Malware Analysis Report

2025-08-05 14:55

Sample ID: 250704-w1xn6adq81
Target: JaffaCakes118_1c79c7b80046edfd2f9aa34d8cc5e3ac
SHA256: b25e78b7a0a2d6a2c1b05b124af2ab7b3b1cf3069ec34a776c0f6258629285c0
Tags: upx discovery persistence spyware stealer
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256: b25e78b7a0a2d6a2c1b05b124af2ab7b3b1cf3069ec34a776c0f6258629285c0

Threat level: shows suspicious behavior

The file JaffaCakes118_1c79c7b80046edfd2f9aa34d8cc5e3ac was classified as showing suspicious behavior (score 7/10). The report assigns no malware family name; the verdict rests on the behaviours listed below.

Malicious Activity Summary

Tags: upx discovery persistence spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

UPX packed file

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-07-04 18:23

Signatures

UPX packed file (tag: upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Both static hits are weak on their own: UPX packing and a missing Authenticode signature are common in legitimate software, so they raise the score without identifying the sample. The unpacked payload is what the behavioral run below characterises.

Analysis: behavioral1

Detonation Overview

Submitted: 2025-07-04 18:23
Reported: 2025-07-04 18:26
Platform: win10v2004-20250610-en
Max time kernel: 140s
Max time network: 137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c79c7b80046edfd2f9aa34d8cc5e3ac.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lV6i3HwaqVh0Lwv.exe | N/A
N/A | N/A | C:\Windows\CTS.exe | N/A
N/A | N/A | C:\Windows\CTS.exe | N/A

Three dropped-executable launches were recorded: the temp-directory binary lV6i3HwaqVh0Lwv.exe once and C:\Windows\CTS.exe twice (two separate process instances; see Processes).

Reads user/profile data of web browsers (tags: spyware stealer)

The report records no description, indicator, process or target rows for this signature, so which browser profile paths were read cannot be determined from it; the spyware/stealer tags derive from this hit alone.

Adds Run key to start application (tag: persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c79c7b80046edfd2f9aa34d8cc5e3ac.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A

The value is written three times, once by the sample and once by each CTS.exe instance, so the persisted copy re-asserts its own Run entry every time it starts. The key lands under WOW6432Node because the writer is a 32-bit process and the registry redirector maps its HKLM\SOFTWARE write there; a 64-bit reader must look at the WOW6432Node path to see it. Writing under HKLM (and dropping into C:\Windows, below) requires an elevated token; the sandbox ran the sample as the Admin user, so on a standard-user host this exact persistence path would fail, and the report shows no per-user fallback such as an HKCU Run value.

UPX packed file (tag: upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (7 matches, no description, indicator, process or target recorded for any of them)

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c79c7b80046edfd2f9aa34d8cc5e3ac.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A
File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A

As with the Run key, the file is created by the sample and then again by each CTS.exe instance, i.e. the persisted copy rewrites itself on every run.

System Location Discovery: System Language Discovery (tag: discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c79c7b80046edfd2f9aa34d8cc5e3ac.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\CTS.exe | N/A

This key is read during ordinary Windows locale initialisation, and the signature fires on a large share of benign executables; treat it as a low-fidelity signal unless the sample is also seen acting on the result (for example exiting on particular locales), which this report does not show.

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\shell\open\command | C:\Users\Admin\AppData\Local\Temp\lV6i3HwaqVh0Lwv.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\shell | C:\Users\Admin\AppData\Local\Temp\lV6i3HwaqVh0Lwv.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\shell\open | C:\Users\Admin\AppData\Local\Temp\lV6i3HwaqVh0Lwv.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LV6I3H~1.EXE \"%1\"" | C:\Users\Admin\AppData\Local\Temp\lV6i3HwaqVh0Lwv.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.GRF | C:\Users\Admin\AppData\Local\Temp\lV6i3HwaqVh0Lwv.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.GRF\ = "GraphEdtGraph" | C:\Users\Admin\AppData\Local\Temp\lV6i3HwaqVh0Lwv.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph | C:\Users\Admin\AppData\Local\Temp\lV6i3HwaqVh0Lwv.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\ = "Filter Graph" | C:\Users\Admin\AppData\Local\Temp\lV6i3HwaqVh0Lwv.exe | N/A

Taken together these rows register the .GRF extension to the ProgID GraphEdtGraph ("Filter Graph") and make the dropped executable its open handler, using the 8.3 short name LV6I3H~1.EXE. The .GRF extension, the GraphEdtGraph ProgID and the "Filter Graph" display name are the file-type registration that Microsoft's DirectShow GraphEdit utility performs on first launch, so this block is consistent with lV6i3HwaqVh0Lwv.exe being a renamed copy of that tool rather than a second malicious component; the report does not identify the binary, so verify by hash (see Files) before drawing that conclusion. Either way, the association is an execution trigger: opening any .GRF file would launch the dropped binary.

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c79c7b80046edfd2f9aa34d8cc5e3ac.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lV6i3HwaqVh0Lwv.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lV6i3HwaqVh0Lwv.exe | N/A
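A host-side triage check for the persistence, file-drop, file-association and process indicators listed in the signatures above. This is an added example, not part of the sandbox output or of the sample: the paths, registry values and SHA256 hashes are taken from this report, while the function name Test-CtsIndicators and the shape of its output are the editor's own assumptions. Run it in an elevated 64-bit PowerShell on a host suspected of having executed the sample.

```powershell
# Added example: checks a live host for the indicators in this report.
# Hashes and paths come from the report; the function name and output
# layout are assumptions made for the example. Run elevated, 64-bit.

function Test-CtsIndicators {
    [CmdletBinding()]
    param(
        # SHA256 of C:\Windows\CTS.exe as recorded in the Files section
        [string]$ExpectedCtsSha256 = '9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2',
        # SHA256 of the dropped lV6i3HwaqVh0Lwv.exe, also from the Files section
        [string]$ExpectedDropperSha256 = '6011cd7d1a314d109bc0755d17be2e7812b2f5542ec24f3f3023532c1e8a1d44'
    )

    $findings = @()
    $psMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

    # 1. Run-key persistence. The sample is 32-bit, so its HKLM write is
    #    redirected to WOW6432Node; check both views of the key.
    $runKeys = @(
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($psMeta -contains $p.Name) { continue }   # provider metadata, not Run values
            if ($p.Name -eq 'CTS' -or "$($p.Value)" -match '\\Windows\\CTS\.exe') {
                $findings += [pscustomobject]@{ Check = 'RunKey'; Where = "$key\$($p.Name)"; Detail = $p.Value }
            }
        }
    }

    # 2. Dropped binary in the Windows directory, with hash comparison.
    $cts = Join-Path $env:SystemRoot 'CTS.exe'
    if (Test-Path $cts) {
        $hash = (Get-FileHash -Path $cts -Algorithm SHA256).Hash.ToLower()
        $detail = if ($hash -eq $ExpectedCtsSha256) { 'SHA256 matches report' } else { "SHA256 differs: $hash" }
        $findings += [pscustomobject]@{ Check = 'File'; Where = $cts; Detail = $detail }
    }

    # 3. Copies of the dropper left in any user's temp directory.
    Get-ChildItem -Path 'C:\Users\*\AppData\Local\Temp\lV6i3HwaqVh0Lwv.exe' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
            $detail = if ($hash -eq $ExpectedDropperSha256) { 'SHA256 matches report' } else { "SHA256 differs: $hash" }
            $findings += [pscustomobject]@{ Check = 'File'; Where = $_.FullName; Detail = $detail }
        }

    # 4. .GRF file association whose open handler is the dropped binary
    #    (the report shows it registered under its 8.3 name LV6I3H~1.EXE).
    $grf = 'HKLM:\SOFTWARE\Classes\GraphEdtGraph\shell\open\command'
    if (Test-Path $grf) {
        $cmd = (Get-ItemProperty -Path $grf).'(default)'
        if ($cmd -match 'LV6I3H~1|lV6i3HwaqVh0Lwv') {
            $findings += [pscustomobject]@{ Check = 'FileAssoc'; Where = $grf; Detail = $cmd }
        }
    }

    # 5. Live processes with the names seen in the detonation.
    Get-Process -Name 'CTS', 'lV6i3HwaqVh0Lwv' -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += [pscustomobject]@{ Check = 'Process'; Where = "PID $($_.Id)"; Detail = $_.Path }
    }

    return $findings
}

$result = Test-CtsIndicators
if ($result) { $result | Format-Table -AutoSize } else { 'No indicators from this report found on this host.' }
```

A hash mismatch on C:\Windows\CTS.exe is still a finding: the name and location are the indicator, and a different build of the same dropper would produce a different hash. The Run-key check deliberately matches on the value name and on the target path separately, since either could be changed independently in a later variant.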

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c79c7b80046edfd2f9aa34d8cc5e3ac.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c79c7b80046edfd2f9aa34d8cc5e3ac.exe"

C:\Users\Admin\AppData\Local\Temp\lV6i3HwaqVh0Lwv.exe
  command line: C:\Users\Admin\AppData\Local\Temp\lV6i3HwaqVh0Lwv.exe

C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Windows\CTS.exe

C:\Windows\CTS.exe
  command line: "C:\Windows\CTS.exe"

C:\Windows\CTS.exe
  command line: C:\Windows\CTS.exe

The report does not record parent-child relations, but the command lines show CTS.exe being started once through cmd.exe /c and once directly. Both CTS.exe instances repeat the sample's own steps (re-creating C:\Windows\CTS.exe and re-setting the Run value, per the Signatures above), so the persisted copy is self-sustaining. Note that no powershell.exe process appears here even though a PowerShell CLR usage log is listed under Files.
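A retrospective hunt over the Sysmon operational log for the process-creation, file-creation and registry-write behaviour this report records. This is an added example, not part of the sandbox output; it assumes Sysmon is installed with event IDs 1 (process create), 11 (file create) and 13 (registry value set) enabled, and the function name Find-CtsSysmonEvents and its output fields are the editor's choice. Run elevated.

```powershell
# Added example: hunts the Sysmon log for the behaviour in this report.
# Assumes Sysmon is logging IDs 1, 11 and 13. Function name and output
# fields are assumptions for the example; the matched values come from
# the report (Run\CTS value, C:\Windows\CTS.exe, cmd.exe /c launch,
# the dropped lV6i3HwaqVh0Lwv.exe).

function Find-CtsSysmonEvents {
    param([int]$MaxEvents = 20000)

    $log = 'Microsoft-Windows-Sysmon/Operational'
    # SilentlyContinue so an empty or absent log yields no output rather than an error
    $events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1, 11, 13 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Read EventData fields by name; positional indexes differ per event type
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        switch ($e.Id) {
            13 {
                # Run value named CTS under either registry view, or any Run value
                # whose data points at CTS.exe in the Windows directory
                if (($d.TargetObject -match '\\CurrentVersion\\Run\\CTS$') -or
                    ($d.TargetObject -match '\\CurrentVersion\\Run\\' -and $d.Details -match '\\Windows\\CTS\.exe')) {
                    [pscustomobject]@{ Time = $e.TimeCreated; Id = 13; Image = $d.Image
                                       What = "$($d.TargetObject) = $($d.Details)" }
                }
            }
            11 {
                if ($d.TargetFilename -eq "$env:SystemRoot\CTS.exe") {
                    [pscustomobject]@{ Time = $e.TimeCreated; Id = 11; Image = $d.Image
                                       What = "created $($d.TargetFilename)" }
                }
            }
            1 {
                # cmd.exe /c <...>CTS.exe, or CTS.exe / the dropper starting directly
                $img = $d.Image
                $cl  = $d.CommandLine
                if (($img -match '\\cmd\.exe$' -and $cl -match 'CTS\.exe') -or
                    ($img -match '\\CTS\.exe$') -or
                    ($img -match '\\lV6i3HwaqVh0Lwv\.exe$')) {
                    [pscustomobject]@{ Time = $e.TimeCreated; Id = 1; Image = $img
                                       What = "parent $($d.ParentImage): $cl" }
                }
            }
        }
    }
}

Find-CtsSysmonEvents | Sort-Object Time | Format-Table -AutoSize -Wrap
```

The three event types are deliberately matched independently: on a host where the Run-key write failed (a non-elevated user, see the persistence caveat above) the ID 1 and ID 11 rows still surface the attempt, and the ID 13 match on the value data rather than only the value name catches a variant that renames the entry but keeps the C:\Windows\CTS.exe target.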

Network

Country | Destination | Domain | Proto
GB | 2.18.27.76:443 | www.bing.com | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
GB | 142.250.180.3:80 | c.pki.goog | tcp

All recorded destinations are Microsoft Bing endpoints and Google's certificate-status host (c.pki.goog), which a Windows 10 image contacts in the background regardless of the sample. Within the 137 s network window no connection attributable to the sample itself was captured, so this report yields no network indicators; absence of traffic in a short sandbox run does not establish that the sample has no network capability.

Files

memory/4044-0-0x0000000000830000-0x0000000000847000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lV6i3HwaqVh0Lwv.exe
MD5 880e155f8f47fb0db7b2080e71d59568
SHA1 2ed0c0f809765bbabd8c7d4f58e9a0bacf2bb629
SHA256 6011cd7d1a314d109bc0755d17be2e7812b2f5542ec24f3f3023532c1e8a1d44
SHA512 70977d36b8ec8c271c5ffd3303677743a2626196bb62af5d817e86a7eeed972bbb70acdd81508f7b4ee1da366ce02cd96a8d0e6f11627842f195cfd0c53a5bec

memory/1176-9-0x0000000000A30000-0x0000000000A47000-memory.dmp

C:\Windows\CTS.exe
MD5 70aa23c9229741a9b52e5ce388a883ac
SHA1 b42683e21e13de3f71db26635954d992ebe7119e
SHA256 9d25cc704b1c00c9d17903e25ca35c319663e997cb9da0b116790b639e9688f2
SHA512 be604a2ad5ab8a3e5edb8901016a76042ba873c8d05b4ef8eec31241377ec6b2a883b51c6912dc7640581ffa624547db334683975883ae74e62808b5ae9ab0b5

memory/4044-11-0x0000000000830000-0x0000000000847000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5 3f8b4a5fd89c36689cc8881b45b07657
SHA1 a9cf3cfef6c0e8fba838ce1a87b5931d703e7438
SHA256 23fde330196234a26df9bb95e1f3b308947809945e67ed3099ba1b55ff46c15c
SHA512 1d69515aad2cae5ce39d56c76ca04b93cdb20726ed6e9a5cbbfa5b43455b62026bed65d6cb955dbd5f47f9f352267ef191d62d4392349ac64f4e568a8037f723

memory/3752-28-0x0000000000A30000-0x0000000000A47000-memory.dmp

memory/3752-32-0x0000000000A30000-0x0000000000A47000-memory.dmp

Entries are listed in the order the sandbox captured them. Memory dump names are PID-snapshot-address range: PID 4044 was captured twice at 0x830000 and PIDs 1176 and 3752 (the two C:\Windows\CTS.exe instances) at 0xA30000, every region being the same 0x17000 bytes. Note that C:\Windows\CTS.exe hashes differently from the submitted sample (SHA256 9d25cc70... versus b25e78b7...), so it is a distinct build or a modified copy rather than a byte-for-byte self-copy, and both hashes are needed as file indicators. The CLR_v4.0_32 usage log for powershell.exe is written by the .NET runtime when a 32-bit PowerShell host runs, but no powershell.exe process appears in the Processes section; it may originate from sandbox tooling rather than from the sample and should not be treated as an indicator on its own.