Analysis
- max time kernel: 141s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 20-04-2024 07:53
Static task
- static1

Behavioral task
- behavioral1
  Sample: fc4896edc72ba726eebda2271be493f6_JaffaCakes118.exe
  Resource: win7-20240220-en
- behavioral2
  Sample: fc4896edc72ba726eebda2271be493f6_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
- behavioral3
  Sample: 20061193428.exe
  Resource: win7-20240221-en
- behavioral4
  Sample: 20061193428.exe
  Resource: win10v2004-20240412-en
General
- Target: fc4896edc72ba726eebda2271be493f6_JaffaCakes118.exe
- Size: 169KB
- MD5: fc4896edc72ba726eebda2271be493f6
- SHA1: b8fe3933906ba8988925dfabf924dbce6ced6436
- SHA256: 83fbb1cb049ba2fb7cad60ac4d8e518c0c1c445fa869bd9750c9e84cfb489333
- SHA512: ef9bede22f5019bd48eafdc4ed6d70a2755088d264ff592fe57ce2e01463f67a7160f741ad1ca4d88038c6768ad96b84af37a71f585b493d773c79036b669517
- SSDEEP: 3072:ALk395hYXJNuhV+g4yidNvJJngaWMY4n6tVojmTic+BSLLpjJj:AQqG+9yYNvJJnnjKiDBALBJj
Malware Config
Signatures
- Gh0st RAT payload (1 IoCs)
  Processes:
    resource: behavioral1/memory/2940-18-0x0000000000400000-0x0000000000444000-memory.dmp
    yara_rule: family_gh0strat
- Executes dropped EXE (1 IoCs)
  Processes:
    pid 2940, process 20061193428.exe
- Loads dropped DLL (5 IoCs)
  Processes:
    pid 2644, process fc4896edc72ba726eebda2271be493f6_JaffaCakes118.exe
    pid 2644, process fc4896edc72ba726eebda2271be493f6_JaffaCakes118.exe
    pid 2940, process 20061193428.exe
    pid 2940, process 20061193428.exe
    pid 2940, process 20061193428.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ball = "C:\\WINDOWS\\Ball.exe"
    process: 20061193428.exe
- Drops file in System32 directory (1 IoCs)
  Processes:
    description: File created
    ioc: C:\WINDOWS\SysWOW64\ctfmon.exe
    process: 20061193428.exe
- Drops file in Program Files directory (1 IoCs)
  Processes:
    description: File created
    ioc: C:\Program Files (x86)\Common Files\20061193428.exe
    process: fc4896edc72ba726eebda2271be493f6_JaffaCakes118.exe
- Drops file in Windows directory (2 IoCs)
  Processes:
    description: File created
    ioc: C:\WINDOWS\Ball.exe
    process: 20061193428.exe
    description: File opened for modification
    ioc: C:\WINDOWS\Ball.exe
    process: 20061193428.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    pid 2940, process 20061193428.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (7 entries, all identical):
    description: PID 2644 wrote to memory of 2940
    pid: 2644
    process: fc4896edc72ba726eebda2271be493f6_JaffaCakes118.exe
    target process: 20061193428.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\fc4896edc72ba726eebda2271be493f6_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fc4896edc72ba726eebda2271be493f6_JaffaCakes118.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Common Files\20061193428.exe (depth 2)
    Command line: "C:\Program Files (x86)\Common Files\20061193428.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- \Program Files (x86)\Common Files\20061193428.exe
  Filesize: 5.1MB
  MD5: d7be2f31187feee86d852ce5ffa0b1fd
  SHA1: a57fbcca22e1f4d178d811844cdefaa9537ebaef
  SHA256: d2fda291f12be94897b3b2567a99730b08bbc1b843c0599cd2cd770bf21bb0c6
  SHA512: 02fd85e11889c502b1e3b895d44e25b726b81a38ec5e8d125a23d832f75d115a83d12115a334f399b41ca9aa8db11d4b23a5000c0def573d9b257dddca23fc4c
- memory/2644-9-0x0000000002A50000-0x0000000002A94000-memory.dmp
  Filesize: 272KB
- memory/2644-4-0x0000000002A50000-0x0000000002A94000-memory.dmp
  Filesize: 272KB
- memory/2940-16-0x0000000000280000-0x00000000002A4000-memory.dmp
  Filesize: 144KB
- memory/2940-15-0x00000000008B0000-0x00000000008F4000-memory.dmp
  Filesize: 272KB
- memory/2940-18-0x0000000000400000-0x0000000000444000-memory.dmp
  Filesize: 272KB
- memory/2940-19-0x0000000000280000-0x00000000002A4000-memory.dmp
  Filesize: 144KB
- memory/2940-21-0x00000000008B0000-0x00000000008F4000-memory.dmp
  Filesize: 272KB