ed9cb7fd0ba63a5f72bb3c1bddaa14ce899b5a73fac92cea0e86b78a7b5ccad6

General

Target

3bd8254ca92d99743eea90062b470ff2_JaffaCakes118.exe
Size

42KB
MD5

3bd8254ca92d99743eea90062b470ff2
SHA1

cd224765492d462a1903414f5e5a9cfaa930f056
SHA256

ed9cb7fd0ba63a5f72bb3c1bddaa14ce899b5a73fac92cea0e86b78a7b5ccad6
SHA512

ff800a3c6baa1c818e2df041827b62c4006928bf2b93f6af5ca05bb3f1a056d67c012f3c9d0bef61175fb8d373566c550e4a0272daa2e95f88631ab269509059
SSDEEP

768:XocAX3LKew369lp2z3Sd4baFXLjwP/Tgj93b8NIocVSEF20PiYHWXP84yocQlTZR:SKcR4mjD9r823F2c9yPQQh8YZ

Score

7^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4776	CTS.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	3bd8254ca92d99743eea90062b470ff2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1396-0-0x0000000000860000-0x0000000000877000-memory.dmp	upx
behavioral2/files/0x000b000000023b99-6.dat	upx
behavioral2/memory/4776-7-0x0000000000490000-0x00000000004A7000-memory.dmp	upx
behavioral2/memory/1396-10-0x0000000000860000-0x0000000000877000-memory.dmp	upx
behavioral2/files/0x000f0000000239ce-13.dat	upx
behavioral2/files/0x000c000000023b37-31.dat	upx
behavioral2/memory/4776-33-0x0000000000490000-0x00000000004A7000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	CTS.exe
File created	C:\Windows\CTS.exe	3bd8254ca92d99743eea90062b470ff2_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3bd8254ca92d99743eea90062b470ff2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CTS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1396	3bd8254ca92d99743eea90062b470ff2_JaffaCakes118.exe
Token: SeDebugPrivilege	4776	CTS.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1396 wrote to memory of 4776	1396	3bd8254ca92d99743eea90062b470ff2_JaffaCakes118.exe	84
PID 1396 wrote to memory of 4776	1396	3bd8254ca92d99743eea90062b470ff2_JaffaCakes118.exe	84
PID 1396 wrote to memory of 4776	1396	3bd8254ca92d99743eea90062b470ff2_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\3bd8254ca92d99743eea90062b470ff2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3bd8254ca92d99743eea90062b470ff2_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4776

Network

DNS

73.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

73.159.190.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

43.58.199.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.58.199.20.in-addr.arpa

IN PTR

Response
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

66.209.201.84.in-addr.arpa

Remote address:

8.8.8.8:53

Request

66.209.201.84.in-addr.arpa

IN PTR

Response
DNS

88.210.23.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.210.23.2.in-addr.arpa

IN PTR

Response

88.210.23.2.in-addr.arpa

IN PTR

a2-23-210-88deploystaticakamaitechnologiescom
DNS

14.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.227.111.52.in-addr.arpa

IN PTR

Response

No results found

8.8.8.8:53

73.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

73.159.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

43.58.199.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

43.58.199.20.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

66.209.201.84.in-addr.arpa

dns

72 B
132 B
1
1

DNS Request

66.209.201.84.in-addr.arpa
8.8.8.8:53

88.210.23.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

88.210.23.2.in-addr.arpa
8.8.8.8:53

14.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

14.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
351KB

MD5
87793a4088ae175614ea14bc0864cc41

SHA1
d3811b24186366177b79dedf11b9755aca204358

SHA256
e4bf13adb0e7f5295f813a2d6b51bb2e8591d4927f18935ba79f762cfcbe26d0

SHA512
4b29290198e06d0c84844e342d757c8f482dd5c39371d36fcfb6e5032534022747a06b0f1e65e62704b1fd0d80950d5ef0296ac7b2a566b3acf3c957ec7bad14

Download Submit
C:\Users\Admin\AppData\Local\Temp\pAenbcGwchC270y.exe

Filesize
42KB

MD5
e8d8d4ecd8ad2c6fcf829f4791a99efb

SHA1
7682d1e7667d68832a1cc8b5fe3917c40e69b8e4

SHA256
1ac9dc775625c340c883f160e9651f3e8c147a7cdeacd661b353860dd607150f

SHA512
31642f514a161d2832887921c711149386ba1d12e2554031bc16418841b29121b8b8f0790270cb6254ff2191b7da4a78d2e4519884197caa7b0de66b4ba14620

Download Submit
C:\Windows\CTS.exe

Filesize
29KB

MD5
70aa23c9229741a9b52e5ce388a883ac

SHA1
b42683e21e13de3f71db26635954d992ebe7119e

SHA256
9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2

SHA512
be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5

Download Submit
memory/1396-0-0x0000000000860000-0x0000000000877000-memory.dmp

Filesize
92KB

Download
memory/1396-10-0x0000000000860000-0x0000000000877000-memory.dmp

Filesize
92KB

Download
memory/4776-7-0x0000000000490000-0x00000000004A7000-memory.dmp

Filesize
92KB

Download
memory/4776-33-0x0000000000490000-0x00000000004A7000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.