bf351490092b6f9c6594c5ff792a38872c262810ba9175ca9af8710f5d615dc3

General

Target

294dafded4b0f097667490519c7b41ff_JaffaCakes118.exe
Size

1.8MB
MD5

294dafded4b0f097667490519c7b41ff
SHA1

d219bd2a013d6ad772d24d2fda887dc4ec0ff250
SHA256

bf351490092b6f9c6594c5ff792a38872c262810ba9175ca9af8710f5d615dc3
SHA512

73baa1cf8d8c5b24dbda2b7ce08c9fe9b3b39d5feee06bba2f0d69314d8e094caf3daeb6bf4314725925675c9ff082ebcc05956c3ce2d24dc32eb254379856be
SSDEEP

49152:SAFkt2qR4/yw7Uj2fhMeBn/1SyISsqiQLCqAmUMImc8xhgWl/GgfJh:tet8awwQhMa/3HsTQLCqRt3Vxh3h

Score

7^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
876	ZCe6FGEu3hOCCQA.exe
2288	CTS.exe
2304	ZCe6FGEu3hOCCQA.exe

Loads dropped DLL 2 IoCs

pid	Process
1972	294dafded4b0f097667490519c7b41ff_JaffaCakes118.exe
876	ZCe6FGEu3hOCCQA.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	294dafded4b0f097667490519c7b41ff_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1972-0-0x00000000002F0000-0x0000000000307000-memory.dmp	upx
behavioral1/memory/2288-15-0x0000000000BA0000-0x0000000000BB7000-memory.dmp	upx
behavioral1/files/0x000f000000018ab4-14.dat	upx
behavioral1/memory/1972-12-0x00000000002F0000-0x0000000000307000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	294dafded4b0f097667490519c7b41ff_JaffaCakes118.exe
File created	C:\Windows\CTS.exe	CTS.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZCe6FGEu3hOCCQA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZCe6FGEu3hOCCQA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	294dafded4b0f097667490519c7b41ff_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	ZCe6FGEu3hOCCQA.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	ZCe6FGEu3hOCCQA.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	ZCe6FGEu3hOCCQA.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1972	294dafded4b0f097667490519c7b41ff_JaffaCakes118.exe
Token: SeDebugPrivilege	2288	CTS.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2304	ZCe6FGEu3hOCCQA.exe
2304	ZCe6FGEu3hOCCQA.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 876	1972	294dafded4b0f097667490519c7b41ff_JaffaCakes118.exe	29
PID 1972 wrote to memory of 876	1972	294dafded4b0f097667490519c7b41ff_JaffaCakes118.exe	29
PID 1972 wrote to memory of 876	1972	294dafded4b0f097667490519c7b41ff_JaffaCakes118.exe	29
PID 1972 wrote to memory of 876	1972	294dafded4b0f097667490519c7b41ff_JaffaCakes118.exe	29
PID 1972 wrote to memory of 876	1972	294dafded4b0f097667490519c7b41ff_JaffaCakes118.exe	29
PID 1972 wrote to memory of 876	1972	294dafded4b0f097667490519c7b41ff_JaffaCakes118.exe	29
PID 1972 wrote to memory of 876	1972	294dafded4b0f097667490519c7b41ff_JaffaCakes118.exe	29
PID 1972 wrote to memory of 2288	1972	294dafded4b0f097667490519c7b41ff_JaffaCakes118.exe	30
PID 1972 wrote to memory of 2288	1972	294dafded4b0f097667490519c7b41ff_JaffaCakes118.exe	30
PID 1972 wrote to memory of 2288	1972	294dafded4b0f097667490519c7b41ff_JaffaCakes118.exe	30
PID 1972 wrote to memory of 2288	1972	294dafded4b0f097667490519c7b41ff_JaffaCakes118.exe	30
PID 876 wrote to memory of 2304	876	ZCe6FGEu3hOCCQA.exe	31
PID 876 wrote to memory of 2304	876	ZCe6FGEu3hOCCQA.exe	31
PID 876 wrote to memory of 2304	876	ZCe6FGEu3hOCCQA.exe	31
PID 876 wrote to memory of 2304	876	ZCe6FGEu3hOCCQA.exe	31
PID 876 wrote to memory of 2304	876	ZCe6FGEu3hOCCQA.exe	31
PID 876 wrote to memory of 2304	876	ZCe6FGEu3hOCCQA.exe	31
PID 876 wrote to memory of 2304	876	ZCe6FGEu3hOCCQA.exe	31

C:\Users\Admin\AppData\Local\Temp\294dafded4b0f097667490519c7b41ff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\294dafded4b0f097667490519c7b41ff_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Local\Temp\ZCe6FGEu3hOCCQA.exe
  C:\Users\Admin\AppData\Local\Temp\ZCe6FGEu3hOCCQA.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:876
- - C:\Users\Admin\AppData\Local\Temp\jds259525353.tmp\ZCe6FGEu3hOCCQA.exe
    "C:\Users\Admin\AppData\Local\Temp\jds259525353.tmp\ZCe6FGEu3hOCCQA.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies system certificate store
    - Suspicious use of SetWindowsHookEx
    PID:2304
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

3

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
1KB

MD5
2c22baaa4217ff28655ca2f95647a909

SHA1
2032690c6e8c633d545283863aac42dbf308ebe5

SHA256
1cae4f5c1afc155339dd8af606f935164323ec0ad298ffea5b976d65398f1c7d

SHA512
9f8e90674de017022b1be3518942370a10ae32d8bedfb8fc86e0bfb8e706cf36596e980b9d06913135bcb6faa1bc7e8d292537b2d7d4c7d064f59fb691667c6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
4KB

MD5
0b692be1c3bffe87da1cbdefb68c967a

SHA1
bbafa377be70a7da120f5b97f23c7bbced730512

SHA256
e86dadb46843e6ec43661c04b4a9879e8e1f472b14eaacb8abea67b91fa76f14

SHA512
7e00349af8a2e36ed24b95fc7e7abe89e677a03e758b5b2fefdd224efa0c1e687ee30a817170d03d6bb476f37b0a5362a374753596126eec7f46d0bf02f93167

Download Submit
C:\Windows\CTS.exe

Filesize
28KB

MD5
e6150447c894ade7b2b9ee88d5933922

SHA1
dc62f7f9ff1a492adadbc8b6321c0b7b9cd973d1

SHA256
b612d46644d0e4a3829c4d6715f71d979103aa487624805363b36f5b4f92b118

SHA512
d6db2b459723005662a646357bd60ab6e5cf77ab4f83868c91e725e45c32b44900c32724883df6aa4a0e85cbf7441bea159334f3080cfe8e7acec540aa996ff0

Download Submit
\Users\Admin\AppData\Local\Temp\ZCe6FGEu3hOCCQA.exe

Filesize
1.8MB

MD5
544e07d620d3108b9b6aa3384d02dea5

SHA1
9897596f3c4ec39e38ef7f1081783db7693ae0b2

SHA256
a8fb1a1473831ac6feb092afd2cbdded2d6a881d3576158fabd89090050b52f8

SHA512
3663b9c056447c4491635b5bdcbc6e1a2b67a432b41bab6f479da5c787c48f1067cecafdfb6d9763f9b17b553aa953ae87068ba7f0c1c93facf34db7ac53a64c

Download Submit
\Users\Admin\AppData\Local\Temp\jds259525353.tmp\ZCe6FGEu3hOCCQA.exe

Filesize
1.6MB

MD5
109cbe148f827137c3ba62261f01b29b

SHA1
2cc02b09da46d9e5d0ac1b306a0bbcc12bfe4c12

SHA256
394ad6212e4866cc8e6d1834df8f70538dddf09d23dfa65ea204b22c012b541a

SHA512
a2dfa03dd290540bcfeda6cfd7d6ed891700742b4323d8c8dbfc4c822386ef1ddfff5cf71b2e5d7be9ec72fb6fc2145ff6ffc440823187d6956d5aa2794c5799

Download Submit
memory/1972-0-0x00000000002F0000-0x0000000000307000-memory.dmp

Filesize
92KB

Download
memory/1972-12-0x00000000002F0000-0x0000000000307000-memory.dmp

Filesize
92KB

Download
memory/2288-15-0x0000000000BA0000-0x0000000000BB7000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads