17c067a6ae9fb6e09106d88bf502704690e1a0a78226ae1a9a8a6ef342de94d6

General

Target

604b7144703850d7e96512d2c248d83a_JaffaCakes118.exe
Size

880KB
MD5

604b7144703850d7e96512d2c248d83a
SHA1

4cd2e73d789ce9b9ed6913756127cc44a44b2354
SHA256

17c067a6ae9fb6e09106d88bf502704690e1a0a78226ae1a9a8a6ef342de94d6
SHA512

c5cccde77d3045f954b3997cb85a2644fd867dfae870e35ff4c38ab55de9ce733342c971e24066fc38affee30feb94af34236b3fa0a9343dced882c3d40a579d
SSDEEP

12288:smpwTPsMKBuJdwBiaB0ZtbaXAC+KbkmVTxFoqn0HuAAnlYO+aebxpJfoMDtiW39b:eLsoi0XRKbkm1t1Dh+aebxpJgWNtT

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1600	fwKeqZdJFGi3fng.exe
2700	CTS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/888-0-0x00000000009F0000-0x0000000000A09000-memory.dmp	upx
behavioral2/files/0x00080000000234c6-7.dat	upx
behavioral2/memory/2700-8-0x0000000000590000-0x00000000005A9000-memory.dmp	upx
behavioral2/memory/888-9-0x00000000009F0000-0x0000000000A09000-memory.dmp	upx
behavioral2/files/0x000700000002335a-12.dat	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	604b7144703850d7e96512d2c248d83a_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	604b7144703850d7e96512d2c248d83a_JaffaCakes118.exe
File created	C:\Windows\CTS.exe	CTS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	888	604b7144703850d7e96512d2c248d83a_JaffaCakes118.exe
Token: SeDebugPrivilege	2700	CTS.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 888 wrote to memory of 1600	888	604b7144703850d7e96512d2c248d83a_JaffaCakes118.exe	84
PID 888 wrote to memory of 1600	888	604b7144703850d7e96512d2c248d83a_JaffaCakes118.exe	84
PID 888 wrote to memory of 2700	888	604b7144703850d7e96512d2c248d83a_JaffaCakes118.exe	86
PID 888 wrote to memory of 2700	888	604b7144703850d7e96512d2c248d83a_JaffaCakes118.exe	86
PID 888 wrote to memory of 2700	888	604b7144703850d7e96512d2c248d83a_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\604b7144703850d7e96512d2c248d83a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\604b7144703850d7e96512d2c248d83a_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:888
- C:\Users\Admin\AppData\Local\Temp\fwKeqZdJFGi3fng.exe
  C:\Users\Admin\AppData\Local\Temp\fwKeqZdJFGi3fng.exe
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
677KB

MD5
de71bdffd8068dff94bab2c96ffb2be7

SHA1
f162a36010a7db9c984f85f45e5e42892c54eb9a

SHA256
ccaa32943942fbfabbcfd17dae1345e90a0e6e1c548ca74655976faacc5df6a6

SHA512
8fe383caaf0d6d31268367da80e8abdb84edbc2a2d0f3ac740507e2dbe83064aaabb12e2997a7dd6ca2bd4cc79061818014701b358067d02ac37df55c99c1dcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\fwKeqZdJFGi3fng.exe

Filesize
880KB

MD5
6e707df69fa82afffe1f2932054ef1e4

SHA1
42190a98a7144d3ad33a5256906c3f7eca4461a4

SHA256
f7a2a13a644c377d0845e2f2b8cb9620811535cdd36ce3df9cba6d04604a2995

SHA512
e6d5877869bbffc89ea6cbe6800b0e74850816c47b810c9ca516c2e945e3fcbce5752fa3b67f143da7a779ae2a298e2da9a5711f26fb0822895c0ee4f16810bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\fwKeqZdJFGi3fng.exe

Filesize
524KB

MD5
645d5875c0ce2052d93943c62238a06e

SHA1
38c00dfaa6e0192e1157212d5baf42a8db869776

SHA256
66ef54018ef1207394bef76bcb0411f2fbbedd6230a812026bf8f1710218dbf9

SHA512
eb9654b527ddc15fae042ef6fa6b8a25f76c2fc21314abd1d629bac5066cfa11d9f3c1191150dc7784b20e5e47c4855ab97d34fadf904989a7a43ccd626949fe

Download Submit
C:\Windows\CTS.exe

Filesize
356KB

MD5
9b1fa431ef31963787011ad0f81b7c3d

SHA1
c559dd90430b1037b885e4f5dcf72caf9917e8c6

SHA256
4ccc5522de0fff05df0a0b6de968c6273c30754b56f893679c88d3effa7fc9f2

SHA512
c45c2d0c57b17eded3bb327f8c20d74bd15d54998cc79806cd5901f979fcb93458c5cde1899cf69b7701e6d66efa729c70a996d0b8352b5833dc9f4a0e32cc7f

Download Submit
memory/888-0-0x00000000009F0000-0x0000000000A09000-memory.dmp

Filesize
100KB

Download
memory/888-9-0x00000000009F0000-0x0000000000A09000-memory.dmp

Filesize
100KB

Download
memory/2700-8-0x0000000000590000-0x00000000005A9000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads