6e64dc33ca0319b60c0bc8485f5164a3abc5729eaeae1c53308a5a8bc22d9a31

General

Target

f6c50648c94ad2459897b67f5deee158_JaffaCakes118.exe
Size

702KB
MD5

f6c50648c94ad2459897b67f5deee158
SHA1

59855cc29ca3610e495f70f9a85faffe8f6a36c0
SHA256

6e64dc33ca0319b60c0bc8485f5164a3abc5729eaeae1c53308a5a8bc22d9a31
SHA512

a0102570a1f282e8b0f47d434867c2f05d0c1e868e2a4084e078daf6a58ee20bdc3fe33ac5a5447fc70cbc1f7ab6212060c223a0a78725f6da3fabe2c6a84e4e
SSDEEP

12288:hdi+Y/yKcq0AYjNuNWJ9EdymjXbMNiJ1BAwidzUDXXNOa1gMM:ho+eyKr0AguS98NXbQ8ridziXNOugH

Score

7^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4572	F7mXApXjR4XixMw.exe
1580	CTS.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	f6c50648c94ad2459897b67f5deee158_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3392-0-0x0000000000B70000-0x0000000000B87000-memory.dmp	upx
behavioral2/files/0x00090000000234ae-7.dat	upx
behavioral2/memory/1580-11-0x0000000000530000-0x0000000000547000-memory.dmp	upx
behavioral2/memory/3392-10-0x0000000000B70000-0x0000000000B87000-memory.dmp	upx
behavioral2/files/0x0009000000023417-14.dat	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	f6c50648c94ad2459897b67f5deee158_JaffaCakes118.exe
File created	C:\Windows\CTS.exe	CTS.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f6c50648c94ad2459897b67f5deee158_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CTS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3392	f6c50648c94ad2459897b67f5deee158_JaffaCakes118.exe
Token: SeDebugPrivilege	1580	CTS.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3392 wrote to memory of 4572	3392	f6c50648c94ad2459897b67f5deee158_JaffaCakes118.exe	82
PID 3392 wrote to memory of 4572	3392	f6c50648c94ad2459897b67f5deee158_JaffaCakes118.exe	82
PID 3392 wrote to memory of 1580	3392	f6c50648c94ad2459897b67f5deee158_JaffaCakes118.exe	83
PID 3392 wrote to memory of 1580	3392	f6c50648c94ad2459897b67f5deee158_JaffaCakes118.exe	83
PID 3392 wrote to memory of 1580	3392	f6c50648c94ad2459897b67f5deee158_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\f6c50648c94ad2459897b67f5deee158_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f6c50648c94ad2459897b67f5deee158_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3392
- C:\Users\Admin\AppData\Local\Temp\F7mXApXjR4XixMw.exe
  C:\Users\Admin\AppData\Local\Temp\F7mXApXjR4XixMw.exe
  2⤵
  - Executes dropped EXE
  PID:4572
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
451KB

MD5
8edb0d18cc4e3f638cc41dd7a08c686d

SHA1
c16d94fd3ed260cc2d7e3b299fa9c4c4c0b5dc9b

SHA256
a8873946dddf9102a8772a11c22a7af891eb2b0b39aa798431f31de048193fd7

SHA512
166afe9b0f258b1b631a6e2b3c2459975cbb3a9c3db5510fb93ff97c4e43a5ce77f4795327e6b5391acc20a60dd682ebaefc3ad5df8d85c21b8831af9248e52d

Download Submit
C:\Users\Admin\AppData\Local\Temp\F7mXApXjR4XixMw.exe

Filesize
574KB

MD5
6503efe0a01c2d50c97be27f3cb10a43

SHA1
a0cb3708603a18f02352d01ec672020e5bad5073

SHA256
0cf9864ae3a8679ed503f954a453452c93fa44f99ca6f39bbc5860abde7fd35e

SHA512
ebdbc553ba4348676fd3f2ca12e48af53a229b449a36e653dbfca90efb34d21033e41d1157dcca28c2b1e5f91368c0839298992247cf7d2e8feca5feab8ecea4

Download Submit
C:\Windows\CTS.exe

Filesize
128KB

MD5
3d5bd7aa0f0a572e3c088adb69217b87

SHA1
f425920d54e48beff4c85ae05ab69e6c11ea67a4

SHA256
810b1841a306b9acbb426b93c069c46bc485195c94f05db4fc727d5dcea35476

SHA512
15d969d5257aa8c3eb53708627784c3ee39b33c372a27c07a1951faffdb34e1816b60da12f2575d56dbc0e780daa7c86198a66b2fcf29c9ae916a2cb26b59bc5

Download Submit
memory/1580-11-0x0000000000530000-0x0000000000547000-memory.dmp

Filesize
92KB

Download
memory/3392-0-0x0000000000B70000-0x0000000000B87000-memory.dmp

Filesize
92KB

Download
memory/3392-10-0x0000000000B70000-0x0000000000B87000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads