Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
21/10/2024, 08:49
Behavioral task
behavioral1
Sample
66312bcc3e6c0623db30ef083f269538_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
66312bcc3e6c0623db30ef083f269538_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
66312bcc3e6c0623db30ef083f269538_JaffaCakes118.exe
-
Size
56KB
-
MD5
66312bcc3e6c0623db30ef083f269538
-
SHA1
c269e517f490059ae03ab5ce807a44e1d31cb5c3
-
SHA256
ead1a58aeaa2195ea7d87cf2d6191b766bc0d5106f1d5307e3911625a626c884
-
SHA512
8e958fc824e5559791adfc21c2417879e186fe59eb23f3c6de3334fa3aaf3fd8236a1e6c14281d4eaaff1e76e73eed1ebf309646ddceff8430744e3b0366c216
-
SSDEEP
768:eyX3LKew369lp2z3Sd4baFXLjwP/Tgj93b8NIo6yX3LKew369lp2z3Sd4baFXLjS:egKcR4mjD9r82RgKcR4mjD9r828
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 3660 CTS.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" 66312bcc3e6c0623db30ef083f269538_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" CTS.exe -
resource yara_rule behavioral2/memory/2212-0-0x0000000000970000-0x0000000000987000-memory.dmp upx behavioral2/files/0x000c000000023b4f-5.dat upx behavioral2/memory/3660-8-0x0000000000D20000-0x0000000000D37000-memory.dmp upx behavioral2/memory/2212-7-0x0000000000970000-0x0000000000987000-memory.dmp upx behavioral2/files/0x005500000002326f-12.dat upx behavioral2/files/0x000c000000023af0-29.dat upx behavioral2/memory/3660-31-0x0000000000D20000-0x0000000000D37000-memory.dmp upx -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\CTS.exe 66312bcc3e6c0623db30ef083f269538_JaffaCakes118.exe File created C:\Windows\CTS.exe CTS.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CTS.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 66312bcc3e6c0623db30ef083f269538_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2212 66312bcc3e6c0623db30ef083f269538_JaffaCakes118.exe Token: SeDebugPrivilege 3660 CTS.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2212 wrote to memory of 3660 2212 66312bcc3e6c0623db30ef083f269538_JaffaCakes118.exe 84 PID 2212 wrote to memory of 3660 2212 66312bcc3e6c0623db30ef083f269538_JaffaCakes118.exe 84 PID 2212 wrote to memory of 3660 2212 66312bcc3e6c0623db30ef083f269538_JaffaCakes118.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\66312bcc3e6c0623db30ef083f269538_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\66312bcc3e6c0623db30ef083f269538_JaffaCakes118.exe"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\CTS.exe"C:\Windows\CTS.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3660
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
379KB
MD5a739ccac9f1a044074003e167e25c6ad
SHA1a055742a3774e84b03837947474905c89e958e72
SHA256591c0d8e21bfd394912dff2f1f77e8559e402197df99416a15371c640ce45d60
SHA5121eef49bdea5314cf341df0c9e0ce5cfc75f6ea75c79fb7c802788d90413aa9ee281fbe55cfe0a408a8d852085db4b2a57e58463a16ef4532055a0dea92fc3f3d
-
Filesize
56KB
MD5c956347ae933d03eb4b1d2faa6d98607
SHA12173ad48ed5e7cb86cac7b9350584e4dc0436ad7
SHA256c1fb1901ab77525660dfd6b9ba2f92f47903d19861420f5c68d8a230ebd40991
SHA5125c110f74f181a22c185532d7ad877fb39abc08b0de23de17d90be242e483c2183e4f5dedb173133c6e287869e75369f4c9c85f35eb35bebb432804d09c14addc
-
Filesize
56KB
MD590e6eef4ded5d6508765975aa3b8ef70
SHA18e77aa2d6560963a4e69751074f75831ba9c436a
SHA256856cc5ad108ebb8fe06eee8ccc40cda879b1aa8f84ec4a2308f57a63488b3493
SHA512e9c8df23ddade81d2ef5e04217cea0089bdc9462607d95a4743601a5c115d5e2713e21e1f031596022e9a75ed921b7f95021aca49859f194e5104269566d3833