3e18a734492334e90f064e61e71ec5615e365467535be81dd45da69f5322f281

General

Target

f04990a5b976d6c5627f1c2f3a73c81c_JaffaCakes118.exe
Size

1.9MB
MD5

f04990a5b976d6c5627f1c2f3a73c81c
SHA1

e9de8d434ba3cf3b0f0c982482353209d88986e1
SHA256

3e18a734492334e90f064e61e71ec5615e365467535be81dd45da69f5322f281
SHA512

aa6023901877c0e19c533d765e44efb5f691dc200a02c779126c0fb2c31e1a8f7fd4a145a312b37ccdf3765beb41e855da49d6404a43ac1fa21190d56ede18ad
SSDEEP

49152:h3xmfcPpddbGR005DFG5Ir4XaFTYhB94hCt3+FO/LYI:DmfcPXd6RzM5IMXaehBa80I

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1792	hsskF0A10Lri1uQ.exe
2176	CTS.exe
2560	hsskF0A10Lri1uQ.exe

Loads dropped DLL 2 IoCs

pid	Process
2360	f04990a5b976d6c5627f1c2f3a73c81c_JaffaCakes118.exe
1792	hsskF0A10Lri1uQ.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2360-0-0x0000000000EA0000-0x0000000000EB7000-memory.dmp	upx
behavioral1/memory/2360-17-0x0000000000EA0000-0x0000000000EB7000-memory.dmp	upx
behavioral1/files/0x000c00000001342e-20.dat	upx
behavioral1/memory/2176-25-0x00000000002B0000-0x00000000002C7000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	f04990a5b976d6c5627f1c2f3a73c81c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	f04990a5b976d6c5627f1c2f3a73c81c_JaffaCakes118.exe
File created	C:\Windows\CTS.exe	CTS.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	hsskF0A10Lri1uQ.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	hsskF0A10Lri1uQ.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	hsskF0A10Lri1uQ.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2360	f04990a5b976d6c5627f1c2f3a73c81c_JaffaCakes118.exe
Token: SeDebugPrivilege	2176	CTS.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2560	hsskF0A10Lri1uQ.exe
2560	hsskF0A10Lri1uQ.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 1792	2360	f04990a5b976d6c5627f1c2f3a73c81c_JaffaCakes118.exe	28
PID 2360 wrote to memory of 1792	2360	f04990a5b976d6c5627f1c2f3a73c81c_JaffaCakes118.exe	28
PID 2360 wrote to memory of 1792	2360	f04990a5b976d6c5627f1c2f3a73c81c_JaffaCakes118.exe	28
PID 2360 wrote to memory of 1792	2360	f04990a5b976d6c5627f1c2f3a73c81c_JaffaCakes118.exe	28
PID 2360 wrote to memory of 1792	2360	f04990a5b976d6c5627f1c2f3a73c81c_JaffaCakes118.exe	28
PID 2360 wrote to memory of 1792	2360	f04990a5b976d6c5627f1c2f3a73c81c_JaffaCakes118.exe	28
PID 2360 wrote to memory of 1792	2360	f04990a5b976d6c5627f1c2f3a73c81c_JaffaCakes118.exe	28
PID 2360 wrote to memory of 2176	2360	f04990a5b976d6c5627f1c2f3a73c81c_JaffaCakes118.exe	29
PID 2360 wrote to memory of 2176	2360	f04990a5b976d6c5627f1c2f3a73c81c_JaffaCakes118.exe	29
PID 2360 wrote to memory of 2176	2360	f04990a5b976d6c5627f1c2f3a73c81c_JaffaCakes118.exe	29
PID 2360 wrote to memory of 2176	2360	f04990a5b976d6c5627f1c2f3a73c81c_JaffaCakes118.exe	29
PID 1792 wrote to memory of 2560	1792	hsskF0A10Lri1uQ.exe	30
PID 1792 wrote to memory of 2560	1792	hsskF0A10Lri1uQ.exe	30
PID 1792 wrote to memory of 2560	1792	hsskF0A10Lri1uQ.exe	30
PID 1792 wrote to memory of 2560	1792	hsskF0A10Lri1uQ.exe	30
PID 1792 wrote to memory of 2560	1792	hsskF0A10Lri1uQ.exe	30
PID 1792 wrote to memory of 2560	1792	hsskF0A10Lri1uQ.exe	30
PID 1792 wrote to memory of 2560	1792	hsskF0A10Lri1uQ.exe	30

C:\Users\Admin\AppData\Local\Temp\f04990a5b976d6c5627f1c2f3a73c81c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f04990a5b976d6c5627f1c2f3a73c81c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\hsskF0A10Lri1uQ.exe
  C:\Users\Admin\AppData\Local\Temp\hsskF0A10Lri1uQ.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Users\Admin\AppData\Local\Temp\jds259394188.tmp\hsskF0A10Lri1uQ.exe
    "C:\Users\Admin\AppData\Local\Temp\jds259394188.tmp\hsskF0A10Lri1uQ.exe"
    3⤵
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Modifies system certificate store
    - Suspicious use of SetWindowsHookEx
    PID:2560
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

3

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jds259394188.tmp\hsskF0A10Lri1uQ.exe

Filesize
1.6MB

MD5
109cbe148f827137c3ba62261f01b29b

SHA1
2cc02b09da46d9e5d0ac1b306a0bbcc12bfe4c12

SHA256
394ad6212e4866cc8e6d1834df8f70538dddf09d23dfa65ea204b22c012b541a

SHA512
a2dfa03dd290540bcfeda6cfd7d6ed891700742b4323d8c8dbfc4c822386ef1ddfff5cf71b2e5d7be9ec72fb6fc2145ff6ffc440823187d6956d5aa2794c5799

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
1KB

MD5
2c12617b0dc6cd28610813bd47a84d50

SHA1
6a4e5850248cf988d5b78933b6c146e7d9f72196

SHA256
739da0105b8e12c7efb8bd52d11c9b025370d9759cbd68bc0857902c1e595ccd

SHA512
c874940f05eac45eccb6324426b6ed891ffcf8f4c0dfe258f426ddb08d5e09d35df3ed7ed3692a11e58899c0ff648a09a12ac75ca185bad50c337a9cff958f3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
5KB

MD5
1de95defaa925fc93e1a1f2bf49eaa72

SHA1
a1b5a92312d5e8292612d1e379b4b48795eed840

SHA256
7e0eed3d8758764ecb2663b96c4f490e4730d7b5b64a487ff106e45605871f7a

SHA512
20719a6938881137bbc46a3fd285b7532ee4aa90611461bfb0b6d9f02539af3d61ebf82738cdfab89438f3d606c4849b84243796564f742731eae8d2dfc2031d

Download Submit
C:\Windows\CTS.exe

Filesize
59KB

MD5
5efd390d5f95c8191f5ac33c4db4b143

SHA1
42d81b118815361daa3007f1a40f1576e9a9e0bc

SHA256
6028434636f349d801465f77af3a1e387a9c5032942ca6cadb6506d0800f2a74

SHA512
720fbe253483dc034307a57a2860c8629a760f883603198d1213f5290b7f236bf0f5f237728ebed50962be83dc7dc4abe61a1e9a55218778495fc6580eb20b3d

Download Submit
\Users\Admin\AppData\Local\Temp\hsskF0A10Lri1uQ.exe

Filesize
1.8MB

MD5
544e07d620d3108b9b6aa3384d02dea5

SHA1
9897596f3c4ec39e38ef7f1081783db7693ae0b2

SHA256
a8fb1a1473831ac6feb092afd2cbdded2d6a881d3576158fabd89090050b52f8

SHA512
3663b9c056447c4491635b5bdcbc6e1a2b67a432b41bab6f479da5c787c48f1067cecafdfb6d9763f9b17b553aa953ae87068ba7f0c1c93facf34db7ac53a64c

Download Submit
memory/2176-25-0x00000000002B0000-0x00000000002C7000-memory.dmp

Filesize
92KB

Download
memory/2360-0-0x0000000000EA0000-0x0000000000EB7000-memory.dmp

Filesize
92KB

Download
memory/2360-17-0x0000000000EA0000-0x0000000000EB7000-memory.dmp

Filesize
92KB

Download
memory/2360-21-0x00000000002B0000-0x00000000002C7000-memory.dmp

Filesize
92KB

Download
memory/2360-18-0x00000000002B0000-0x00000000002C7000-memory.dmp

Filesize
92KB

Download
memory/2360-183-0x00000000002B0000-0x00000000002C7000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads