjD9r823FAFkuor6S5GnsnYLrbTpRfALQJHhJVBYBkCi6:SKcWmjRrz3WFkPgnsnYLjLfA0JHhn2i6

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
5068	NRZ3jD78JRTjK2T.exe
2768	CTS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2312-0-0x0000000000180000-0x0000000000197000-memory.dmp	upx
behavioral2/files/0x000a00000002318e-8.dat	upx
behavioral2/memory/2768-7-0x0000000000360000-0x0000000000377000-memory.dmp	upx
behavioral2/memory/2312-9-0x0000000000180000-0x0000000000197000-memory.dmp	upx
behavioral2/files/0x000600000002275e-12.dat	upx
behavioral2/memory/2768-40-0x0000000000360000-0x0000000000377000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	ec9bc1d24c8c24ac60a5660f4131ce08_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	CTS.exe
File created	C:\Windows\CTS.exe	ec9bc1d24c8c24ac60a5660f4131ce08_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2312	ec9bc1d24c8c24ac60a5660f4131ce08_JaffaCakes118.exe
Token: SeDebugPrivilege	2768	CTS.exe
Token: SeBackupPrivilege	2980	dw20.exe
Token: SeBackupPrivilege	2980	dw20.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 5068	2312	ec9bc1d24c8c24ac60a5660f4131ce08_JaffaCakes118.exe	85
PID 2312 wrote to memory of 5068	2312	ec9bc1d24c8c24ac60a5660f4131ce08_JaffaCakes118.exe	85
PID 2312 wrote to memory of 2768	2312	ec9bc1d24c8c24ac60a5660f4131ce08_JaffaCakes118.exe	86
PID 2312 wrote to memory of 2768	2312	ec9bc1d24c8c24ac60a5660f4131ce08_JaffaCakes118.exe	86
PID 2312 wrote to memory of 2768	2312	ec9bc1d24c8c24ac60a5660f4131ce08_JaffaCakes118.exe	86
PID 5068 wrote to memory of 2980	5068	NRZ3jD78JRTjK2T.exe	88
PID 5068 wrote to memory of 2980	5068	NRZ3jD78JRTjK2T.exe	88

C:\Users\Admin\AppData\Local\Temp\ec9bc1d24c8c24ac60a5660f4131ce08_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ec9bc1d24c8c24ac60a5660f4131ce08_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Users\Admin\AppData\Local\Temp\NRZ3jD78JRTjK2T.exe
  C:\Users\Admin\AppData\Local\Temp\NRZ3jD78JRTjK2T.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5068
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
    dw20.exe -x -s 812
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:2980
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
354KB

MD5
a333bdabdf2d252d1de0bbd7c6929ecf

SHA1
3442bab81e8b12a5a589761501e0fb86695d7768

SHA256
6fb01e821757e18d247166d1603fe18d015ecd918a57b5d947404c0e987c5518

SHA512
f57a6d260b5ed3b095ba391fe75725359dc3aa2a9fe4ec891db7f3b05a3335cbfdb8ec0a3655cd70644df5b244f39372b5cba6437c775d53906e379154f7f031

Download Submit
C:\Users\Admin\AppData\Local\Temp\NRZ3jD78JRTjK2T.exe

Filesize
56KB

MD5
e115521ba14b75f53dcdff087ec6898f

SHA1
87103a892bb514a93d485fba221bacb9da3aae25

SHA256
59b284d0ad4c2634938e70fae67d9048bd98422d052fbd745a9b80b5fae7ae29

SHA512
ab3d097bcf11bf7327a28124052b210f5fb13b9bfb9b7376cae1ba5c30182a330506935288a7fe06b7e3fdd82b57f5c31638f1c301738342819c772b346fa35a

Download Submit
C:\Windows\CTS.exe

Filesize
29KB

MD5
70aa23c9229741a9b52e5ce388a883ac

SHA1
b42683e21e13de3f71db26635954d992ebe7119e

SHA256
9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2

SHA512
be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5

Download Submit
memory/2312-0-0x0000000000180000-0x0000000000197000-memory.dmp

Filesize
92KB

Download
memory/2312-9-0x0000000000180000-0x0000000000197000-memory.dmp

Filesize
92KB

Download
memory/2768-7-0x0000000000360000-0x0000000000377000-memory.dmp

Filesize
92KB

Download
memory/2768-40-0x0000000000360000-0x0000000000377000-memory.dmp

Filesize
92KB

Download
memory/5068-27-0x00007FFB778D0000-0x00007FFB78271000-memory.dmp

Filesize
9.6MB

Download
memory/5068-28-0x00000000016E0000-0x00000000016F0000-memory.dmp

Filesize
64KB

Download
memory/5068-29-0x00007FFB778D0000-0x00007FFB78271000-memory.dmp

Filesize
9.6MB

Download
memory/5068-39-0x00007FFB778D0000-0x00007FFB78271000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads