Malware Analysis Report

2025-08-11 01:16

Sample ID: 241021-kq8g5axcrb
Target: 66312bcc3e6c0623db30ef083f269538_JaffaCakes118
SHA256: ead1a58aeaa2195ea7d87cf2d6191b766bc0d5106f1d5307e3911625a626c884
Tags: upx, discovery, persistence, spyware, stealer
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256: ead1a58aeaa2195ea7d87cf2d6191b766bc0d5106f1d5307e3911625a626c884

Threat Level: Shows suspicious behavior

The file 66312bcc3e6c0623db30ef083f269538_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Tags: upx, discovery, persistence, spyware, stealer

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

UPX packed file

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-21 08:49

Signatures

UPX packed file (upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-21 08:49

Reported: 2024-10-21 08:51

Platform: win7-20240903-en

Max time kernel: 141s

Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\66312bcc3e6c0623db30ef083f269538_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers (spyware, stealer)

Adds Run key to start application (persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\66312bcc3e6c0623db30ef083f269538_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

UPX packed file (upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\66312bcc3e6c0623db30ef083f269538_JaffaCakes118.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

System Location Discovery: System Language Discovery (discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\66312bcc3e6c0623db30ef083f269538_JaffaCakes118.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\66312bcc3e6c0623db30ef083f269538_JaffaCakes118.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\66312bcc3e6c0623db30ef083f269538_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\66312bcc3e6c0623db30ef083f269538_JaffaCakes118.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

memory/2688-0-0x0000000000930000-0x0000000000947000-memory.dmp

C:\Windows\CTS.exe

MD5 90e6eef4ded5d6508765975aa3b8ef70
SHA1 8e77aa2d6560963a4e69751074f75831ba9c436a
SHA256 856cc5ad108ebb8fe06eee8ccc40cda879b1aa8f84ec4a2308f57a63488b3493
SHA512 e9c8df23ddade81d2ef5e04217cea0089bdc9462607d95a4743601a5c115d5e2713e21e1f031596022e9a75ed921b7f95021aca49859f194e5104269566d3833

memory/2748-11-0x0000000001330000-0x0000000001347000-memory.dmp

memory/2688-9-0x0000000000930000-0x0000000000947000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ub26NtpgayAqTiR.exe

MD5 56a03d95c1f047dbb64cf6bdeb931d4e
SHA1 769ab6ff3a4006814469964664c6422f88dfed54
SHA256 a8237a9f16af81d6b21ee7b585db306bc1b939025653d21842c2ab20f68332d0
SHA512 d752aeeb12a302d0f2faf4261fc7180389d520586090ae9d27834ca44296be5c746843f9c5364c117652c30e887e5a0e4ac254f63475e807566acd5a7921c259

memory/2748-16-0x0000000001330000-0x0000000001347000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-21 08:49

Reported: 2024-10-21 08:51

Platform: win10v2004-20241007-en

Max time kernel: 148s

Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\66312bcc3e6c0623db30ef083f269538_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\CTS.exe | N/A

Reads user/profile data of web browsers (spyware, stealer)

Adds Run key to start application (persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\66312bcc3e6c0623db30ef083f269538_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

UPX packed file (upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\66312bcc3e6c0623db30ef083f269538_JaffaCakes118.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

System Location Discovery: System Language Discovery (discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\CTS.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\66312bcc3e6c0623db30ef083f269538_JaffaCakes118.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\66312bcc3e6c0623db30ef083f269538_JaffaCakes118.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\66312bcc3e6c0623db30ef083f269538_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\66312bcc3e6c0623db30ef083f269538_JaffaCakes118.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 98.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp

Files

memory/2212-0-0x0000000000970000-0x0000000000987000-memory.dmp

C:\Windows\CTS.exe

MD5 90e6eef4ded5d6508765975aa3b8ef70
SHA1 8e77aa2d6560963a4e69751074f75831ba9c436a
SHA256 856cc5ad108ebb8fe06eee8ccc40cda879b1aa8f84ec4a2308f57a63488b3493
SHA512 e9c8df23ddade81d2ef5e04217cea0089bdc9462607d95a4743601a5c115d5e2713e21e1f031596022e9a75ed921b7f95021aca49859f194e5104269566d3833

memory/3660-8-0x0000000000D20000-0x0000000000D37000-memory.dmp

memory/2212-7-0x0000000000970000-0x0000000000987000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 a739ccac9f1a044074003e167e25c6ad
SHA1 a055742a3774e84b03837947474905c89e958e72
SHA256 591c0d8e21bfd394912dff2f1f77e8559e402197df99416a15371c640ce45d60
SHA512 1eef49bdea5314cf341df0c9e0ce5cfc75f6ea75c79fb7c802788d90413aa9ee281fbe55cfe0a408a8d852085db4b2a57e58463a16ef4532055a0dea92fc3f3d

C:\Users\Admin\AppData\Local\Temp\tAPQaXyllEVaBt5.exe

MD5 c956347ae933d03eb4b1d2faa6d98607
SHA1 2173ad48ed5e7cb86cac7b9350584e4dc0436ad7
SHA256 c1fb1901ab77525660dfd6b9ba2f92f47903d19861420f5c68d8a230ebd40991
SHA512 5c110f74f181a22c185532d7ad877fb39abc08b0de23de17d90be242e483c2183e4f5dedb173133c6e287869e75369f4c9c85f35eb35bebb432804d09c14addc

memory/3660-31-0x0000000000D20000-0x0000000000D37000-memory.dmp