5b327c541d95c2828a5509a381d20e9de69ab3da3e13d247dc6c3a941411aee3

General

Target

8d3faa99b533520fb516b86d2aa4a7df_JaffaCakes118.exe
Size

3.4MB
MD5

8d3faa99b533520fb516b86d2aa4a7df
SHA1

2cd0c04f4b3b8297e6b6d9e25498aa47d1f4fd02
SHA256

5b327c541d95c2828a5509a381d20e9de69ab3da3e13d247dc6c3a941411aee3
SHA512

cd551eaf3d98e5f797b2225854eff2368b8c6f3e539036c5a37b2acb04cee7714c5b68590575261370f8ac64c79151ba98543b8cc9193237d30b1d79c6deb71b
SSDEEP

24576:PoH9mrnEQIh3Qh3OTZriEu8CkB06lVYtjbTpmWFb5DBk:PoFQC6mZq8J2OVijbTpTdO

Score

7^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3672	CTS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1924-0-0x0000000000440000-0x00000000007D5000-memory.dmp	upx
behavioral2/files/0x0008000000023461-6.dat	upx
behavioral2/memory/1924-9-0x0000000000440000-0x00000000007D5000-memory.dmp	upx
behavioral2/memory/3672-10-0x0000000000490000-0x0000000000825000-memory.dmp	upx
behavioral2/files/0x0009000000023371-13.dat	upx
behavioral2/files/0x0009000000023404-30.dat	upx
behavioral2/memory/3672-35-0x0000000000490000-0x0000000000825000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	8d3faa99b533520fb516b86d2aa4a7df_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	8d3faa99b533520fb516b86d2aa4a7df_JaffaCakes118.exe
File created	C:\Windows\CTS.exe	CTS.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d3faa99b533520fb516b86d2aa4a7df_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CTS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1924	8d3faa99b533520fb516b86d2aa4a7df_JaffaCakes118.exe
Token: SeDebugPrivilege	3672	CTS.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 3672	1924	8d3faa99b533520fb516b86d2aa4a7df_JaffaCakes118.exe	84
PID 1924 wrote to memory of 3672	1924	8d3faa99b533520fb516b86d2aa4a7df_JaffaCakes118.exe	84
PID 1924 wrote to memory of 3672	1924	8d3faa99b533520fb516b86d2aa4a7df_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\8d3faa99b533520fb516b86d2aa4a7df_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8d3faa99b533520fb516b86d2aa4a7df_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
3.8MB

MD5
7ef200bf2b216f45822a25387d23689a

SHA1
2fa321d415fba8a2fbeb8a92deba72ac43993095

SHA256
189968d61049bb04f6048f5a2f66cde506c66d3bdaea5e3e97f75af23f3d8680

SHA512
52865fbe7f423384b9d9fb808ce225c3cbbc44e012abf4c0954cfba31ee2e5bdfd624441b1a2d13243532c75f857d311b3596e5792a2bb51e605d5d363c7364b

Download Submit
C:\Users\Admin\AppData\Local\Temp\JFJxj96uGRo7AKQ.exe

Filesize
3.4MB

MD5
d6c0d46e7797ed375baa150f334a8169

SHA1
ba4faccb6510f0cabc1175506e9e389ab96022d9

SHA256
cf0b1fdbd48e71f7fd38dd30dfd09dbf2858164e1a8afe8d0ae6e2edccbe6384

SHA512
63be9a808eceb6117c07dc5c38183b81c103448c45983e04202535a35450921e74a579ccfec30b6db34b2155935bb06e8b1ca9c8e46e0ce77cc0ed280a24365b

Download Submit
C:\Windows\CTS.exe

Filesize
3.4MB

MD5
950ad7a4202239f1642ffec873b254bc

SHA1
12c877a3bd0e6f5c77c40f41e98b41b54c695165

SHA256
dc5d5bda6e3e2df827356ac62c5dd77cd0e5e4a228372cbd530da0dc8ba3be9f

SHA512
0ce5544de274d393f1b8c2a8ec26c3c32b1b099d8984b312eb3c96b607f211e3bb58199979b9448c95b2c3764fbe1506ca7daa3dadee7d95220d0093f2682d44

Download Submit
memory/1924-0-0x0000000000440000-0x00000000007D5000-memory.dmp

Filesize
3.6MB

Download
memory/1924-9-0x0000000000440000-0x00000000007D5000-memory.dmp

Filesize
3.6MB

Download
memory/1924-8-0x0000000000440000-0x00000000007D5000-memory.dmp

Filesize
3.6MB

Download
memory/3672-10-0x0000000000490000-0x0000000000825000-memory.dmp

Filesize
3.6MB

Download
memory/3672-35-0x0000000000490000-0x0000000000825000-memory.dmp

Filesize
3.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads