Analysis Overview
SHA256: b25e78b7a0a2d6a2c1b05b124af2ab7b3b1cf3069ec34a776c0f6258629285c0
Threat Level: Shows suspicious behavior
The file JaffaCakes118_1c79c7b80046edfd2f9aa34d8cc5e3ac was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
UPX packed file
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported: 2025-07-04 18:23
Signatures
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2025-07-04 18:23
Reported: 2025-07-04 18:26
Platform: win10v2004-20250610-en
Max time kernel: 140s
Max time network: 137s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lV6i3HwaqVh0Lwv.exe | N/A |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c79c7b80046edfd2f9aa34d8cc5e3ac.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c79c7b80046edfd2f9aa34d8cc5e3ac.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c79c7b80046edfd2f9aa34d8cc5e3ac.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\CTS.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\shell\open\command | C:\Users\Admin\AppData\Local\Temp\lV6i3HwaqVh0Lwv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\shell | C:\Users\Admin\AppData\Local\Temp\lV6i3HwaqVh0Lwv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\shell\open | C:\Users\Admin\AppData\Local\Temp\lV6i3HwaqVh0Lwv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LV6I3H~1.EXE \"%1\"" | C:\Users\Admin\AppData\Local\Temp\lV6i3HwaqVh0Lwv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.GRF | C:\Users\Admin\AppData\Local\Temp\lV6i3HwaqVh0Lwv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.GRF\ = "GraphEdtGraph" | C:\Users\Admin\AppData\Local\Temp\lV6i3HwaqVh0Lwv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph | C:\Users\Admin\AppData\Local\Temp\lV6i3HwaqVh0Lwv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\ = "Filter Graph" | C:\Users\Admin\AppData\Local\Temp\lV6i3HwaqVh0Lwv.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c79c7b80046edfd2f9aa34d8cc5e3ac.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lV6i3HwaqVh0Lwv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lV6i3HwaqVh0Lwv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c79c7b80046edfd2f9aa34d8cc5e3ac.exe | "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c79c7b80046edfd2f9aa34d8cc5e3ac.exe" |
| C:\Users\Admin\AppData\Local\Temp\lV6i3HwaqVh0Lwv.exe | C:\Users\Admin\AppData\Local\Temp\lV6i3HwaqVh0Lwv.exe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Windows\CTS.exe |
| C:\Windows\CTS.exe | "C:\Windows\CTS.exe" |
| C:\Windows\CTS.exe | C:\Windows\CTS.exe |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| GB | 2.18.27.76:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
memory/4044-0-0x0000000000830000-0x0000000000847000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\lV6i3HwaqVh0Lwv.exe
| Hash | Value |
|---|---|
| MD5 | 880e155f8f47fb0db7b2080e71d59568 |
| SHA1 | 2ed0c0f809765bbabd8c7d4f58e9a0bacf2bb629 |
| SHA256 | 6011cd7d1a314d109bc0755d17be2e7812b2f5542ec24f3f3023532c1e8a1d44 |
| SHA512 | 70977d36b8ec8c271c5ffd3303677743a2626196bb62af5d817e86a7eeed972bbb70acdd81508f7b4ee1da366ce02cd96a8d0e6f11627842f195cfd0c53a5bec |
memory/1176-9-0x0000000000A30000-0x0000000000A47000-memory.dmp
C:\Windows\CTS.exe
| Hash | Value |
|---|---|
| MD5 | 70aa23c9229741a9b52e5ce388a883ac |
| SHA1 | b42683e21e13de3f71db26635954d992ebe7119e |
| SHA256 | 9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2 |
| SHA512 | be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5 |
memory/4044-11-0x0000000000830000-0x0000000000847000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| Hash | Value |
|---|---|
| MD5 | 3f8b4a5fd89c36689cc8881b45b07657 |
| SHA1 | a9cf3cfef6c0e8fba838ce1a87b5931d703e7438 |
| SHA256 | 23fde330196234a26df9bb95e1f3b308947809945e67ed3099ba1b55ff46c15c |
| SHA512 | 1d69515aad2cae5ce39d56c76ca04b93cdb20726ed6e9a5cbbfa5b43455b62026bed65d6cb955dbd5f47f9f352267ef191d62d4392349ac64f4e568a8037f723 |
memory/3752-28-0x0000000000A30000-0x0000000000A47000-memory.dmp
memory/3752-32-0x0000000000A30000-0x0000000000A47000-memory.dmp