81c93fd39192942f016c95c3610fa9a642006f0c95c36e6f413c3a44d65c6130

General

Target

fe2abb4887f4b811fea010519590695c_JaffaCakes118.exe
Size

126KB
MD5

fe2abb4887f4b811fea010519590695c
SHA1

3a481e589ae98d056275ff64894c7933b1d39c45
SHA256

81c93fd39192942f016c95c3610fa9a642006f0c95c36e6f413c3a44d65c6130
SHA512

ecd455c34ccfadd23578765e3b2d5dfb0f8b0aacf443cbad17cb2e1494e480f55ac49eb259d7ad7fbe41f9f4072ed164b5977eedea53fab07442c608671b0da0
SSDEEP

3072:SKcWmjRrz38kbnJUpczjkSB+9ZR8K9JSRzCU86ObOp:hG1bnJ5XkSARzJ8CUFO2

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3416	7K3gQFAX1ppYY9W.exe
2992	CTS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3076-0-0x00000000001C0000-0x00000000001D7000-memory.dmp	upx
behavioral2/files/0x000800000002326c-6.dat	upx
behavioral2/memory/2992-8-0x00000000000B0000-0x00000000000C7000-memory.dmp	upx
behavioral2/memory/3076-7-0x00000000001C0000-0x00000000001D7000-memory.dmp	upx
behavioral2/files/0x00070000000224f9-13.dat	upx
behavioral2/memory/2992-32-0x00000000000B0000-0x00000000000C7000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	fe2abb4887f4b811fea010519590695c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	fe2abb4887f4b811fea010519590695c_JaffaCakes118.exe
File created	C:\Windows\CTS.exe	CTS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3076	fe2abb4887f4b811fea010519590695c_JaffaCakes118.exe
Token: SeDebugPrivilege	2992	CTS.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3076 wrote to memory of 3416	3076	fe2abb4887f4b811fea010519590695c_JaffaCakes118.exe	91
PID 3076 wrote to memory of 3416	3076	fe2abb4887f4b811fea010519590695c_JaffaCakes118.exe	91
PID 3076 wrote to memory of 3416	3076	fe2abb4887f4b811fea010519590695c_JaffaCakes118.exe	91
PID 3076 wrote to memory of 2992	3076	fe2abb4887f4b811fea010519590695c_JaffaCakes118.exe	92
PID 3076 wrote to memory of 2992	3076	fe2abb4887f4b811fea010519590695c_JaffaCakes118.exe	92
PID 3076 wrote to memory of 2992	3076	fe2abb4887f4b811fea010519590695c_JaffaCakes118.exe	92

C:\Users\Admin\AppData\Local\Temp\fe2abb4887f4b811fea010519590695c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fe2abb4887f4b811fea010519590695c_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3076
- C:\Users\Admin\AppData\Local\Temp\7K3gQFAX1ppYY9W.exe
  C:\Users\Admin\AppData\Local\Temp\7K3gQFAX1ppYY9W.exe
  2⤵
  - Executes dropped EXE
  PID:3416
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4116 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
1⤵
PID:3788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
750KB

MD5
d43b7a388a132b386e4b558161c73e4d

SHA1
e53daf38d886e6a7af0322e00a2cc4010905bb60

SHA256
2bfd399386db1e0ee71f3b7ad4374e4c3f397f1c8e7b7472a84a42763b204325

SHA512
2e4f2b5eb700fe3289f7c4a36861188903edd9e4e891c13fe6f82b803e8c702b2d8ea1988c038ea99f4708f9926c885b9e879266b64a0f8c6ef49defd1d7ba7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7K3gQFAX1ppYY9W.exe

Filesize
94KB

MD5
ec5e7403f86990ab23caeeb4955f5ffb

SHA1
c345479d6dc53a102ccb05259c0c858a1ddd7d8e

SHA256
352df104254095ddf925514d99bfb5411c95b5386e90caf06557979f82e16844

SHA512
679957452967a3d3f3f1c55a9a510befa2d31e3bdb825a76540e845667f61775f4d18c3b3493133dd671b380907aaae0dd380b95729a448acf48d95ca0fe5206

Download Submit
C:\Windows\CTS.exe

Filesize
32KB

MD5
7c3163444261edcf52bbb521f4f20314

SHA1
ded43c86a46927f84df6ac44681ae2d34472e39d

SHA256
e253442f216a6aafe26b6dd65866777b8b4aaa3c1ede2b908afda1ddf6aeee6e

SHA512
d1b529980ee1a138829a9dc945ebf2989bb62ace961aefde1e229e6e25f232f089d986e3cf9bfb82c708e3ed1031dc58bbf7145bb817b42abca4e420c4569235

Download Submit
memory/2992-8-0x00000000000B0000-0x00000000000C7000-memory.dmp

Filesize
92KB

Download
memory/2992-32-0x00000000000B0000-0x00000000000C7000-memory.dmp

Filesize
92KB

Download
memory/3076-0-0x00000000001C0000-0x00000000001D7000-memory.dmp

Filesize
92KB

Download
memory/3076-7-0x00000000001C0000-0x00000000001D7000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads