Analysis Overview
SHA256: f39cfb5d0040702c8448b40ca09b0324a1061635fb9319b715a53272a25303d0
Threat Level: Shows suspicious behavior
The file 76166d37e7a3badba6d76ea34523387c_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
UPX packed file
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-10-27 21:44
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-10-27 21:44
Reported: 2024-10-27 21:47
Platform: win7-20240903-en
Max time kernel: 141s
Max time network: 119s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\76166d37e7a3badba6d76ea34523387c_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\76166d37e7a3badba6d76ea34523387c_JaffaCakes118.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\76166d37e7a3badba6d76ea34523387c_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\76166d37e7a3badba6d76ea34523387c_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1304 wrote to memory of 2312 | N/A | C:\Users\Admin\AppData\Local\Temp\76166d37e7a3badba6d76ea34523387c_JaffaCakes118.exe | C:\Windows\CTS.exe |
| PID 1304 wrote to memory of 2312 | N/A | C:\Users\Admin\AppData\Local\Temp\76166d37e7a3badba6d76ea34523387c_JaffaCakes118.exe | C:\Windows\CTS.exe |
| PID 1304 wrote to memory of 2312 | N/A | C:\Users\Admin\AppData\Local\Temp\76166d37e7a3badba6d76ea34523387c_JaffaCakes118.exe | C:\Windows\CTS.exe |
| PID 1304 wrote to memory of 2312 | N/A | C:\Users\Admin\AppData\Local\Temp\76166d37e7a3badba6d76ea34523387c_JaffaCakes118.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\76166d37e7a3badba6d76ea34523387c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\76166d37e7a3badba6d76ea34523387c_JaffaCakes118.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
Files
memory/1304-0-0x0000000000EF0000-0x0000000000F07000-memory.dmp
memory/1304-9-0x0000000000EF0000-0x0000000000F07000-memory.dmp
C:\Windows\CTS.exe
| Hash | Value |
| --- | --- |
| MD5 | 70aa23c9229741a9b52e5ce388a883ac |
| SHA1 | b42683e21e13de3f71db26635954d992ebe7119e |
| SHA256 | 9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2 |
| SHA512 | be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5 |
memory/2312-11-0x0000000000970000-0x0000000000987000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WweL4JgRmqb5wYU.exe
| Hash | Value |
| --- | --- |
| MD5 | ce588e92dce6e8c19473387839cce2cf |
| SHA1 | f9ae16a3f4ffc693aa6ddccd45c0f40b6e5b90c6 |
| SHA256 | b25a763f95c610e123848bc2d176e3f9978be5d6583d8fba2a663e3180f9d92b |
| SHA512 | a10a26e22ba7c0d7da7b9a95393e965dd5fdb5502f5aefb67a9ed07c50bf06c861a82569307002276443e5343ce2d161b438e9fb6d705ccdef81495f9ed37298 |
memory/2312-16-0x0000000000970000-0x0000000000987000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted: 2024-10-27 21:44
Reported: 2024-10-27 21:47
Platform: win10v2004-20241007-en
Max time kernel: 140s
Max time network: 147s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\76166d37e7a3badba6d76ea34523387c_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\76166d37e7a3badba6d76ea34523387c_JaffaCakes118.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\76166d37e7a3badba6d76ea34523387c_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\76166d37e7a3badba6d76ea34523387c_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4444 wrote to memory of 3696 | N/A | C:\Users\Admin\AppData\Local\Temp\76166d37e7a3badba6d76ea34523387c_JaffaCakes118.exe | C:\Windows\CTS.exe |
| PID 4444 wrote to memory of 3696 | N/A | C:\Users\Admin\AppData\Local\Temp\76166d37e7a3badba6d76ea34523387c_JaffaCakes118.exe | C:\Windows\CTS.exe |
| PID 4444 wrote to memory of 3696 | N/A | C:\Users\Admin\AppData\Local\Temp\76166d37e7a3badba6d76ea34523387c_JaffaCakes118.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\76166d37e7a3badba6d76ea34523387c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\76166d37e7a3badba6d76ea34523387c_JaffaCakes118.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
memory/4444-0-0x0000000000130000-0x0000000000147000-memory.dmp
C:\Windows\CTS.exe
| Hash | Value |
| --- | --- |
| MD5 | 70aa23c9229741a9b52e5ce388a883ac |
| SHA1 | b42683e21e13de3f71db26635954d992ebe7119e |
| SHA256 | 9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2 |
| SHA512 | be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5 |
memory/4444-10-0x0000000000130000-0x0000000000147000-memory.dmp
memory/3696-7-0x0000000000E90000-0x0000000000EA7000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| Hash | Value |
| --- | --- |
| MD5 | baa5785dde87f0dd77bcf6d5ce76e7d5 |
| SHA1 | 8a6f08dcb77b1ea00926bf0d55b780a5670fa9f2 |
| SHA256 | f8a1ed34e6138d46515186a93d9c1d4219339b42bf5d6f445122ed781734665f |
| SHA512 | cfb2a544de2795312149222615db55f80be1d2a21c5326f1e302384585b2c4abd8adec8cafa41bee919cf73dcc3172640d42d31a8722758e55a7a80502b235e8 |
C:\Users\Admin\AppData\Local\Temp\4fSDn5kIWh0PXdO.exe
| Hash | Value |
| --- | --- |
| MD5 | 49975084a3c672676f32c31484719cae |
| SHA1 | ca431b59243b38ebaec43f27dc09fbf47a182f65 |
| SHA256 | 4b8550a25e8b08d7ac841e6c0f623dae107240c68c6a9cdb49f032b4677ed1de |
| SHA512 | e7619d62b42c85718373f4a2347ef6449633023b435d055f983bdccf44be7ee942a5b49c1c5f122c40274611eb2c18838a957a15ad5a87151aba778bc7e12d4a |
memory/3696-33-0x0000000000E90000-0x0000000000EA7000-memory.dmp