Analysis Overview
SHA256: c801b16f7810c2f64c12f4d3c5c0c7605dae4b467415e4ca1e7dba5f158bfbcb
Threat Level: Shows suspicious behavior
The file JaffaCakes118_1c7b87a86e209ced0b42c82a724585d0 was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
UPX packed file
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported: 2025-07-04 18:33
Signatures
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2025-07-04 18:33
Reported: 2025-07-04 18:36
Platform: win10v2004-20250619-en
Max time kernel: 140s
Max time network: 135s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cTe1DpEf3WbwHfw.exe | N/A |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c7b87a86e209ced0b42c82a724585d0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c7b87a86e209ced0b42c82a724585d0.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c7b87a86e209ced0b42c82a724585d0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\CTS.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph | C:\Users\Admin\AppData\Local\Temp\cTe1DpEf3WbwHfw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\ = "Filter Graph" | C:\Users\Admin\AppData\Local\Temp\cTe1DpEf3WbwHfw.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\shell\open\command | C:\Users\Admin\AppData\Local\Temp\cTe1DpEf3WbwHfw.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\shell | C:\Users\Admin\AppData\Local\Temp\cTe1DpEf3WbwHfw.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\shell\open | C:\Users\Admin\AppData\Local\Temp\cTe1DpEf3WbwHfw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CTE1DP~1.EXE \"%1\"" | C:\Users\Admin\AppData\Local\Temp\cTe1DpEf3WbwHfw.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.GRF | C:\Users\Admin\AppData\Local\Temp\cTe1DpEf3WbwHfw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.GRF\ = "GraphEdtGraph" | C:\Users\Admin\AppData\Local\Temp\cTe1DpEf3WbwHfw.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c7b87a86e209ced0b42c82a724585d0.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cTe1DpEf3WbwHfw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cTe1DpEf3WbwHfw.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c7b87a86e209ced0b42c82a724585d0.exe | "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c7b87a86e209ced0b42c82a724585d0.exe" |
| C:\Users\Admin\AppData\Local\Temp\cTe1DpEf3WbwHfw.exe | C:\Users\Admin\AppData\Local\Temp\cTe1DpEf3WbwHfw.exe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Windows\CTS.exe |
| C:\Windows\CTS.exe | "C:\Windows\CTS.exe" |
| C:\Windows\CTS.exe | C:\Windows\CTS.exe |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| GB | 2.18.27.82:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
memory/5708-0-0x0000000000FE0000-0x0000000000FF7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cTe1DpEf3WbwHfw.exe
| Algorithm | Digest |
|---|---|
| MD5 | 880e155f8f47fb0db7b2080e71d59568 |
| SHA1 | 2ed0c0f809765bbabd8c7d4f58e9a0bacf2bb629 |
| SHA256 | 6011cd7d1a314d109bc0755d17be2e7812b2f5542ec24f3f3023532c1e8a1d44 |
| SHA512 | 70977d36b8ec8c271c5ffd3303677743a2626196bb62af5d817e86a7eeed972bbb70acdd81508f7b4ee1da366ce02cd96a8d0e6f11627842f195cfd0c53a5bec |
memory/5708-10-0x0000000000FE0000-0x0000000000FF7000-memory.dmp
memory/4464-11-0x0000000000C40000-0x0000000000C57000-memory.dmp
C:\Windows\CTS.exe
| Algorithm | Digest |
|---|---|
| MD5 | 93e5f18caebd8d4a2c893e40e5f38232 |
| SHA1 | fd55c4e6bcd108bce60ea719c06dc9c4d0adafa6 |
| SHA256 | a66c4b98becac2f69cb107cd087d7a2ca9ef511bc3b83367b1f440f11dd159a8 |
| SHA512 | 986583610d27caae2080834301d072557c5d2c85e33f0d19ab1245d7eae8db146397461572ddb3d491be16f3af210720d54267dac838fdad8fe34afa3d6b7f54 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| Algorithm | Digest |
|---|---|
| MD5 | 175939af136e5d768c599a0784335bba |
| SHA1 | a024c1a91561b76af6238560108c10e205a60df9 |
| SHA256 | 30d5680e89805bff2a8abfca93ce52e195c0bdc88b562b94e0c87300177b1932 |
| SHA512 | 57ba6b6e08fe3edeb1217f7d4ffa9d603d0b28d84f6e0fce935f48f63ee08170532e77d9ecea0e267c905ece6f0b24c1e0a56cd50ac62ffc6123d2f434a068ce |
memory/3168-26-0x0000000000C40000-0x0000000000C57000-memory.dmp
memory/3168-31-0x0000000000C40000-0x0000000000C57000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted: 2025-07-04 18:33
Reported: 2025-07-04 18:36
Platform: win11-20250619-en
Max time kernel: 140s
Max time network: 104s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2FmiSbkLHUt3AVy.exe | N/A |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c7b87a86e209ced0b42c82a724585d0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c7b87a86e209ced0b42c82a724585d0.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c7b87a86e209ced0b42c82a724585d0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\CTS.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\shell\open\command | C:\Users\Admin\AppData\Local\Temp\2FmiSbkLHUt3AVy.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\shell | C:\Users\Admin\AppData\Local\Temp\2FmiSbkLHUt3AVy.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\shell\open | C:\Users\Admin\AppData\Local\Temp\2FmiSbkLHUt3AVy.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2FMISB~1.EXE \"%1\"" | C:\Users\Admin\AppData\Local\Temp\2FmiSbkLHUt3AVy.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.GRF | C:\Users\Admin\AppData\Local\Temp\2FmiSbkLHUt3AVy.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.GRF\ = "GraphEdtGraph" | C:\Users\Admin\AppData\Local\Temp\2FmiSbkLHUt3AVy.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph | C:\Users\Admin\AppData\Local\Temp\2FmiSbkLHUt3AVy.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GraphEdtGraph\ = "Filter Graph" | C:\Users\Admin\AppData\Local\Temp\2FmiSbkLHUt3AVy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c7b87a86e209ced0b42c82a724585d0.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2FmiSbkLHUt3AVy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2FmiSbkLHUt3AVy.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c7b87a86e209ced0b42c82a724585d0.exe | "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c7b87a86e209ced0b42c82a724585d0.exe" |
| C:\Users\Admin\AppData\Local\Temp\2FmiSbkLHUt3AVy.exe | C:\Users\Admin\AppData\Local\Temp\2FmiSbkLHUt3AVy.exe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Windows\CTS.exe |
| C:\Windows\CTS.exe | "C:\Windows\CTS.exe" |
| C:\Windows\CTS.exe | C:\Windows\CTS.exe |
Network
Files
memory/1496-0-0x0000000001000000-0x0000000001017000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2FmiSbkLHUt3AVy.exe
| Algorithm | Digest |
|---|---|
| MD5 | 880e155f8f47fb0db7b2080e71d59568 |
| SHA1 | 2ed0c0f809765bbabd8c7d4f58e9a0bacf2bb629 |
| SHA256 | 6011cd7d1a314d109bc0755d17be2e7812b2f5542ec24f3f3023532c1e8a1d44 |
| SHA512 | 70977d36b8ec8c271c5ffd3303677743a2626196bb62af5d817e86a7eeed972bbb70acdd81508f7b4ee1da366ce02cd96a8d0e6f11627842f195cfd0c53a5bec |
C:\Windows\CTS.exe
| Algorithm | Digest |
|---|---|
| MD5 | 93e5f18caebd8d4a2c893e40e5f38232 |
| SHA1 | fd55c4e6bcd108bce60ea719c06dc9c4d0adafa6 |
| SHA256 | a66c4b98becac2f69cb107cd087d7a2ca9ef511bc3b83367b1f440f11dd159a8 |
| SHA512 | 986583610d27caae2080834301d072557c5d2c85e33f0d19ab1245d7eae8db146397461572ddb3d491be16f3af210720d54267dac838fdad8fe34afa3d6b7f54 |
memory/1892-9-0x0000000000410000-0x0000000000427000-memory.dmp
memory/1496-10-0x0000000001000000-0x0000000001017000-memory.dmp
memory/5552-14-0x0000000000410000-0x0000000000427000-memory.dmp
memory/5552-16-0x0000000000410000-0x0000000000427000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| Algorithm | Digest |
|---|---|
| MD5 | a7accea7832038c7b0571592585966e7 |
| SHA1 | e86ca9f7c67166af8376713d456d8b9b60844039 |
| SHA256 | 8ebfd8ffd5ce56d662a52a7cbb1e06261761c990b676e32f42c3b82ed678e34f |
| SHA512 | b9c833224e207bf38459225c505a71f7e463983e923fc52b74adc78a6caf833c584f4d8a64aafb7dc9310e8724b2a343a8603f63143bf46e6cdbd51dee3b2b47 |
memory/1892-34-0x0000000000410000-0x0000000000427000-memory.dmp