Malware Analysis Report

2025-03-15 04:33

Sample ID: 241027-1lzbna1jgp
Target: 76166d37e7a3badba6d76ea34523387c_JaffaCakes118
SHA256: f39cfb5d0040702c8448b40ca09b0324a1061635fb9319b715a53272a25303d0
Tags: upx, discovery, persistence, spyware, stealer
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10

SHA256: f39cfb5d0040702c8448b40ca09b0324a1061635fb9319b715a53272a25303d0

Threat Level: Shows suspicious behavior

The file 76166d37e7a3badba6d76ea34523387c_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Tags: upx, discovery, persistence, spyware, stealer

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

UPX packed file

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-27 21:44

Signatures

UPX packed file (upx)

  Description: N/A
  Indicator:   N/A
  Process:     N/A
  Target:      N/A

Unsigned PE

  Description: N/A
  Indicator:   N/A
  Process:     N/A
  Target:      N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-27 21:44
Reported: 2024-10-27 21:47
Platform: win7-20240903-en
Max time kernel: 141s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\76166d37e7a3badba6d76ea34523387c_JaffaCakes118.exe"

Signatures

Executes dropped EXE

  Description: N/A
  Indicator:   N/A
  Process:     C:\Windows\CTS.exe
  Target:      N/A

Reads user/profile data of web browsers (spyware, stealer)

Adds Run key to start application (persistence)

  Description: Set value (str)
  Indicator:   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"
  Process:     C:\Users\Admin\AppData\Local\Temp\76166d37e7a3badba6d76ea34523387c_JaffaCakes118.exe
  Target:      N/A

  Description: Set value (str)
  Indicator:   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"
  Process:     C:\Windows\CTS.exe
  Target:      N/A

UPX packed file (upx)

  6 matches; Description, Indicator, Process and Target are N/A for every match.

Drops file in Windows directory

  Description: File created
  Indicator:   C:\Windows\CTS.exe
  Process:     C:\Windows\CTS.exe
  Target:      N/A

  Description: File created
  Indicator:   C:\Windows\CTS.exe
  Process:     C:\Users\Admin\AppData\Local\Temp\76166d37e7a3badba6d76ea34523387c_JaffaCakes118.exe
  Target:      N/A

System Location Discovery: System Language Discovery (discovery)

  Description: Key opened
  Indicator:   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process:     C:\Users\Admin\AppData\Local\Temp\76166d37e7a3badba6d76ea34523387c_JaffaCakes118.exe
  Target:      N/A

Suspicious use of AdjustPrivilegeToken

  Description: Token: SeDebugPrivilege
  Indicator:   N/A
  Process:     C:\Users\Admin\AppData\Local\Temp\76166d37e7a3badba6d76ea34523387c_JaffaCakes118.exe
  Target:      N/A

  Description: Token: SeDebugPrivilege
  Indicator:   N/A
  Process:     C:\Windows\CTS.exe
  Target:      N/A

Processes

C:\Users\Admin\AppData\Local\Temp\76166d37e7a3badba6d76ea34523387c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\76166d37e7a3badba6d76ea34523387c_JaffaCakes118.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

N/A

Files

memory/1304-0-0x0000000000EF0000-0x0000000000F07000-memory.dmp

memory/1304-9-0x0000000000EF0000-0x0000000000F07000-memory.dmp

C:\Windows\CTS.exe

MD5 70aa23c9229741a9b52e5ce388a883ac
SHA1 b42683e21e13de3f71db26635954d992ebe7119e
SHA256 9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2
SHA512 be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5

memory/2312-11-0x0000000000970000-0x0000000000987000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WweL4JgRmqb5wYU.exe

MD5 ce588e92dce6e8c19473387839cce2cf
SHA1 f9ae16a3f4ffc693aa6ddccd45c0f40b6e5b90c6
SHA256 b25a763f95c610e123848bc2d176e3f9978be5d6583d8fba2a663e3180f9d92b
SHA512 a10a26e22ba7c0d7da7b9a95393e965dd5fdb5502f5aefb67a9ed07c50bf06c861a82569307002276443e5343ce2d161b438e9fb6d705ccdef81495f9ed37298

memory/2312-16-0x0000000000970000-0x0000000000987000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-27 21:44
Reported: 2024-10-27 21:47
Platform: win10v2004-20241007-en
Max time kernel: 140s
Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\76166d37e7a3badba6d76ea34523387c_JaffaCakes118.exe"

Signatures

Executes dropped EXE

  Description: N/A
  Indicator:   N/A
  Process:     C:\Windows\CTS.exe
  Target:      N/A

Reads user/profile data of web browsers (spyware, stealer)

Adds Run key to start application (persistence)

  Description: Set value (str)
  Indicator:   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"
  Process:     C:\Windows\CTS.exe
  Target:      N/A

  Description: Set value (str)
  Indicator:   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"
  Process:     C:\Users\Admin\AppData\Local\Temp\76166d37e7a3badba6d76ea34523387c_JaffaCakes118.exe
  Target:      N/A

UPX packed file (upx)

  7 matches; Description, Indicator, Process and Target are N/A for every match.

Drops file in Windows directory

  Description: File created
  Indicator:   C:\Windows\CTS.exe
  Process:     C:\Users\Admin\AppData\Local\Temp\76166d37e7a3badba6d76ea34523387c_JaffaCakes118.exe
  Target:      N/A

  Description: File created
  Indicator:   C:\Windows\CTS.exe
  Process:     C:\Windows\CTS.exe
  Target:      N/A

System Location Discovery: System Language Discovery (discovery)

  Description: Key opened
  Indicator:   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process:     C:\Users\Admin\AppData\Local\Temp\76166d37e7a3badba6d76ea34523387c_JaffaCakes118.exe
  Target:      N/A

  Description: Key opened
  Indicator:   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process:     C:\Windows\CTS.exe
  Target:      N/A

Suspicious use of AdjustPrivilegeToken

  Description: Token: SeDebugPrivilege
  Indicator:   N/A
  Process:     C:\Users\Admin\AppData\Local\Temp\76166d37e7a3badba6d76ea34523387c_JaffaCakes118.exe
  Target:      N/A

  Description: Token: SeDebugPrivilege
  Indicator:   N/A
  Process:     C:\Windows\CTS.exe
  Target:      N/A

Processes

C:\Users\Admin\AppData\Local\Temp\76166d37e7a3badba6d76ea34523387c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\76166d37e7a3badba6d76ea34523387c_JaffaCakes118.exe"

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

Network

Country  Destination         Domain                        Proto
US       8.8.8.8:53          8.8.8.8.in-addr.arpa          udp
US       8.8.8.8:53          196.249.167.52.in-addr.arpa   udp
US       8.8.8.8:53          g.bing.com                    udp
US       150.171.27.10:443   g.bing.com                    tcp
US       8.8.8.8:53          95.221.229.192.in-addr.arpa   udp
US       8.8.8.8:53          105.209.201.84.in-addr.arpa   udp
US       8.8.8.8:53          228.249.119.40.in-addr.arpa   udp
US       8.8.8.8:53          56.163.245.4.in-addr.arpa     udp
US       8.8.8.8:53          171.39.242.20.in-addr.arpa    udp
US       8.8.8.8:53          0.205.248.87.in-addr.arpa     udp
US       8.8.8.8:53          66.209.201.84.in-addr.arpa    udp
US       8.8.8.8:53          11.227.111.52.in-addr.arpa    udp
US       8.8.8.8:53          tse1.mm.bing.net              udp
US       150.171.27.10:443   tse1.mm.bing.net              tcp
US       150.171.27.10:443   tse1.mm.bing.net              tcp
US       150.171.27.10:443   tse1.mm.bing.net              tcp
US       150.171.27.10:443   tse1.mm.bing.net              tcp
US       150.171.27.10:443   tse1.mm.bing.net              tcp

Files

memory/4444-0-0x0000000000130000-0x0000000000147000-memory.dmp

C:\Windows\CTS.exe

MD5 70aa23c9229741a9b52e5ce388a883ac
SHA1 b42683e21e13de3f71db26635954d992ebe7119e
SHA256 9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2
SHA512 be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5

memory/4444-10-0x0000000000130000-0x0000000000147000-memory.dmp

memory/3696-7-0x0000000000E90000-0x0000000000EA7000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 baa5785dde87f0dd77bcf6d5ce76e7d5
SHA1 8a6f08dcb77b1ea00926bf0d55b780a5670fa9f2
SHA256 f8a1ed34e6138d46515186a93d9c1d4219339b42bf5d6f445122ed781734665f
SHA512 cfb2a544de2795312149222615db55f80be1d2a21c5326f1e302384585b2c4abd8adec8cafa41bee919cf73dcc3172640d42d31a8722758e55a7a80502b235e8

C:\Users\Admin\AppData\Local\Temp\4fSDn5kIWh0PXdO.exe

MD5 49975084a3c672676f32c31484719cae
SHA1 ca431b59243b38ebaec43f27dc09fbf47a182f65
SHA256 4b8550a25e8b08d7ac841e6c0f623dae107240c68c6a9cdb49f032b4677ed1de
SHA512 e7619d62b42c85718373f4a2347ef6449633023b435d055f983bdccf44be7ee942a5b49c1c5f122c40274611eb2c18838a957a15ad5a87151aba778bc7e12d4a

memory/3696-33-0x0000000000E90000-0x0000000000EA7000-memory.dmp