Malware Analysis Report

2025-08-05 14:55

Sample ID 250704-w7nd3axqs4
Target JaffaCakes118_1c7b87a86e209ced0b42c82a724585d0
SHA256 c801b16f7810c2f64c12f4d3c5c0c7605dae4b467415e4ca1e7dba5f158bfbcb
Tags
upx discovery persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

c801b16f7810c2f64c12f4d3c5c0c7605dae4b467415e4ca1e7dba5f158bfbcb

Threat Level: Shows suspicious behavior

The file JaffaCakes118_1c7b87a86e209ced0b42c82a724585d0 was found to be: Shows suspicious behavior.

Malicious Activity Summary

upx discovery persistence spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

UPX packed file

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-04 18:33

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-04 18:33

Reported

2025-07-04 18:36

Platform

win10v2004-20250619-en

Max time kernel

140s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c7b87a86e209ced0b42c82a724585d0.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cTe1DpEf3WbwHfw.exe N/A
N/A N/A C:\Windows\CTS.exe N/A
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c7b87a86e209ced0b42c82a724585d0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c7b87a86e209ced0b42c82a724585d0.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c7b87a86e209ced0b42c82a724585d0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\CTS.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph C:\Users\Admin\AppData\Local\Temp\cTe1DpEf3WbwHfw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\ = "Filter Graph" C:\Users\Admin\AppData\Local\Temp\cTe1DpEf3WbwHfw.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\shell\open\command C:\Users\Admin\AppData\Local\Temp\cTe1DpEf3WbwHfw.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\shell C:\Users\Admin\AppData\Local\Temp\cTe1DpEf3WbwHfw.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\shell\open C:\Users\Admin\AppData\Local\Temp\cTe1DpEf3WbwHfw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CTE1DP~1.EXE \"%1\"" C:\Users\Admin\AppData\Local\Temp\cTe1DpEf3WbwHfw.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.GRF C:\Users\Admin\AppData\Local\Temp\cTe1DpEf3WbwHfw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.GRF\ = "GraphEdtGraph" C:\Users\Admin\AppData\Local\Temp\cTe1DpEf3WbwHfw.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c7b87a86e209ced0b42c82a724585d0.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cTe1DpEf3WbwHfw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cTe1DpEf3WbwHfw.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c7b87a86e209ced0b42c82a724585d0.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c7b87a86e209ced0b42c82a724585d0.exe"

C:\Users\Admin\AppData\Local\Temp\cTe1DpEf3WbwHfw.exe

C:\Users\Admin\AppData\Local\Temp\cTe1DpEf3WbwHfw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\CTS.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

C:\Windows\CTS.exe

C:\Windows\CTS.exe

Network

Country Destination Domain Proto
GB 2.18.27.82:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

memory/5708-0-0x0000000000FE0000-0x0000000000FF7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cTe1DpEf3WbwHfw.exe

MD5 880e155f8f47fb0db7b2080e71d59568
SHA1 2ed0c0f809765bbabd8c7d4f58e9a0bacf2bb629
SHA256 6011cd7d1a314d109bc0755d17be2e7812b2f5542ec24f3f3023532c1e8a1d44
SHA512 70977d36b8ec8c271c5ffd3303677743a2626196bb62af5d817e86a7eeed972bbb70acdd81508f7b4ee1da366ce02cd96a8d0e6f11627842f195cfd0c53a5bec

memory/5708-10-0x0000000000FE0000-0x0000000000FF7000-memory.dmp

memory/4464-11-0x0000000000C40000-0x0000000000C57000-memory.dmp

C:\Windows\CTS.exe

MD5 93e5f18caebd8d4a2c893e40e5f38232
SHA1 fd55c4e6bcd108bce60ea719c06dc9c4d0adafa6
SHA256 a66c4b98becac2f69cb107cd087d7a2ca9ef511bc3b83367b1f440f11dd159a8
SHA512 986583610d27caae2080834301d072557c5d2c85e33f0d19ab1245d7eae8db146397461572ddb3d491be16f3af210720d54267dac838fdad8fe34afa3d6b7f54

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 175939af136e5d768c599a0784335bba
SHA1 a024c1a91561b76af6238560108c10e205a60df9
SHA256 30d5680e89805bff2a8abfca93ce52e195c0bdc88b562b94e0c87300177b1932
SHA512 57ba6b6e08fe3edeb1217f7d4ffa9d603d0b28d84f6e0fce935f48f63ee08170532e77d9ecea0e267c905ece6f0b24c1e0a56cd50ac62ffc6123d2f434a068ce

memory/3168-26-0x0000000000C40000-0x0000000000C57000-memory.dmp

memory/3168-31-0x0000000000C40000-0x0000000000C57000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-07-04 18:33

Reported

2025-07-04 18:36

Platform

win11-20250619-en

Max time kernel

140s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c7b87a86e209ced0b42c82a724585d0.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2FmiSbkLHUt3AVy.exe N/A
N/A N/A C:\Windows\CTS.exe N/A
N/A N/A C:\Windows\CTS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c7b87a86e209ced0b42c82a724585d0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" C:\Windows\CTS.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CTS.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c7b87a86e209ced0b42c82a724585d0.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A
File created C:\Windows\CTS.exe C:\Windows\CTS.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c7b87a86e209ced0b42c82a724585d0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\CTS.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\shell\open\command C:\Users\Admin\AppData\Local\Temp\2FmiSbkLHUt3AVy.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\shell C:\Users\Admin\AppData\Local\Temp\2FmiSbkLHUt3AVy.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\shell\open C:\Users\Admin\AppData\Local\Temp\2FmiSbkLHUt3AVy.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2FMISB~1.EXE \"%1\"" C:\Users\Admin\AppData\Local\Temp\2FmiSbkLHUt3AVy.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.GRF C:\Users\Admin\AppData\Local\Temp\2FmiSbkLHUt3AVy.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.GRF\ = "GraphEdtGraph" C:\Users\Admin\AppData\Local\Temp\2FmiSbkLHUt3AVy.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph C:\Users\Admin\AppData\Local\Temp\2FmiSbkLHUt3AVy.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\ = "Filter Graph" C:\Users\Admin\AppData\Local\Temp\2FmiSbkLHUt3AVy.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c7b87a86e209ced0b42c82a724585d0.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\CTS.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2FmiSbkLHUt3AVy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2FmiSbkLHUt3AVy.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c7b87a86e209ced0b42c82a724585d0.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c7b87a86e209ced0b42c82a724585d0.exe"

C:\Users\Admin\AppData\Local\Temp\2FmiSbkLHUt3AVy.exe

C:\Users\Admin\AppData\Local\Temp\2FmiSbkLHUt3AVy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\CTS.exe

C:\Windows\CTS.exe

"C:\Windows\CTS.exe"

C:\Windows\CTS.exe

C:\Windows\CTS.exe

Network

Files

memory/1496-0-0x0000000001000000-0x0000000001017000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2FmiSbkLHUt3AVy.exe

MD5 880e155f8f47fb0db7b2080e71d59568
SHA1 2ed0c0f809765bbabd8c7d4f58e9a0bacf2bb629
SHA256 6011cd7d1a314d109bc0755d17be2e7812b2f5542ec24f3f3023532c1e8a1d44
SHA512 70977d36b8ec8c271c5ffd3303677743a2626196bb62af5d817e86a7eeed972bbb70acdd81508f7b4ee1da366ce02cd96a8d0e6f11627842f195cfd0c53a5bec

C:\Windows\CTS.exe

MD5 93e5f18caebd8d4a2c893e40e5f38232
SHA1 fd55c4e6bcd108bce60ea719c06dc9c4d0adafa6
SHA256 a66c4b98becac2f69cb107cd087d7a2ca9ef511bc3b83367b1f440f11dd159a8
SHA512 986583610d27caae2080834301d072557c5d2c85e33f0d19ab1245d7eae8db146397461572ddb3d491be16f3af210720d54267dac838fdad8fe34afa3d6b7f54

memory/1892-9-0x0000000000410000-0x0000000000427000-memory.dmp

memory/1496-10-0x0000000001000000-0x0000000001017000-memory.dmp

memory/5552-14-0x0000000000410000-0x0000000000427000-memory.dmp

memory/5552-16-0x0000000000410000-0x0000000000427000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

MD5 a7accea7832038c7b0571592585966e7
SHA1 e86ca9f7c67166af8376713d456d8b9b60844039
SHA256 8ebfd8ffd5ce56d662a52a7cbb1e06261761c990b676e32f42c3b82ed678e34f
SHA512 b9c833224e207bf38459225c505a71f7e463983e923fc52b74adc78a6caf833c584f4d8a64aafb7dc9310e8724b2a343a8603f63143bf46e6cdbd51dee3b2b47

memory/1892-34-0x0000000000410000-0x0000000000427000-memory.dmp