Analysis

max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-04-2024 08:55

Static task: static1
Behavioral task: behavioral1
Sample: fc62e83e4105ebb4b73f995568f46e63_JaffaCakes118.exe
Resource: win7-20240221-en
General

Target: fc62e83e4105ebb4b73f995568f46e63_JaffaCakes118.exe
Size: 96KB
MD5: fc62e83e4105ebb4b73f995568f46e63
SHA1: 7c4d494642487e8c1ffee930ef2e221238e4539a
SHA256: 78d9a3f43771a66b2ca4a3b06cb534ef477855c34d8673dc2051d8a203ffe66c
SHA512: a4c5eb9866051629e6bd53badbccfdc060ea2355b7286fe35ce9f3365e1ee0e5a16e518e533b85141f94525f9fe0d9052c0cffdb342f5464f68d4ce63b722284
SSDEEP: 1536:oKFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8pryTNH9VtWrZt:oQS4jHS8q/3nTzePCwNUh4E9yxdoZt
Malware Config
Signatures
Gh0st RAT payload (2 IoCs)
  resource: \??\c:\programdata\application data\storm\update\%sessionname%\orxpd.cc3
    yara_rule: family_gh0strat
  resource: behavioral2/memory/1068-16-0x0000000000400000-0x000000000044E21C-memory.dmp
    yara_rule: family_gh0strat
Deletes itself (1 IoC)
  pid 1068  process bujxqjmyvk
Executes dropped EXE (1 IoC)
  pid 1068  process bujxqjmyvk
Loads dropped DLL (3 IoCs)
  pid 4948  process svchost.exe
  pid 1604  process svchost.exe
  pid 3956  process svchost.exe
Drops file in System32 directory (6 IoCs)
  description                   ioc                                      process
  File created                  C:\Windows\SysWOW64\ninvvfrcli           svchost.exe
  File opened for modification  C:\Windows\SysWOW64\svchost.exe.txt      svchost.exe
  File created                  C:\Windows\SysWOW64\nqboeitayd           svchost.exe
  File opened for modification  C:\Windows\SysWOW64\svchost.exe.txt      svchost.exe
  File created                  C:\Windows\SysWOW64\nyphmlvxlx           svchost.exe
  File opened for modification  C:\Windows\SysWOW64\svchost.exe.txt      svchost.exe
Program crash (3 IoCs)
  pid   pid_target  process       target process
  4044  4948        WerFault.exe  svchost.exe
  3972  1604        WerFault.exe  svchost.exe
  3952  3956        WerFault.exe  svchost.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 1068  process bujxqjmyvk
  pid 1068  process bujxqjmyvk
Suspicious use of AdjustPrivilegeToken (46 IoCs)
  pid 1068  process bujxqjmyvk
    Token: SeRestorePrivilege, SeBackupPrivilege, SeBackupPrivilege, SeRestorePrivilege
  pid 4948  process svchost.exe
    Token: SeBackupPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege, SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege
  pid 1604  process svchost.exe
    Token: SeBackupPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege, SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege
  pid 3956  process svchost.exe
    Token: SeBackupPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege, SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege
Suspicious use of WriteProcessMemory (3 IoCs)
  description                          pid   process                                              target process
  PID 2684 wrote to memory of 1068     2684  fc62e83e4105ebb4b73f995568f46e63_JaffaCakes118.exe  bujxqjmyvk
  PID 2684 wrote to memory of 1068     2684  fc62e83e4105ebb4b73f995568f46e63_JaffaCakes118.exe  bujxqjmyvk
  PID 2684 wrote to memory of 1068     2684  fc62e83e4105ebb4b73f995568f46e63_JaffaCakes118.exe  bujxqjmyvk
Processes

C:\Users\Admin\AppData\Local\Temp\fc62e83e4105ebb4b73f995568f46e63_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\fc62e83e4105ebb4b73f995568f46e63_JaffaCakes118.exe"
  - Suspicious use of WriteProcessMemory

    \??\c:\users\admin\appdata\local\bujxqjmyvk
      command line: "C:\Users\Admin\AppData\Local\Temp\fc62e83e4105ebb4b73f995568f46e63_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\fc62e83e4105ebb4b73f995568f46e63_jaffacakes118.exe
      - Deletes itself
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\svchost.exe
  command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 804
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4948 -ip 4948

C:\Windows\SysWOW64\svchost.exe
  command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 668
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1604 -ip 1604

C:\Windows\SysWOW64\svchost.exe
  command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 1088
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3956 -ip 3956
Network
MITRE ATT&CK Matrix
Downloads

C:\Windows\SysWOW64\svchost.exe.txt
  Filesize: 200B
  MD5: c07d56dc80df60d954b01be83124268b
  SHA1: c1d0185dc3ddffe462a16b9c45b2d15717e18294
  SHA256: f85a1691ec0a4db465476e55d458d67785ff6a60b614880cdf38351085c2fad3
  SHA512: 4ebef73bd9162ec04921dee107110f6634638dae7f18cb0e31c6285f33e91e06f3969d624808c11fa4899977e13dd10ba8868dd48d1e5d7260b905efdc76434b

C:\Windows\SysWOW64\svchost.exe.txt
  Filesize: 300B
  MD5: a1066164883449d9f838cb7290db0e2b
  SHA1: 035e02e2da256d43e78f7dea962bb550d20c6937
  SHA256: 43a0054c0e16fe50efbde02c3dd2446369fcf7a2593900be8a33508ffa92bad6
  SHA512: ea78545352e283b962d522bc512c929ff506af776b702d41c42ed1946918c31329e88a7d0678b29f05f80cbb2489ade908b8883444717d7b08abc618eb1f2bec

\??\c:\programdata\application data\storm\update\%sessionname%\orxpd.cc3
  Filesize: 20.0MB
  MD5: 9af5aa4dd29797b94dff9e1e96bc5eff
  SHA1: 9e3ef4daa13dc5c6e162d490357f0d8c7203f951
  SHA256: 6f72028646f40e5f2b68c441260aec78116085bface946536aecf0d4dcec2300
  SHA512: 4fdc25942513ae07fcb11c00b4c0edfad1dc456da2a4a6fb7d1697b090e59b3ca1c1c820bac0279f8c0302265358f23f5819aa0a68376cb0dad94b424850bc35

\??\c:\users\admin\appdata\local\bujxqjmyvk
  Filesize: 20.2MB
  MD5: 7a3ea066dc80435e839279ac56775be3
  SHA1: 7cbf91408220ac6f1854efef0a3cebb30788e30f
  SHA256: a7403233ef7077dadf1491ef76b2ff6277422481caafe158c897cfaab6a806d1
  SHA512: bb5f2042820b00fd5de25282af57f9b6c6c55fb44dc91fdeb4a6b31cf621780fd9c06e9b280d51cc614362eabcea6c140733e1f435a92108af5d2f3b70d1f443

memory/1068-16-0x0000000000400000-0x000000000044E21C-memory.dmp
  Filesize: 312KB

memory/1068-10-0x0000000000400000-0x000000000044E21C-memory.dmp
  Filesize: 312KB

memory/1068-11-0x00000000001D0000-0x00000000001D1000-memory.dmp
  Filesize: 4KB

memory/1604-20-0x00000000019E0000-0x00000000019E1000-memory.dmp
  Filesize: 4KB

memory/2684-0-0x0000000000400000-0x000000000044E21C-memory.dmp
  Filesize: 312KB

memory/2684-7-0x0000000000400000-0x000000000044E21C-memory.dmp
  Filesize: 312KB

memory/2684-2-0x00000000001D0000-0x00000000001D1000-memory.dmp
  Filesize: 4KB

memory/3956-24-0x00000000016C0000-0x00000000016C1000-memory.dmp
  Filesize: 4KB

memory/4948-17-0x00000000017F0000-0x00000000017F1000-memory.dmp
  Filesize: 4KB