Analysis
max time kernel: 140s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20250610-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250610-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/07/2025, 18:23
Behavioral task: behavioral1
Sample: JaffaCakes118_1c79c7b80046edfd2f9aa34d8cc5e3ac.exe
Resource: win10v2004-20250610-en
General
Target: JaffaCakes118_1c79c7b80046edfd2f9aa34d8cc5e3ac.exe
Size: 318KB
MD5: 1c79c7b80046edfd2f9aa34d8cc5e3ac
SHA1: aa96ff1a8d21279e95b818305c98c3ce737322c6
SHA256: b25e78b7a0a2d6a2c1b05b124af2ab7b3b1cf3069ec34a776c0f6258629285c0
SHA512: ceabf507da727034cedb603e348d06f2a1e1d4e41fcde7399210b549cc348156bb0c558e4f3a0497edb77729a2f8df733bedac6a2c721cbe5f5db7a4b049c19e
SSDEEP: 6144:hGGodWX6+PAw56Wqe+WPF4ByS+Iw7joBBpi0SROTHEchvgNAQ3crI:hiU6+PA+jQ+Iw7jsBMO4ch4ND3cE
Signatures
Executes dropped EXE (3 IoCs)
  pid   Process
  636   lV6i3HwaqVh0Lwv.exe
  1176  CTS.exe
  3752  CTS.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 3 IoCs)
  description / ioc / Process
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" (Process: JaffaCakes118_1c79c7b80046edfd2f9aa34d8cc5e3ac.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" (Process: CTS.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" (Process: CTS.exe)
  resource / yara_rule
  - behavioral1/memory/4044-0-0x0000000000830000-0x0000000000847000-memory.dmp (yara_rule: upx)
  - behavioral1/memory/1176-9-0x0000000000A30000-0x0000000000A47000-memory.dmp (yara_rule: upx)
  - behavioral1/files/0x0007000000024277-8.dat (yara_rule: upx)
  - behavioral1/memory/4044-11-0x0000000000830000-0x0000000000847000-memory.dmp (yara_rule: upx)
  - behavioral1/files/0x0005000000021594-14.dat (yara_rule: upx)
  - behavioral1/memory/3752-28-0x0000000000A30000-0x0000000000A47000-memory.dmp (yara_rule: upx)
  - behavioral1/memory/3752-32-0x0000000000A30000-0x0000000000A47000-memory.dmp (yara_rule: upx)
Drops file in Windows directory (3 IoCs)
  description / ioc / Process
  - File created: C:\Windows\CTS.exe (Process: JaffaCakes118_1c79c7b80046edfd2f9aa34d8cc5e3ac.exe)
  - File created: C:\Windows\CTS.exe (Process: CTS.exe)
  - File created: C:\Windows\CTS.exe (Process: CTS.exe)
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: JaffaCakes118_1c79c7b80046edfd2f9aa34d8cc5e3ac.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: CTS.exe)
Modifies registry class (8 IoCs)
  description / ioc / Process (all by lV6i3HwaqVh0Lwv.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\shell\open\command
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\shell
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\shell\open
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LV6I3H~1.EXE \"%1\""
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.GRF
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.GRF\ = "GraphEdtGraph"
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\ = "Filter Graph"
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description / pid / Process
  - Token: SeDebugPrivilege (pid 4044, JaffaCakes118_1c79c7b80046edfd2f9aa34d8cc5e3ac.exe)
  - Token: SeDebugPrivilege (pid 1176, CTS.exe)
  - Token: SeDebugPrivilege (pid 3752, CTS.exe)
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  636   lV6i3HwaqVh0Lwv.exe
  636   lV6i3HwaqVh0Lwv.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  description / pid / Process / procid_target
  - PID 4044 wrote to memory of 636 (pid 4044, JaffaCakes118_1c79c7b80046edfd2f9aa34d8cc5e3ac.exe, procid_target 86)
  - PID 4044 wrote to memory of 636 (pid 4044, JaffaCakes118_1c79c7b80046edfd2f9aa34d8cc5e3ac.exe, procid_target 86)
  - PID 4044 wrote to memory of 1176 (pid 4044, JaffaCakes118_1c79c7b80046edfd2f9aa34d8cc5e3ac.exe, procid_target 88)
  - PID 4044 wrote to memory of 1176 (pid 4044, JaffaCakes118_1c79c7b80046edfd2f9aa34d8cc5e3ac.exe, procid_target 88)
  - PID 4044 wrote to memory of 1176 (pid 4044, JaffaCakes118_1c79c7b80046edfd2f9aa34d8cc5e3ac.exe, procid_target 88)
  - PID 1168 wrote to memory of 3752 (pid 1168, cmd.exe, procid_target 90)
  - PID 1168 wrote to memory of 3752 (pid 1168, cmd.exe, procid_target 90)
  - PID 1168 wrote to memory of 3752 (pid 1168, cmd.exe, procid_target 90)
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c79c7b80046edfd2f9aa34d8cc5e3ac.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c79c7b80046edfd2f9aa34d8cc5e3ac.exe"
  PID: 4044
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child: C:\Users\Admin\AppData\Local\Temp\lV6i3HwaqVh0Lwv.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\lV6i3HwaqVh0Lwv.exe
    PID: 636
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
  Child: C:\Windows\CTS.exe
    Command line: "C:\Windows\CTS.exe"
    PID: 1176
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Windows\CTS.exe
  PID: 1168
  - Suspicious use of WriteProcessMemory
  Child: C:\Windows\CTS.exe
    Command line: C:\Windows\CTS.exe
    PID: 3752
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Enterprise v16
Downloads