25828b4bc1f5a5f372278c988a80d9b8b25afb59ec6d8a288028112750296490

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 06:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f53358c23430e1fc777ca0845ee0cd68_JaffaCakes118.exe
Size

71KB
MD5

f53358c23430e1fc777ca0845ee0cd68
SHA1

a88ce9366ffb09b5091d39d643472b7459b61763
SHA256

25828b4bc1f5a5f372278c988a80d9b8b25afb59ec6d8a288028112750296490
SHA512

d807d6a5cbe2f60412941dda01f230d09ad9d8e18b46393c5a86afa38cd3924289488bf4e94c052901f12fc37fafc1cd386f1e32f0579e3171d71607eea7375b
SSDEEP

1536:s9Z3KcR4mjD9r8226+v9Z3KcR4mjD9r8226+r:sr3KcWmjRrzSvr3KcWmjRrzSr

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2080	CTS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3596-0-0x00000000009F0000-0x0000000000A07000-memory.dmp	upx
behavioral2/files/0x0007000000023281-6.dat	upx
behavioral2/memory/2080-9-0x0000000000BB0000-0x0000000000BC7000-memory.dmp	upx
behavioral2/memory/3596-8-0x00000000009F0000-0x0000000000A07000-memory.dmp	upx
behavioral2/files/0x0003000000022947-12.dat	upx
behavioral2/files/0x0005000000022a73-29.dat	upx
behavioral2/memory/2080-32-0x0000000000BB0000-0x0000000000BC7000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	f53358c23430e1fc777ca0845ee0cd68_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	f53358c23430e1fc777ca0845ee0cd68_JaffaCakes118.exe
File created	C:\Windows\CTS.exe	CTS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3596	f53358c23430e1fc777ca0845ee0cd68_JaffaCakes118.exe
Token: SeDebugPrivilege	2080	CTS.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3596 wrote to memory of 2080	3596	f53358c23430e1fc777ca0845ee0cd68_JaffaCakes118.exe	83
PID 3596 wrote to memory of 2080	3596	f53358c23430e1fc777ca0845ee0cd68_JaffaCakes118.exe	83
PID 3596 wrote to memory of 2080	3596	f53358c23430e1fc777ca0845ee0cd68_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\f53358c23430e1fc777ca0845ee0cd68_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f53358c23430e1fc777ca0845ee0cd68_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3596
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
395KB

MD5
24ea0b60ea8137e5e6d1a044d2338ebb

SHA1
2620de9617cd35179bb9b7df47c59c5da6176576

SHA256
b152f6342a14d88f853c94ff276534e3d77aaa2bef3824757f2f2837fcc66ebd

SHA512
84254f7d544d014b32c789ada403471523e56e74d1578b3676a7bf5683bfe88e510ab1d9f6ae00cabecc57ed12883ac048b4ce2986f951dc46ea00af18de92e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XSQCvyZqY5Tkq8t.exe

Filesize
71KB

MD5
8ecdfc4c06bc4788086a651299b8423d

SHA1
430f1bd51fe3c8d8bc6e4f89fe5e88cf5eaae7a8

SHA256
d362d9c7c9d429f75ec0c5b87c0248b1df48f447682cb3f7f19b2d8ae647d6d9

SHA512
b1d0e054fc6e308564ac7dc16882450be56d6a5d7e57412a2a571d2ccac6bd22d7937a9b888872a94d8a0b23b62c6228f236ae41b046279a9f9898976609618b

Download Submit
C:\Windows\CTS.exe

Filesize
71KB

MD5
22069d1278ebf7d1758e20c4b118c39a

SHA1
cfd6c00953bc91dfa91a809e99a230b0ad222eec

SHA256
c4875ef691c5e0dbcdc5dd700f610042ec63e251f184150eeb3e7ab1dde3c9ba

SHA512
7ffbb4fce2779e7dc7ea19773a843eb174eb9e8dfc136a45ce8606c6c1657887f73409bfc780c391fe38dacc56c8a6ca4f84d3656236d631b42ec2946346b61d

Download Submit
memory/2080-9-0x0000000000BB0000-0x0000000000BC7000-memory.dmp

Filesize
92KB

Download
memory/2080-32-0x0000000000BB0000-0x0000000000BC7000-memory.dmp

Filesize
92KB

Download
memory/3596-0-0x00000000009F0000-0x0000000000A07000-memory.dmp

Filesize
92KB

Download
memory/3596-8-0x00000000009F0000-0x0000000000A07000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads