a22e1bea80dcc2286e732375259da9da76cf534fdb995714e64506340fd8e7d3

General

Target

0bb6731f5da64a06d1415a4cc85fce93_JaffaCakes118.exe
Size

44KB
MD5

0bb6731f5da64a06d1415a4cc85fce93
SHA1

62f1d2bb1af71ca01c960718f2c2a256b30cfbee
SHA256

a22e1bea80dcc2286e732375259da9da76cf534fdb995714e64506340fd8e7d3
SHA512

f75c27de029201ed3e3055b46d63fd775f2e0323f44e5c79b55db55eb58fb1ed4bbe2a91f6b38f51bddc87e6329c8dfafa58ba8d3da8f2a17c19e78dd4687aec
SSDEEP

768:eyX3LKew369lp2z3Sd4baFXLjwP/Tgj93b8NIo4ZIjM6ycQNetT3bUun9xIy/T:egKcR4mjD9r82RqArNS3gGIA

Score

7^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3600	CTS.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	0bb6731f5da64a06d1415a4cc85fce93_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3672-0-0x0000000000F40000-0x0000000000F57000-memory.dmp	upx
behavioral2/files/0x00070000000234df-6.dat	upx
behavioral2/memory/3600-7-0x0000000000010000-0x0000000000027000-memory.dmp	upx
behavioral2/memory/3672-10-0x0000000000F40000-0x0000000000F57000-memory.dmp	upx
behavioral2/files/0x0007000000023365-13.dat	upx
behavioral2/files/0x00080000000234db-31.dat	upx
behavioral2/memory/3600-35-0x0000000000010000-0x0000000000027000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	0bb6731f5da64a06d1415a4cc85fce93_JaffaCakes118.exe
File created	C:\Windows\CTS.exe	CTS.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0bb6731f5da64a06d1415a4cc85fce93_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CTS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3672	0bb6731f5da64a06d1415a4cc85fce93_JaffaCakes118.exe
Token: SeDebugPrivilege	3600	CTS.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3672 wrote to memory of 3600	3672	0bb6731f5da64a06d1415a4cc85fce93_JaffaCakes118.exe	82
PID 3672 wrote to memory of 3600	3672	0bb6731f5da64a06d1415a4cc85fce93_JaffaCakes118.exe	82
PID 3672 wrote to memory of 3600	3672	0bb6731f5da64a06d1415a4cc85fce93_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\0bb6731f5da64a06d1415a4cc85fce93_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0bb6731f5da64a06d1415a4cc85fce93_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3672
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
349KB

MD5
28e320fdfb1a4391e3130a9ef957db1b

SHA1
aba1bb4f42ef6a4a4139668c0914a65a8b13e38b

SHA256
af050146382cf4f62486690f781eafb4b8db93524dbf62db64a8468cf4c5c281

SHA512
1690fa281fafc66620dde8d2362e6eaf0078885c282afa0a63f0baf590fe354e875cb99b64727230ee9482ab66bde61938415213f79f640bdab21a150b058861

Download Submit
C:\Users\Admin\AppData\Local\Temp\NwctRnhdb1ISE7J.exe

Filesize
44KB

MD5
c6a8239f8c4cbcb262ab3f0633aacbe9

SHA1
463a1d93491398be2aef46248c240fc6c1886016

SHA256
d06e6e9c69644bed412b66117f27c7e4cf09fa08e712602839fc7ac967d2d194

SHA512
448802e7893ecd485eba2a10beea809b8d21172e6afb555b0096442f2d0c50254cae1c5659745a4751f66d0984dd572c5258623cc8b8e73b340e146f2a3e472a

Download Submit
C:\Windows\CTS.exe

Filesize
28KB

MD5
e6150447c894ade7b2b9ee88d5933922

SHA1
dc62f7f9ff1a492adadbc8b6321c0b7b9cd973d1

SHA256
b612d46644d0e4a3829c4d6715f71d979103aa487624805363b36f5b4f92b118

SHA512
d6db2b459723005662a646357bd60ab6e5cf77ab4f83868c91e725e45c32b44900c32724883df6aa4a0e85cbf7441bea159334f3080cfe8e7acec540aa996ff0

Download Submit
memory/3600-7-0x0000000000010000-0x0000000000027000-memory.dmp

Filesize
92KB

Download
memory/3600-35-0x0000000000010000-0x0000000000027000-memory.dmp

Filesize
92KB

Download
memory/3672-0-0x0000000000F40000-0x0000000000F57000-memory.dmp

Filesize
92KB

Download
memory/3672-10-0x0000000000F40000-0x0000000000F57000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads