Analysis Overview
SHA256
ead1a58aeaa2195ea7d87cf2d6191b766bc0d5106f1d5307e3911625a626c884
Threat Level: Shows suspicious behavior
The file 66312bcc3e6c0623db30ef083f269538_JaffaCakes118 was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
UPX packed file
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-21 08:49
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-21 08:49
Reported
2024-10-21 08:51
Platform
win7-20240903-en
Max time kernel
141s
Max time network
123s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\66312bcc3e6c0623db30ef083f269538_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\66312bcc3e6c0623db30ef083f269538_JaffaCakes118.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\66312bcc3e6c0623db30ef083f269538_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\66312bcc3e6c0623db30ef083f269538_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2688 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\66312bcc3e6c0623db30ef083f269538_JaffaCakes118.exe | C:\Windows\CTS.exe |
| PID 2688 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\66312bcc3e6c0623db30ef083f269538_JaffaCakes118.exe | C:\Windows\CTS.exe |
| PID 2688 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\66312bcc3e6c0623db30ef083f269538_JaffaCakes118.exe | C:\Windows\CTS.exe |
| PID 2688 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\66312bcc3e6c0623db30ef083f269538_JaffaCakes118.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\66312bcc3e6c0623db30ef083f269538_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\66312bcc3e6c0623db30ef083f269538_JaffaCakes118.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
Files
memory/2688-0-0x0000000000930000-0x0000000000947000-memory.dmp
C:\Windows\CTS.exe
| MD5 | 90e6eef4ded5d6508765975aa3b8ef70 |
| SHA1 | 8e77aa2d6560963a4e69751074f75831ba9c436a |
| SHA256 | 856cc5ad108ebb8fe06eee8ccc40cda879b1aa8f84ec4a2308f57a63488b3493 |
| SHA512 | e9c8df23ddade81d2ef5e04217cea0089bdc9462607d95a4743601a5c115d5e2713e21e1f031596022e9a75ed921b7f95021aca49859f194e5104269566d3833 |
memory/2748-11-0x0000000001330000-0x0000000001347000-memory.dmp
memory/2688-9-0x0000000000930000-0x0000000000947000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ub26NtpgayAqTiR.exe
| MD5 | 56a03d95c1f047dbb64cf6bdeb931d4e |
| SHA1 | 769ab6ff3a4006814469964664c6422f88dfed54 |
| SHA256 | a8237a9f16af81d6b21ee7b585db306bc1b939025653d21842c2ab20f68332d0 |
| SHA512 | d752aeeb12a302d0f2faf4261fc7180389d520586090ae9d27834ca44296be5c746843f9c5364c117652c30e887e5a0e4ac254f63475e807566acd5a7921c259 |
memory/2748-16-0x0000000001330000-0x0000000001347000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-21 08:49
Reported
2024-10-21 08:51
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\66312bcc3e6c0623db30ef083f269538_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\66312bcc3e6c0623db30ef083f269538_JaffaCakes118.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\CTS.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\66312bcc3e6c0623db30ef083f269538_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\66312bcc3e6c0623db30ef083f269538_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2212 wrote to memory of 3660 | N/A | C:\Users\Admin\AppData\Local\Temp\66312bcc3e6c0623db30ef083f269538_JaffaCakes118.exe | C:\Windows\CTS.exe |
| PID 2212 wrote to memory of 3660 | N/A | C:\Users\Admin\AppData\Local\Temp\66312bcc3e6c0623db30ef083f269538_JaffaCakes118.exe | C:\Windows\CTS.exe |
| PID 2212 wrote to memory of 3660 | N/A | C:\Users\Admin\AppData\Local\Temp\66312bcc3e6c0623db30ef083f269538_JaffaCakes118.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\66312bcc3e6c0623db30ef083f269538_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\66312bcc3e6c0623db30ef083f269538_JaffaCakes118.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
memory/2212-0-0x0000000000970000-0x0000000000987000-memory.dmp
C:\Windows\CTS.exe
| MD5 | 90e6eef4ded5d6508765975aa3b8ef70 |
| SHA1 | 8e77aa2d6560963a4e69751074f75831ba9c436a |
| SHA256 | 856cc5ad108ebb8fe06eee8ccc40cda879b1aa8f84ec4a2308f57a63488b3493 |
| SHA512 | e9c8df23ddade81d2ef5e04217cea0089bdc9462607d95a4743601a5c115d5e2713e21e1f031596022e9a75ed921b7f95021aca49859f194e5104269566d3833 |
memory/3660-8-0x0000000000D20000-0x0000000000D37000-memory.dmp
memory/2212-7-0x0000000000970000-0x0000000000987000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| MD5 | a739ccac9f1a044074003e167e25c6ad |
| SHA1 | a055742a3774e84b03837947474905c89e958e72 |
| SHA256 | 591c0d8e21bfd394912dff2f1f77e8559e402197df99416a15371c640ce45d60 |
| SHA512 | 1eef49bdea5314cf341df0c9e0ce5cfc75f6ea75c79fb7c802788d90413aa9ee281fbe55cfe0a408a8d852085db4b2a57e58463a16ef4532055a0dea92fc3f3d |
C:\Users\Admin\AppData\Local\Temp\tAPQaXyllEVaBt5.exe
| MD5 | c956347ae933d03eb4b1d2faa6d98607 |
| SHA1 | 2173ad48ed5e7cb86cac7b9350584e4dc0436ad7 |
| SHA256 | c1fb1901ab77525660dfd6b9ba2f92f47903d19861420f5c68d8a230ebd40991 |
| SHA512 | 5c110f74f181a22c185532d7ad877fb39abc08b0de23de17d90be242e483c2183e4f5dedb173133c6e287869e75369f4c9c85f35eb35bebb432804d09c14addc |
memory/3660-31-0x0000000000D20000-0x0000000000D37000-memory.dmp