966aca0c911a114a970bd05a207a6421b463315c0916f6a5b87141c4c7252084

General

Target

6319fba403cf5d1554fa4f344c2af221_JaffaCakes118.exe
Size

1.8MB
MD5

6319fba403cf5d1554fa4f344c2af221
SHA1

da5b2d0c75b6e4010d03b467a513203b854972dd
SHA256

966aca0c911a114a970bd05a207a6421b463315c0916f6a5b87141c4c7252084
SHA512

9cf13647dcb9b7200e87fbffb0a130f65abb768a62f336465c157834eab54a5e906882b6f2e53c01859c6c7c35873e0e135cc2f55da18e585b788d39a1c8096f
SSDEEP

49152:SGeqHcpUcmELGROOG4Adl2Dbs7Q5I8RZvI2C+:DexpUFMGQOGZn2yKBRF

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1052	Do8fIJuEWA2lQwR.exe
2700	CTS.exe
2868	Do8fIJuEWA2lQwR.exe

Loads dropped DLL 2 IoCs

pid	Process
2224	6319fba403cf5d1554fa4f344c2af221_JaffaCakes118.exe
1052	Do8fIJuEWA2lQwR.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2224-0-0x0000000000D40000-0x0000000000D57000-memory.dmp	upx
behavioral1/files/0x0008000000018f90-15.dat	upx
behavioral1/memory/2700-21-0x00000000003C0000-0x00000000003D7000-memory.dmp	upx
behavioral1/memory/2224-14-0x0000000000D40000-0x0000000000D57000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	6319fba403cf5d1554fa4f344c2af221_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	6319fba403cf5d1554fa4f344c2af221_JaffaCakes118.exe
File created	C:\Windows\CTS.exe	CTS.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	Do8fIJuEWA2lQwR.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Do8fIJuEWA2lQwR.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Do8fIJuEWA2lQwR.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2224	6319fba403cf5d1554fa4f344c2af221_JaffaCakes118.exe
Token: SeDebugPrivilege	2700	CTS.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2868	Do8fIJuEWA2lQwR.exe
2868	Do8fIJuEWA2lQwR.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 1052	2224	6319fba403cf5d1554fa4f344c2af221_JaffaCakes118.exe	29
PID 2224 wrote to memory of 1052	2224	6319fba403cf5d1554fa4f344c2af221_JaffaCakes118.exe	29
PID 2224 wrote to memory of 1052	2224	6319fba403cf5d1554fa4f344c2af221_JaffaCakes118.exe	29
PID 2224 wrote to memory of 1052	2224	6319fba403cf5d1554fa4f344c2af221_JaffaCakes118.exe	29
PID 2224 wrote to memory of 1052	2224	6319fba403cf5d1554fa4f344c2af221_JaffaCakes118.exe	29
PID 2224 wrote to memory of 1052	2224	6319fba403cf5d1554fa4f344c2af221_JaffaCakes118.exe	29
PID 2224 wrote to memory of 1052	2224	6319fba403cf5d1554fa4f344c2af221_JaffaCakes118.exe	29
PID 2224 wrote to memory of 2700	2224	6319fba403cf5d1554fa4f344c2af221_JaffaCakes118.exe	30
PID 2224 wrote to memory of 2700	2224	6319fba403cf5d1554fa4f344c2af221_JaffaCakes118.exe	30
PID 2224 wrote to memory of 2700	2224	6319fba403cf5d1554fa4f344c2af221_JaffaCakes118.exe	30
PID 2224 wrote to memory of 2700	2224	6319fba403cf5d1554fa4f344c2af221_JaffaCakes118.exe	30
PID 1052 wrote to memory of 2868	1052	Do8fIJuEWA2lQwR.exe	31
PID 1052 wrote to memory of 2868	1052	Do8fIJuEWA2lQwR.exe	31
PID 1052 wrote to memory of 2868	1052	Do8fIJuEWA2lQwR.exe	31
PID 1052 wrote to memory of 2868	1052	Do8fIJuEWA2lQwR.exe	31
PID 1052 wrote to memory of 2868	1052	Do8fIJuEWA2lQwR.exe	31
PID 1052 wrote to memory of 2868	1052	Do8fIJuEWA2lQwR.exe	31
PID 1052 wrote to memory of 2868	1052	Do8fIJuEWA2lQwR.exe	31

C:\Users\Admin\AppData\Local\Temp\6319fba403cf5d1554fa4f344c2af221_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6319fba403cf5d1554fa4f344c2af221_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Admin\AppData\Local\Temp\Do8fIJuEWA2lQwR.exe
  C:\Users\Admin\AppData\Local\Temp\Do8fIJuEWA2lQwR.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Users\Admin\AppData\Local\Temp\jds259549736.tmp\Do8fIJuEWA2lQwR.exe
    "C:\Users\Admin\AppData\Local\Temp\jds259549736.tmp\Do8fIJuEWA2lQwR.exe"
    3⤵
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Modifies system certificate store
    - Suspicious use of SetWindowsHookEx
    PID:2868
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

3

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
1KB

MD5
86d1598ba5fb96ead0681d944967e6fb

SHA1
dd7768902ed4835c20765d5098dfdfb043564c11

SHA256
90d5b804bf0b983bf48a944749ffc4923d87eb3d16d58fbb99568d8f7ef87395

SHA512
97e97e733a6b011bcea24aa1007bc87998006f12369889cd7a1d43f9d78ce5c18e861d9cec1dd5cade69dc7a15a0bd972d3948fb3289f7d84176c4dc2b0711a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
4KB

MD5
c873699e8c46f9ad9998b5ab367d0251

SHA1
90d7e407c7f5bff120337b7873f0d648650436f4

SHA256
075f3d4e457fa2cc2cc00b1380dd3c2edcda2152943e5f3edac5b7c4bdc83f31

SHA512
eb283fc7d3f71c0df38775193b182c033a66922a0e3d63127dc9f5a2d1217421c8ccd34daeeb6ae8c27a406a6da2238d9ec373f41a272c26e8aad7316fa6734d

Download Submit
C:\Windows\CTS.exe

Filesize
28KB

MD5
e6150447c894ade7b2b9ee88d5933922

SHA1
dc62f7f9ff1a492adadbc8b6321c0b7b9cd973d1

SHA256
b612d46644d0e4a3829c4d6715f71d979103aa487624805363b36f5b4f92b118

SHA512
d6db2b459723005662a646357bd60ab6e5cf77ab4f83868c91e725e45c32b44900c32724883df6aa4a0e85cbf7441bea159334f3080cfe8e7acec540aa996ff0

Download Submit
\Users\Admin\AppData\Local\Temp\Do8fIJuEWA2lQwR.exe

Filesize
1.8MB

MD5
544e07d620d3108b9b6aa3384d02dea5

SHA1
9897596f3c4ec39e38ef7f1081783db7693ae0b2

SHA256
a8fb1a1473831ac6feb092afd2cbdded2d6a881d3576158fabd89090050b52f8

SHA512
3663b9c056447c4491635b5bdcbc6e1a2b67a432b41bab6f479da5c787c48f1067cecafdfb6d9763f9b17b553aa953ae87068ba7f0c1c93facf34db7ac53a64c

Download Submit
\Users\Admin\AppData\Local\Temp\jds259549736.tmp\Do8fIJuEWA2lQwR.exe

Filesize
1.6MB

MD5
109cbe148f827137c3ba62261f01b29b

SHA1
2cc02b09da46d9e5d0ac1b306a0bbcc12bfe4c12

SHA256
394ad6212e4866cc8e6d1834df8f70538dddf09d23dfa65ea204b22c012b541a

SHA512
a2dfa03dd290540bcfeda6cfd7d6ed891700742b4323d8c8dbfc4c822386ef1ddfff5cf71b2e5d7be9ec72fb6fc2145ff6ffc440823187d6956d5aa2794c5799

Download Submit
memory/2224-0-0x0000000000D40000-0x0000000000D57000-memory.dmp

Filesize
92KB

Download
memory/2224-14-0x0000000000D40000-0x0000000000D57000-memory.dmp

Filesize
92KB

Download
memory/2700-21-0x00000000003C0000-0x00000000003D7000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads