4067832ad317c5facc0df7865c206fecd7634eba6a093126531bb40d56684642

General

Target

0863a5328d820d4986eda590e11c962b_JaffaCakes118.exe
Size

334KB
MD5

0863a5328d820d4986eda590e11c962b
SHA1

dc6ddd94b34c594b6dfd730d1bf858aafe641877
SHA256

4067832ad317c5facc0df7865c206fecd7634eba6a093126531bb40d56684642
SHA512

28125bf57b1937e82ebff47fdfea64fc05bde925e3c7604bea8263f58da2f20bf7b4a4059cefe5e66b6d69604772b25e6cdc4b5aed4c21d0f08de3eba41d96ab
SSDEEP

6144:AZvMGDCR4/6cSDCXfJl255cZdanRt3x8u:AdMuCR4/dpfC5aZdqh8u

Score

7^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4612	fJQR37Ondeg15rC.exe
4880	CTS.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	0863a5328d820d4986eda590e11c962b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3608-0-0x0000000000230000-0x0000000000247000-memory.dmp	upx
behavioral2/files/0x0008000000023464-7.dat	upx
behavioral2/memory/4880-10-0x0000000000FE0000-0x0000000000FF7000-memory.dmp	upx
behavioral2/memory/3608-9-0x0000000000230000-0x0000000000247000-memory.dmp	upx
behavioral2/files/0x0007000000023381-13.dat	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	0863a5328d820d4986eda590e11c962b_JaffaCakes118.exe
File created	C:\Windows\CTS.exe	CTS.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0863a5328d820d4986eda590e11c962b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CTS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3608	0863a5328d820d4986eda590e11c962b_JaffaCakes118.exe
Token: SeDebugPrivilege	4880	CTS.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3608 wrote to memory of 4612	3608	0863a5328d820d4986eda590e11c962b_JaffaCakes118.exe	82
PID 3608 wrote to memory of 4612	3608	0863a5328d820d4986eda590e11c962b_JaffaCakes118.exe	82
PID 3608 wrote to memory of 4880	3608	0863a5328d820d4986eda590e11c962b_JaffaCakes118.exe	83
PID 3608 wrote to memory of 4880	3608	0863a5328d820d4986eda590e11c962b_JaffaCakes118.exe	83
PID 3608 wrote to memory of 4880	3608	0863a5328d820d4986eda590e11c962b_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\0863a5328d820d4986eda590e11c962b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0863a5328d820d4986eda590e11c962b_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3608
- C:\Users\Admin\AppData\Local\Temp\fJQR37Ondeg15rC.exe
  C:\Users\Admin\AppData\Local\Temp\fJQR37Ondeg15rC.exe
  2⤵
  - Executes dropped EXE
  PID:4612
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
438KB

MD5
17059cae48fc6eed816c5e439a96a7b1

SHA1
477e8e8d5eb88c75e1625f16b4c23a61a8cc2327

SHA256
b34fe5c038540730c6a4d629060de1ce87adde2444a024f784e08a4df7c35596

SHA512
6f7913de684d429b153ff7d0026c668fe397e80ba6e1ec59865cf7fa173524ab20f70b4359a13f0d2fb181d14de96f488e4903bba4e264d452063ce78e43f00e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fJQR37Ondeg15rC.exe

Filesize
217KB

MD5
f8a38fd27da720881c0af1ac99b8c1ad

SHA1
2ed31938119e2ebdeb0f5539c985e9965aef72d7

SHA256
b2e32b3fa44b3a9a8fdfa906627355f6f48b4821929f9bce5ded2d07894361d4

SHA512
aafa05bc5bd68687b998fe4d9a619caecc65d14f317af7a05ac0ecab7e231891e8719029245dc84eddce20bdd4c0cc6f4ffafdf8200227746b28cc6628564495

Download Submit
C:\Windows\CTS.exe

Filesize
117KB

MD5
90560322e00c64a66ef2099f55ff1f09

SHA1
1404109a21e4656daa9dc570c32e6385b6634344

SHA256
69346cf100b44fce4b64c433efc47601922b255c5d4182f4ecf1fcff1ca05bf4

SHA512
164e6e7654b55727940b212d56df47043f11e612b04cdfbc4c33ad455bbb5b1cece3882acc944cd526f3c5dcd519bcd1d01a3d796e95902bfc680f51dfe74f61

Download Submit
memory/3608-0-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/3608-9-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/4880-10-0x0000000000FE0000-0x0000000000FF7000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads