d06ffce4cc09b64c5902013e5941be8f7d969112d76c93a8247a3f64b65a0dfc

Analysis

max time kernel
141s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18/04/2024, 17:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f876b46999107423733c5fdd244d710b_JaffaCakes118.exe
Size

46KB
MD5

f876b46999107423733c5fdd244d710b
SHA1

2f33c4497f32dd069f41a0be0654326a8c99deb4
SHA256

d06ffce4cc09b64c5902013e5941be8f7d969112d76c93a8247a3f64b65a0dfc
SHA512

b2e45b52d1c158929ebcfc8206e77f6ee77d30f4bdac0116d6df478a2e1eaf70053dcb7f0d5cdb890b0275c2f9321ca3ec8b9ab93c98503d4cf9be8a841e9a66
SSDEEP

768:XocAX3LKew369lp2z3Sd4baFXLjwP/Tgj93b8NIocVSEFB6TB2d6M9uQ1wi05H9C:SKcR4mjD9r823FB612dN97B05fyB

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1636	CTS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2868-1-0x0000000000870000-0x0000000000887000-memory.dmp	upx
behavioral1/memory/2868-8-0x0000000000870000-0x0000000000887000-memory.dmp	upx
behavioral1/files/0x000c00000001269e-7.dat	upx
behavioral1/memory/1636-13-0x0000000000DF0000-0x0000000000E07000-memory.dmp	upx
behavioral1/files/0x000a000000012254-15.dat	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	f876b46999107423733c5fdd244d710b_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	f876b46999107423733c5fdd244d710b_JaffaCakes118.exe
File created	C:\Windows\CTS.exe	CTS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2868	f876b46999107423733c5fdd244d710b_JaffaCakes118.exe
Token: SeDebugPrivilege	1636	CTS.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 1636	2868	f876b46999107423733c5fdd244d710b_JaffaCakes118.exe	28
PID 2868 wrote to memory of 1636	2868	f876b46999107423733c5fdd244d710b_JaffaCakes118.exe	28
PID 2868 wrote to memory of 1636	2868	f876b46999107423733c5fdd244d710b_JaffaCakes118.exe	28
PID 2868 wrote to memory of 1636	2868	f876b46999107423733c5fdd244d710b_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\f876b46999107423733c5fdd244d710b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f876b46999107423733c5fdd244d710b_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ZrZROeeJIMZpx89.exe

Filesize
46KB

MD5
9588fa40cba6823d47476b8ba85dcc9f

SHA1
d214e42e78bb28a5419572c9449132fa78ea517a

SHA256
9dfc3819c810495a87ac754356fa8ee6599b69c503af6bfc4535b9f0e5b7f541

SHA512
8b5e3a36137c0c02a72f52895ae8791f78a0435110e6a1042ed9e9895cc3a2fded195a7de2d53205ef283ab57a4a4eb6bd408c2b04bd9911db975279a609f8e3

Download Submit
C:\Windows\CTS.exe

Filesize
29KB

MD5
70aa23c9229741a9b52e5ce388a883ac

SHA1
b42683e21e13de3f71db26635954d992ebe7119e

SHA256
9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2

SHA512
be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5

Download Submit
memory/1636-13-0x0000000000DF0000-0x0000000000E07000-memory.dmp

Filesize
92KB

Download
memory/2868-1-0x0000000000870000-0x0000000000887000-memory.dmp

Filesize
92KB

Download
memory/2868-8-0x0000000000870000-0x0000000000887000-memory.dmp

Filesize
92KB

Download
memory/2868-9-0x0000000000070000-0x0000000000087000-memory.dmp

Filesize
92KB

Download
memory/2868-12-0x0000000000070000-0x0000000000087000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads