Analysis

  • max time kernel
    141s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/10/2024, 08:49

General

  • Target

    66312bcc3e6c0623db30ef083f269538_JaffaCakes118.exe

  • Size

    56KB

  • MD5

    66312bcc3e6c0623db30ef083f269538

  • SHA1

    c269e517f490059ae03ab5ce807a44e1d31cb5c3

  • SHA256

    ead1a58aeaa2195ea7d87cf2d6191b766bc0d5106f1d5307e3911625a626c884

  • SHA512

    8e958fc824e5559791adfc21c2417879e186fe59eb23f3c6de3334fa3aaf3fd8236a1e6c14281d4eaaff1e76e73eed1ebf309646ddceff8430744e3b0366c216

  • SSDEEP

    768:eyX3LKew369lp2z3Sd4baFXLjwP/Tgj93b8NIo6yX3LKew369lp2z3Sd4baFXLjS:egKcR4mjD9r82RgKcR4mjD9r828

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\66312bcc3e6c0623db30ef083f269538_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\66312bcc3e6c0623db30ef083f269538_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2688
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:2748

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ub26NtpgayAqTiR.exe

    Filesize
    56KB

    MD5
    56a03d95c1f047dbb64cf6bdeb931d4e

    SHA1
    769ab6ff3a4006814469964664c6422f88dfed54

    SHA256
    a8237a9f16af81d6b21ee7b585db306bc1b939025653d21842c2ab20f68332d0

    SHA512
    d752aeeb12a302d0f2faf4261fc7180389d520586090ae9d27834ca44296be5c746843f9c5364c117652c30e887e5a0e4ac254f63475e807566acd5a7921c259

  • C:\Windows\CTS.exe

    Filesize
    56KB

    MD5
    90e6eef4ded5d6508765975aa3b8ef70

    SHA1
    8e77aa2d6560963a4e69751074f75831ba9c436a

    SHA256
    856cc5ad108ebb8fe06eee8ccc40cda879b1aa8f84ec4a2308f57a63488b3493

    SHA512
    e9c8df23ddade81d2ef5e04217cea0089bdc9462607d95a4743601a5c115d5e2713e21e1f031596022e9a75ed921b7f95021aca49859f194e5104269566d3833

  • memory/2688-0-0x0000000000930000-0x0000000000947000-memory.dmp

    Filesize
    92KB

  • memory/2688-9-0x0000000000930000-0x0000000000947000-memory.dmp

    Filesize
    92KB

  • memory/2748-11-0x0000000001330000-0x0000000001347000-memory.dmp

    Filesize
    92KB

  • memory/2748-16-0x0000000001330000-0x0000000001347000-memory.dmp

    Filesize
    92KB