17c067a6ae9fb6e09106d88bf502704690e1a0a78226ae1a9a8a6ef342de94d6

General

Target

604b7144703850d7e96512d2c248d83a_JaffaCakes118.exe
Size

880KB
MD5

604b7144703850d7e96512d2c248d83a
SHA1

4cd2e73d789ce9b9ed6913756127cc44a44b2354
SHA256

17c067a6ae9fb6e09106d88bf502704690e1a0a78226ae1a9a8a6ef342de94d6
SHA512

c5cccde77d3045f954b3997cb85a2644fd867dfae870e35ff4c38ab55de9ce733342c971e24066fc38affee30feb94af34236b3fa0a9343dced882c3d40a579d
SSDEEP

12288:smpwTPsMKBuJdwBiaB0ZtbaXAC+KbkmVTxFoqn0HuAAnlYO+aebxpJfoMDtiW39b:eLsoi0XRKbkm1t1Dh+aebxpJgWNtT

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1760	ZDWFC5O8RdBa49J.exe
1304	CTS.exe

Loads dropped DLL 2 IoCs

pid	Process
2564	604b7144703850d7e96512d2c248d83a_JaffaCakes118.exe
968	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2564-0-0x00000000009B0000-0x00000000009C9000-memory.dmp	upx
behavioral1/files/0x0008000000016d81-13.dat	upx
behavioral1/memory/1304-14-0x0000000000A90000-0x0000000000AA9000-memory.dmp	upx
behavioral1/memory/2564-12-0x00000000009B0000-0x00000000009C9000-memory.dmp	upx
behavioral1/files/0x000c000000016d58-65.dat	upx
behavioral1/memory/1304-67-0x0000000000A90000-0x0000000000AA9000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	604b7144703850d7e96512d2c248d83a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	604b7144703850d7e96512d2c248d83a_JaffaCakes118.exe
File created	C:\Windows\CTS.exe	CTS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2564	604b7144703850d7e96512d2c248d83a_JaffaCakes118.exe
Token: SeDebugPrivilege	1304	CTS.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 1760	2564	604b7144703850d7e96512d2c248d83a_JaffaCakes118.exe	29
PID 2564 wrote to memory of 1760	2564	604b7144703850d7e96512d2c248d83a_JaffaCakes118.exe	29
PID 2564 wrote to memory of 1760	2564	604b7144703850d7e96512d2c248d83a_JaffaCakes118.exe	29
PID 2564 wrote to memory of 1760	2564	604b7144703850d7e96512d2c248d83a_JaffaCakes118.exe	29
PID 2564 wrote to memory of 1304	2564	604b7144703850d7e96512d2c248d83a_JaffaCakes118.exe	31
PID 2564 wrote to memory of 1304	2564	604b7144703850d7e96512d2c248d83a_JaffaCakes118.exe	31
PID 2564 wrote to memory of 1304	2564	604b7144703850d7e96512d2c248d83a_JaffaCakes118.exe	31
PID 2564 wrote to memory of 1304	2564	604b7144703850d7e96512d2c248d83a_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\604b7144703850d7e96512d2c248d83a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\604b7144703850d7e96512d2c248d83a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Users\Admin\AppData\Local\Temp\ZDWFC5O8RdBa49J.exe
  C:\Users\Admin\AppData\Local\Temp\ZDWFC5O8RdBa49J.exe
  2⤵
  - Executes dropped EXE
  PID:1760
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ZDWFC5O8RdBa49J.exe

Filesize
880KB

MD5
23490090b5d4c584d106584770b1adc4

SHA1
8c3644645dd6a321402bc6106f4920617cbc0c8e

SHA256
b27265f59f63309c5e9687b480ac57be70347ce7cddc2fcdb558929148fe2287

SHA512
a8a72f3d97b0e34fd385ead4c0f4f499302171d659aa0e9bfb94a48c8f3a87d446c73bdf25cf3a7d450966d973a0e0fa8be3573e747c8c2427b50586751925f1

Download Submit
C:\Windows\CTS.exe

Filesize
356KB

MD5
9b1fa431ef31963787011ad0f81b7c3d

SHA1
c559dd90430b1037b885e4f5dcf72caf9917e8c6

SHA256
4ccc5522de0fff05df0a0b6de968c6273c30754b56f893679c88d3effa7fc9f2

SHA512
c45c2d0c57b17eded3bb327f8c20d74bd15d54998cc79806cd5901f979fcb93458c5cde1899cf69b7701e6d66efa729c70a996d0b8352b5833dc9f4a0e32cc7f

Download Submit
\Users\Admin\AppData\Local\Temp\ZDWFC5O8RdBa49J.exe

Filesize
524KB

MD5
645d5875c0ce2052d93943c62238a06e

SHA1
38c00dfaa6e0192e1157212d5baf42a8db869776

SHA256
66ef54018ef1207394bef76bcb0411f2fbbedd6230a812026bf8f1710218dbf9

SHA512
eb9654b527ddc15fae042ef6fa6b8a25f76c2fc21314abd1d629bac5066cfa11d9f3c1191150dc7784b20e5e47c4855ab97d34fadf904989a7a43ccd626949fe

Download Submit
memory/1304-14-0x0000000000A90000-0x0000000000AA9000-memory.dmp

Filesize
100KB

Download
memory/1304-67-0x0000000000A90000-0x0000000000AA9000-memory.dmp

Filesize
100KB

Download
memory/2564-0-0x00000000009B0000-0x00000000009C9000-memory.dmp

Filesize
100KB

Download
memory/2564-12-0x00000000009B0000-0x00000000009C9000-memory.dmp

Filesize
100KB

Download
memory/2564-7-0x00000000000E0000-0x00000000000F9000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads