966aca0c911a114a970bd05a207a6421b463315c0916f6a5b87141c4c7252084

General

Target

6319fba403cf5d1554fa4f344c2af221_JaffaCakes118.exe
Size

1.8MB
MD5

6319fba403cf5d1554fa4f344c2af221
SHA1

da5b2d0c75b6e4010d03b467a513203b854972dd
SHA256

966aca0c911a114a970bd05a207a6421b463315c0916f6a5b87141c4c7252084
SHA512

9cf13647dcb9b7200e87fbffb0a130f65abb768a62f336465c157834eab54a5e906882b6f2e53c01859c6c7c35873e0e135cc2f55da18e585b788d39a1c8096f
SSDEEP

49152:SGeqHcpUcmELGROOG4Adl2Dbs7Q5I8RZvI2C+:DexpUFMGQOGZn2yKBRF

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4716	VRXb4m9OVXj7I2P.exe
4736	CTS.exe
4976	VRXb4m9OVXj7I2P.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2444-0-0x0000000000060000-0x0000000000077000-memory.dmp	upx
behavioral2/files/0x0008000000023483-6.dat	upx
behavioral2/memory/2444-8-0x0000000000060000-0x0000000000077000-memory.dmp	upx
behavioral2/memory/4736-14-0x00000000005F0000-0x0000000000607000-memory.dmp	upx
behavioral2/files/0x0002000000022940-23.dat	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	6319fba403cf5d1554fa4f344c2af221_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	6319fba403cf5d1554fa4f344c2af221_JaffaCakes118.exe
File created	C:\Windows\CTS.exe	CTS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2444	6319fba403cf5d1554fa4f344c2af221_JaffaCakes118.exe
Token: SeDebugPrivilege	4736	CTS.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4976	VRXb4m9OVXj7I2P.exe
4976	VRXb4m9OVXj7I2P.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 4716	2444	6319fba403cf5d1554fa4f344c2af221_JaffaCakes118.exe	84
PID 2444 wrote to memory of 4716	2444	6319fba403cf5d1554fa4f344c2af221_JaffaCakes118.exe	84
PID 2444 wrote to memory of 4716	2444	6319fba403cf5d1554fa4f344c2af221_JaffaCakes118.exe	84
PID 2444 wrote to memory of 4736	2444	6319fba403cf5d1554fa4f344c2af221_JaffaCakes118.exe	85
PID 2444 wrote to memory of 4736	2444	6319fba403cf5d1554fa4f344c2af221_JaffaCakes118.exe	85
PID 2444 wrote to memory of 4736	2444	6319fba403cf5d1554fa4f344c2af221_JaffaCakes118.exe	85
PID 4716 wrote to memory of 4976	4716	VRXb4m9OVXj7I2P.exe	86
PID 4716 wrote to memory of 4976	4716	VRXb4m9OVXj7I2P.exe	86
PID 4716 wrote to memory of 4976	4716	VRXb4m9OVXj7I2P.exe	86

C:\Users\Admin\AppData\Local\Temp\6319fba403cf5d1554fa4f344c2af221_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6319fba403cf5d1554fa4f344c2af221_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Users\Admin\AppData\Local\Temp\VRXb4m9OVXj7I2P.exe
  C:\Users\Admin\AppData\Local\Temp\VRXb4m9OVXj7I2P.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4716
- - C:\Users\Admin\AppData\Local\Temp\jds240619296.tmp\VRXb4m9OVXj7I2P.exe
    "C:\Users\Admin\AppData\Local\Temp\jds240619296.tmp\VRXb4m9OVXj7I2P.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4976
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
349KB

MD5
7e8254102e8f7b4b268b5629805c489f

SHA1
806053637f126a381990858a3e12817f8065d972

SHA256
e7744c8f569534bc9e853d8a6bb1c0a11b1a90a1755fbd0412fb949976a86d3c

SHA512
2b68ee00e7a69aaaf0d10f819eeebf09fdfc2524bc93c09ab85ab45f6a75e3270df485a2a387cb5c8bd1467d0a8d87234e0e80cbf9c2d4d4edd766b339b9fad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\VRXb4m9OVXj7I2P.exe

Filesize
1.8MB

MD5
544e07d620d3108b9b6aa3384d02dea5

SHA1
9897596f3c4ec39e38ef7f1081783db7693ae0b2

SHA256
a8fb1a1473831ac6feb092afd2cbdded2d6a881d3576158fabd89090050b52f8

SHA512
3663b9c056447c4491635b5bdcbc6e1a2b67a432b41bab6f479da5c787c48f1067cecafdfb6d9763f9b17b553aa953ae87068ba7f0c1c93facf34db7ac53a64c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds240619296.tmp\VRXb4m9OVXj7I2P.exe

Filesize
1.6MB

MD5
109cbe148f827137c3ba62261f01b29b

SHA1
2cc02b09da46d9e5d0ac1b306a0bbcc12bfe4c12

SHA256
394ad6212e4866cc8e6d1834df8f70538dddf09d23dfa65ea204b22c012b541a

SHA512
a2dfa03dd290540bcfeda6cfd7d6ed891700742b4323d8c8dbfc4c822386ef1ddfff5cf71b2e5d7be9ec72fb6fc2145ff6ffc440823187d6956d5aa2794c5799

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
164KB

MD5
0432ba74df5734cf5e3bfb7025b95d77

SHA1
787a092f11c808e1c9c2a6dbd0d0e2601ac44fde

SHA256
817c88d4b21f2110c53f9cf1095fb75fe31eab7d4a495a063c8c3629dc9a3bba

SHA512
06358684e774902fa2c04dcb97ed8ca347d3c81ab6c0c6eeb4144c66b00a247078010bb119a59ebcfbac6d9af4b1282b9cb8dc18c75b156b67793f96f717fc3f

Download Submit
C:\Windows\CTS.exe

Filesize
28KB

MD5
e6150447c894ade7b2b9ee88d5933922

SHA1
dc62f7f9ff1a492adadbc8b6321c0b7b9cd973d1

SHA256
b612d46644d0e4a3829c4d6715f71d979103aa487624805363b36f5b4f92b118

SHA512
d6db2b459723005662a646357bd60ab6e5cf77ab4f83868c91e725e45c32b44900c32724883df6aa4a0e85cbf7441bea159334f3080cfe8e7acec540aa996ff0

Download Submit
memory/2444-0-0x0000000000060000-0x0000000000077000-memory.dmp

Filesize
92KB

Download
memory/2444-8-0x0000000000060000-0x0000000000077000-memory.dmp

Filesize
92KB

Download
memory/4736-14-0x00000000005F0000-0x0000000000607000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads