3dd4845ed990d4a75d1b1251b9a15d4edd823c69bc49b1e94c91f982135a7073

General

Target

36a684a4ef9a020e0ebf02f3aeb7c8e1_JaffaCakes118.exe
Size

30KB
MD5

36a684a4ef9a020e0ebf02f3aeb7c8e1
SHA1

1391c3f03c582d8afacdeb398590452ac87f1aab
SHA256

3dd4845ed990d4a75d1b1251b9a15d4edd823c69bc49b1e94c91f982135a7073
SHA512

812b51e3553fa450c5ece31475c56dcbe12d7511250089fc2cb42301c7618d4831bf85153c99d7ede831ddc18b82ee48361814cda69c66ee42f8fe3f6de87366
SSDEEP

768:XocAX3LKew369lp2z3Sd4baFXLjwP/Tgj93b8NIocVSEFGH:SKcR4mjD9r823F6

Score

7^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4868	CTS.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	36a684a4ef9a020e0ebf02f3aeb7c8e1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1764-0-0x00000000005B0000-0x00000000005C7000-memory.dmp	upx
behavioral2/files/0x0008000000023c9f-6.dat	upx
behavioral2/memory/4868-7-0x0000000000B50000-0x0000000000B67000-memory.dmp	upx
behavioral2/memory/1764-10-0x00000000005B0000-0x00000000005C7000-memory.dmp	upx
behavioral2/files/0x003e00000002350a-13.dat	upx
behavioral2/files/0x000a000000023c98-31.dat	upx
behavioral2/memory/4868-35-0x0000000000B50000-0x0000000000B67000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	36a684a4ef9a020e0ebf02f3aeb7c8e1_JaffaCakes118.exe
File created	C:\Windows\CTS.exe	CTS.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36a684a4ef9a020e0ebf02f3aeb7c8e1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CTS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1764	36a684a4ef9a020e0ebf02f3aeb7c8e1_JaffaCakes118.exe
Token: SeDebugPrivilege	4868	CTS.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 4868	1764	36a684a4ef9a020e0ebf02f3aeb7c8e1_JaffaCakes118.exe	82
PID 1764 wrote to memory of 4868	1764	36a684a4ef9a020e0ebf02f3aeb7c8e1_JaffaCakes118.exe	82
PID 1764 wrote to memory of 4868	1764	36a684a4ef9a020e0ebf02f3aeb7c8e1_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\36a684a4ef9a020e0ebf02f3aeb7c8e1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\36a684a4ef9a020e0ebf02f3aeb7c8e1_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
351KB

MD5
7b0abdc9433a5ef73d1a2d3bb6ac8da3

SHA1
67305771bb1db515b3b314e7cf5ca7c4372eec56

SHA256
54185d6f5c20ee929d3cfa3a5a4ee67ddd2b94e55a5aebf530c40123238a0abf

SHA512
79851244f08607f7dfd2a6e3e3c1532c7345b8593adde786a803c5ed02995bd8d825315a2abf6e29be77633d72ec397c3f029403707f99a3853c29879112600d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6Amc3sBieAQmmvF.exe

Filesize
30KB

MD5
95b7109fac354ff07d4b04de53a9a14f

SHA1
b6bb1d119df64ddc4873abf503e87b6f1f8e2e79

SHA256
75f4e09a3cab15e1323573470cdf5540f12e7952664bec7a3fd4ceb40ac5e7ab

SHA512
770a9db9900872d75c94058c2bacaf64051b26e237c29190931369862b6b1938343c657d9ca69dc6e85a5a40ac9addc8a4149ae8542ca41614ed338fde0d5209

Download Submit
C:\Windows\CTS.exe

Filesize
29KB

MD5
70aa23c9229741a9b52e5ce388a883ac

SHA1
b42683e21e13de3f71db26635954d992ebe7119e

SHA256
9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2

SHA512
be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5

Download Submit
memory/1764-0-0x00000000005B0000-0x00000000005C7000-memory.dmp

Filesize
92KB

Download
memory/1764-10-0x00000000005B0000-0x00000000005C7000-memory.dmp

Filesize
92KB

Download
memory/4868-7-0x0000000000B50000-0x0000000000B67000-memory.dmp

Filesize
92KB

Download
memory/4868-35-0x0000000000B50000-0x0000000000B67000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads