Analysis

  • max time kernel: 148s
  • max time network: 149s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 21/10/2024, 08:49

General

  • Target: 66312bcc3e6c0623db30ef083f269538_JaffaCakes118.exe
  • Size: 56KB
  • MD5: 66312bcc3e6c0623db30ef083f269538
  • SHA1: c269e517f490059ae03ab5ce807a44e1d31cb5c3
  • SHA256: ead1a58aeaa2195ea7d87cf2d6191b766bc0d5106f1d5307e3911625a626c884
  • SHA512: 8e958fc824e5559791adfc21c2417879e186fe59eb23f3c6de3334fa3aaf3fd8236a1e6c14281d4eaaff1e76e73eed1ebf309646ddceff8430744e3b0366c216
  • SSDEEP: 768:eyX3LKew369lp2z3Sd4baFXLjwP/Tgj93b8NIo6yX3LKew369lp2z3Sd4baFXLjS:egKcR4mjD9r82RgKcR4mjD9r828

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\66312bcc3e6c0623db30ef083f269538_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\66312bcc3e6c0623db30ef083f269538_JaffaCakes118.exe"
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2212
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:3660

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
    Filesize: 379KB
    MD5: a739ccac9f1a044074003e167e25c6ad
    SHA1: a055742a3774e84b03837947474905c89e958e72
    SHA256: 591c0d8e21bfd394912dff2f1f77e8559e402197df99416a15371c640ce45d60
    SHA512: 1eef49bdea5314cf341df0c9e0ce5cfc75f6ea75c79fb7c802788d90413aa9ee281fbe55cfe0a408a8d852085db4b2a57e58463a16ef4532055a0dea92fc3f3d

  • C:\Users\Admin\AppData\Local\Temp\tAPQaXyllEVaBt5.exe
    Filesize: 56KB
    MD5: c956347ae933d03eb4b1d2faa6d98607
    SHA1: 2173ad48ed5e7cb86cac7b9350584e4dc0436ad7
    SHA256: c1fb1901ab77525660dfd6b9ba2f92f47903d19861420f5c68d8a230ebd40991
    SHA512: 5c110f74f181a22c185532d7ad877fb39abc08b0de23de17d90be242e483c2183e4f5dedb173133c6e287869e75369f4c9c85f35eb35bebb432804d09c14addc

  • C:\Windows\CTS.exe
    Filesize: 56KB
    MD5: 90e6eef4ded5d6508765975aa3b8ef70
    SHA1: 8e77aa2d6560963a4e69751074f75831ba9c436a
    SHA256: 856cc5ad108ebb8fe06eee8ccc40cda879b1aa8f84ec4a2308f57a63488b3493
    SHA512: e9c8df23ddade81d2ef5e04217cea0089bdc9462607d95a4743601a5c115d5e2713e21e1f031596022e9a75ed921b7f95021aca49859f194e5104269566d3833

  • memory/2212-0-0x0000000000970000-0x0000000000987000-memory.dmp
    Filesize: 92KB

  • memory/2212-7-0x0000000000970000-0x0000000000987000-memory.dmp
    Filesize: 92KB

  • memory/3660-8-0x0000000000D20000-0x0000000000D37000-memory.dmp
    Filesize: 92KB

  • memory/3660-31-0x0000000000D20000-0x0000000000D37000-memory.dmp
    Filesize: 92KB