Analysis

  • max time kernel
    140s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250610-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250610-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/07/2025, 18:23

General

  • Target

    JaffaCakes118_1c79c7b80046edfd2f9aa34d8cc5e3ac.exe

  • Size

    318KB

  • MD5

    1c79c7b80046edfd2f9aa34d8cc5e3ac

  • SHA1

    aa96ff1a8d21279e95b818305c98c3ce737322c6

  • SHA256

    b25e78b7a0a2d6a2c1b05b124af2ab7b3b1cf3069ec34a776c0f6258629285c0

  • SHA512

    ceabf507da727034cedb603e348d06f2a1e1d4e41fcde7399210b549cc348156bb0c558e4f3a0497edb77729a2f8df733bedac6a2c721cbe5f5db7a4b049c19e

  • SSDEEP

    6144:hGGodWX6+PAw56Wqe+WPF4ByS+Iw7joBBpi0SROTHEchvgNAQ3crI:hiU6+PA+jQ+Iw7jsBMO4ch4ND3cE

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 3 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c79c7b80046edfd2f9aa34d8cc5e3ac.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c79c7b80046edfd2f9aa34d8cc5e3ac.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4044
    • C:\Users\Admin\AppData\Local\Temp\lV6i3HwaqVh0Lwv.exe
      C:\Users\Admin\AppData\Local\Temp\lV6i3HwaqVh0Lwv.exe
      2⤵
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:636
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1176
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\CTS.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1168
    • C:\Windows\CTS.exe
      C:\Windows\CTS.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:3752

Network

        MITRE ATT&CK Enterprise v16

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

          Filesize

          31KB

          MD5

          3f8b4a5fd89c36689cc8881b45b07657

          SHA1

          a9cf3cfef6c0e8fba838ce1a87b5931d703e7438

          SHA256

          23fde330196234a26df9bb95e1f3b308947809945e67ed3099ba1b55ff46c15c

          SHA512

          1d69515aad2cae5ce39d56c76ca04b93cdb20726ed6e9a5cbbfa5b43455b62026bed65d6cb955dbd5f47f9f352267ef191d62d4392349ac64f4e568a8037f723

        • C:\Users\Admin\AppData\Local\Temp\lV6i3HwaqVh0Lwv.exe

          Filesize

          288KB

          MD5

          880e155f8f47fb0db7b2080e71d59568

          SHA1

          2ed0c0f809765bbabd8c7d4f58e9a0bacf2bb629

          SHA256

          6011cd7d1a314d109bc0755d17be2e7812b2f5542ec24f3f3023532c1e8a1d44

          SHA512

          70977d36b8ec8c271c5ffd3303677743a2626196bb62af5d817e86a7eeed972bbb70acdd81508f7b4ee1da366ce02cd96a8d0e6f11627842f195cfd0c53a5bec

        • C:\Windows\CTS.exe

          Filesize

          29KB

          MD5

          70aa23c9229741a9b52e5ce388a883ac

          SHA1

          b42683e21e13de3f71db26635954d992ebe7119e

          SHA256

          9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2

          SHA512

          be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5

        • memory/1176-9-0x0000000000A30000-0x0000000000A47000-memory.dmp

          Filesize

          92KB

        • memory/3752-28-0x0000000000A30000-0x0000000000A47000-memory.dmp

          Filesize

          92KB

        • memory/3752-32-0x0000000000A30000-0x0000000000A47000-memory.dmp

          Filesize

          92KB

        • memory/4044-0-0x0000000000830000-0x0000000000847000-memory.dmp

          Filesize

          92KB

        • memory/4044-11-0x0000000000830000-0x0000000000847000-memory.dmp

          Filesize

          92KB