Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 20-04-2024 08:55
- Static task: static1
- Behavioral task: behavioral1
- Sample: fc62e83e4105ebb4b73f995568f46e63_JaffaCakes118.exe
- Resource: win7-20240221-en
General
- Target: fc62e83e4105ebb4b73f995568f46e63_JaffaCakes118.exe
- Size: 96KB
- MD5: fc62e83e4105ebb4b73f995568f46e63
- SHA1: 7c4d494642487e8c1ffee930ef2e221238e4539a
- SHA256: 78d9a3f43771a66b2ca4a3b06cb534ef477855c34d8673dc2051d8a203ffe66c
- SHA512: a4c5eb9866051629e6bd53badbccfdc060ea2355b7286fe35ce9f3365e1ee0e5a16e518e533b85141f94525f9fe0d9052c0cffdb342f5464f68d4ce63b722284
- SSDEEP: 1536:oKFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8pryTNH9VtWrZt:oQS4jHS8q/3nTzePCwNUh4E9yxdoZt
Malware Config
Signatures
- Gh0st RAT payload (2 IoCs)
  resource | yara_rule
  \??\c:\programdata\application data\storm\update\%sessionname%\sfqyy.cc3 | family_gh0strat
  behavioral1/memory/1792-22-0x0000000000400000-0x000000000044E21C-memory.dmp | family_gh0strat

- Deletes itself (1 IoCs)
  pid | process
  1792 | fgqpluhywl

- Executes dropped EXE (1 IoCs)
  pid | process
  1792 | fgqpluhywl

- Loads dropped DLL (3 IoCs)
  pid | process
  2128 | fc62e83e4105ebb4b73f995568f46e63_JaffaCakes118.exe
  2128 | fc62e83e4105ebb4b73f995568f46e63_JaffaCakes118.exe
  2672 | svchost.exe

- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  description | ioc | process
  File opened for modification | \??\PhysicalDrive0 | svchost.exe

- Drops file in System32 directory (1 IoCs)
  description | ioc | process
  File created | C:\Windows\SysWOW64\naycncofxm | svchost.exe

- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe

- Modifies data under HKEY_USERS (6 IoCs)
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum | svchost.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7" | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software | svchost.exe

- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid | process
  1792 | fgqpluhywl
  2672 | svchost.exe
  2672 | svchost.exe

- Suspicious use of AdjustPrivilegeToken (18 IoCs)
  description | pid | process
  Token: SeRestorePrivilege | 1792 | fgqpluhywl
  Token: SeBackupPrivilege | 1792 | fgqpluhywl
  Token: SeBackupPrivilege | 1792 | fgqpluhywl
  Token: SeRestorePrivilege | 1792 | fgqpluhywl
  Token: SeBackupPrivilege | 2672 | svchost.exe
  Token: SeRestorePrivilege | 2672 | svchost.exe
  Token: SeBackupPrivilege | 2672 | svchost.exe
  Token: SeBackupPrivilege | 2672 | svchost.exe
  Token: SeSecurityPrivilege | 2672 | svchost.exe
  Token: SeSecurityPrivilege | 2672 | svchost.exe
  Token: SeBackupPrivilege | 2672 | svchost.exe
  Token: SeBackupPrivilege | 2672 | svchost.exe
  Token: SeSecurityPrivilege | 2672 | svchost.exe
  Token: SeBackupPrivilege | 2672 | svchost.exe
  Token: SeBackupPrivilege | 2672 | svchost.exe
  Token: SeSecurityPrivilege | 2672 | svchost.exe
  Token: SeBackupPrivilege | 2672 | svchost.exe
  Token: SeRestorePrivilege | 2672 | svchost.exe

- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | process | target process
  PID 2128 wrote to memory of 1792 | 2128 | fc62e83e4105ebb4b73f995568f46e63_JaffaCakes118.exe | fgqpluhywl
  PID 2128 wrote to memory of 1792 | 2128 | fc62e83e4105ebb4b73f995568f46e63_JaffaCakes118.exe | fgqpluhywl
  PID 2128 wrote to memory of 1792 | 2128 | fc62e83e4105ebb4b73f995568f46e63_JaffaCakes118.exe | fgqpluhywl
  PID 2128 wrote to memory of 1792 | 2128 | fc62e83e4105ebb4b73f995568f46e63_JaffaCakes118.exe | fgqpluhywl
Processes
- C:\Users\Admin\AppData\Local\Temp\fc62e83e4105ebb4b73f995568f46e63_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fc62e83e4105ebb4b73f995568f46e63_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  - \??\c:\users\admin\appdata\local\fgqpluhywl (depth 2, child of the process above)
    Command line: "C:\Users\Admin\AppData\Local\Temp\fc62e83e4105ebb4b73f995568f46e63_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\fc62e83e4105ebb4b73f995568f46e63_jaffacakes118.exe
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

- C:\Windows\SysWOW64\svchost.exe (depth 1)
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- \??\c:\programdata\application data\storm\update\%sessionname%\sfqyy.cc3
  Filesize: 20.0MB
  MD5: 098139247e914ca048677577ba3f8c08
  SHA1: 7f88305c0ee16436bb9a1b8417c2126060c2c18b
  SHA256: 7ac4b2c3e7d3fa1e1ec15afd43287cbce8ac5ca68a7e079ce749db2cfbeb00aa
  SHA512: 1cdbcee0676a097f29dcb5603ddb063cc1b39dbc2d17049e11ad3925558d80690964174fbd7da43470bd155e0294324f0ac46a8fa6b2f07d9d77ff8344f27b2b

- \Users\Admin\AppData\Local\fgqpluhywl
  Filesize: 20.6MB
  MD5: f551c1deaafc3bbdf91a589090db9b1b
  SHA1: 05707c6b21cd24094a9aefb113b5f437384d68d7
  SHA256: 0e95b0d2656d4381a50d3dc7f3ce06e0b43934ad8dbad0290b9c8f32a297b71c
  SHA512: fc6db95711cf2003479fb2a1d5a9b8a4bf209a33922fc04ff5d1e78a527aa97a3e67be77543819336ea24064f9de782d71af66104e464da91cf80ab16538470f

- memory/1792-16-0x0000000000400000-0x000000000044E21C-memory.dmp
  Filesize: 312KB

- memory/1792-17-0x0000000000030000-0x0000000000031000-memory.dmp
  Filesize: 4KB

- memory/1792-22-0x0000000000400000-0x000000000044E21C-memory.dmp
  Filesize: 312KB

- memory/2128-0-0x0000000000400000-0x000000000044E21C-memory.dmp
  Filesize: 312KB

- memory/2128-2-0x0000000000030000-0x0000000000031000-memory.dmp
  Filesize: 4KB

- memory/2128-13-0x0000000000350000-0x000000000039F000-memory.dmp
  Filesize: 316KB

- memory/2128-12-0x0000000000400000-0x000000000044E21C-memory.dmp
  Filesize: 312KB

- memory/2128-6-0x0000000000350000-0x000000000039F000-memory.dmp
  Filesize: 316KB

- memory/2128-25-0x0000000000350000-0x000000000039F000-memory.dmp
  Filesize: 316KB

- memory/2672-23-0x0000000000130000-0x0000000000131000-memory.dmp
  Filesize: 4KB