Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-04-2024 09:36
Static task: static1
Behavioral task: behavioral1
Sample: fc750f6c7b4c57b368e7c01aff4399ed_JaffaCakes118.exe
Resource: win7-20240215-en
General
Target: fc750f6c7b4c57b368e7c01aff4399ed_JaffaCakes118.exe
Size: 95KB
MD5: fc750f6c7b4c57b368e7c01aff4399ed
SHA1: eacd83ebf16c89c0f90f9399bacc3db273df058f
SHA256: c07c011568614e3119d36a67fa208666c276f3500ca3ad1a156177c9e63cec70
SHA512: e9b1ca25c6a7db5c59c518d804750d68555a60ee371609807014245484054687eac8fbc652b10665205b4733420d5e37619e693a20b5febaa735f49427382f19
SSDEEP: 1536:aMJFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8priIQmwpd:aMfS4jHS8q/3nTzePCwNUh4E9iy0d
Malware Config
Signatures
Gh0st RAT payload (2 IoCs)
  resource | yara_rule
  \??\c:\programdata\application data\storm\update\%sessionname%\fkyre.cc3 | family_gh0strat
  behavioral2/memory/1916-15-0x0000000000400000-0x000000000044C60F-memory.dmp | family_gh0strat
Deletes itself (1 IoC)
  pid | process
  1916 | bstotfnyfw
Executes dropped EXE (1 IoC)
  pid | process
  1916 | bstotfnyfw
Loads dropped DLL (3 IoCs)
  pid | process
  3968 | svchost.exe
  5096 | svchost.exe
  3436 | svchost.exe
Drops file in System32 directory (7 IoCs)
  description | ioc | process
  File created | C:\Windows\SysWOW64\tfhodjpcnf | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | svchost.exe
  File created | C:\Windows\SysWOW64\tfxtcsxubq | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | svchost.exe
  File created | C:\Windows\SysWOW64\txlkxnyram | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | svchost.exe
  File created | C:\Windows\SysWOW64\toowotenad | svchost.exe
Program crash (3 IoCs)
  pid | pid_target | process | target process
  3248 | 3968 | WerFault.exe | svchost.exe
  2040 | 5096 | WerFault.exe | svchost.exe
  4284 | 3436 | WerFault.exe | svchost.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | process
  1916 | bstotfnyfw
  1916 | bstotfnyfw
Suspicious use of AdjustPrivilegeToken (41 IoCs)
  description | pid | process
  Token: SeRestorePrivilege | 1916 | bstotfnyfw
  Token: SeBackupPrivilege | 1916 | bstotfnyfw
  Token: SeBackupPrivilege | 1916 | bstotfnyfw
  Token: SeRestorePrivilege | 1916 | bstotfnyfw
  Token: SeBackupPrivilege | 3968 | svchost.exe
  Token: SeRestorePrivilege | 3968 | svchost.exe
  Token: SeBackupPrivilege | 3968 | svchost.exe
  Token: SeBackupPrivilege | 3968 | svchost.exe
  Token: SeSecurityPrivilege | 3968 | svchost.exe
  Token: SeSecurityPrivilege | 3968 | svchost.exe
  Token: SeBackupPrivilege | 3968 | svchost.exe
  Token: SeBackupPrivilege | 3968 | svchost.exe
  Token: SeSecurityPrivilege | 3968 | svchost.exe
  Token: SeBackupPrivilege | 3968 | svchost.exe
  Token: SeBackupPrivilege | 3968 | svchost.exe
  Token: SeSecurityPrivilege | 3968 | svchost.exe
  Token: SeBackupPrivilege | 3968 | svchost.exe
  Token: SeRestorePrivilege | 3968 | svchost.exe
  Token: SeBackupPrivilege | 5096 | svchost.exe
  Token: SeRestorePrivilege | 5096 | svchost.exe
  Token: SeBackupPrivilege | 5096 | svchost.exe
  Token: SeBackupPrivilege | 5096 | svchost.exe
  Token: SeSecurityPrivilege | 5096 | svchost.exe
  Token: SeSecurityPrivilege | 5096 | svchost.exe
  Token: SeBackupPrivilege | 5096 | svchost.exe
  Token: SeBackupPrivilege | 5096 | svchost.exe
  Token: SeSecurityPrivilege | 5096 | svchost.exe
  Token: SeBackupPrivilege | 3436 | svchost.exe
  Token: SeRestorePrivilege | 3436 | svchost.exe
  Token: SeBackupPrivilege | 3436 | svchost.exe
  Token: SeBackupPrivilege | 3436 | svchost.exe
  Token: SeSecurityPrivilege | 3436 | svchost.exe
  Token: SeSecurityPrivilege | 3436 | svchost.exe
  Token: SeBackupPrivilege | 3436 | svchost.exe
  Token: SeBackupPrivilege | 3436 | svchost.exe
  Token: SeSecurityPrivilege | 3436 | svchost.exe
  Token: SeBackupPrivilege | 3436 | svchost.exe
  Token: SeBackupPrivilege | 3436 | svchost.exe
  Token: SeSecurityPrivilege | 3436 | svchost.exe
  Token: SeBackupPrivilege | 3436 | svchost.exe
  Token: SeRestorePrivilege | 3436 | svchost.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | process | target process
  PID 1904 wrote to memory of 1916 | 1904 | fc750f6c7b4c57b368e7c01aff4399ed_JaffaCakes118.exe | bstotfnyfw
  PID 1904 wrote to memory of 1916 | 1904 | fc750f6c7b4c57b368e7c01aff4399ed_JaffaCakes118.exe | bstotfnyfw
  PID 1904 wrote to memory of 1916 | 1904 | fc750f6c7b4c57b368e7c01aff4399ed_JaffaCakes118.exe | bstotfnyfw
Processes
(process tree; child processes are indented under their parent, with the command line on the line below the image path)

C:\Users\Admin\AppData\Local\Temp\fc750f6c7b4c57b368e7c01aff4399ed_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\fc750f6c7b4c57b368e7c01aff4399ed_JaffaCakes118.exe"
  - Suspicious use of WriteProcessMemory
    \??\c:\users\admin\appdata\local\bstotfnyfw
      command line: "C:\Users\Admin\AppData\Local\Temp\fc750f6c7b4c57b368e7c01aff4399ed_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\fc750f6c7b4c57b368e7c01aff4399ed_jaffacakes118.exe
      - Deletes itself
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\svchost.exe
  command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 1124
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3968 -ip 3968

C:\Windows\SysWOW64\svchost.exe
  command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 1104
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5096 -ip 5096

C:\Windows\SysWOW64\svchost.exe
  command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 892
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3436 -ip 3436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3900 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix
Downloads
C:\Users\Admin\AppData\Local\bstotfnyfw
  Filesize: 23.1MB
  MD5: cd6adc217369fa3ba7309efb3976c0c2
  SHA1: 2c7b4a1a926b083b7583633ad800fa3820c98437
  SHA256: 9b446a9196d7af47760f55b3823fd06bafc88de1ac7281d84901d621b8b03495
  SHA512: 827b9ad2fa19c5172e4df5de8a23fa168a4796afb0dd585a0119cd4c822030bb62d2d1965275eabcad35ac1a586ef63718e54d583e8a2f0fa80d69def1d33c46

C:\Windows\SysWOW64\svchost.exe.txt
  Filesize: 201B
  MD5: 3e031d43cbe675af8cc34ebbedd1778a
  SHA1: 86c3712d603a80438417d63378f39fb08fe03b83
  SHA256: 1ff45f9f89d12105755d00ac5c4f8465d40fdcaece83e6f9df6f9e17c785a982
  SHA512: c116943816244c7d2167eaf2725efeb47ac5111911d10ede6dc2c24a65434aa3bc4b42c332ab2bc0958a7c2b8edf33f4906cc3941697f1b8d54643873a3abcd2

C:\Windows\SysWOW64\svchost.exe.txt
  Filesize: 301B
  MD5: fad94333877e9548ed8d041094033e81
  SHA1: 02f155d19d3f4e15a61a2aef45afb8c44c2ad0aa
  SHA256: 3b1e210e597f321941f1401fb2e131bfaaaea76a29d1bc75d4ebbad4d8e72e16
  SHA512: f47efb9a53d4b7ae856478f16c6f98f2affa2c198622e565e3d50770e29c830ce754ec93b929a84076ad443479e2940ca59e8b54e0943d583911c20b613a3fc2

\??\c:\programdata\application data\storm\update\%sessionname%\fkyre.cc3
  Filesize: 19.0MB
  MD5: bfab3c23b0420546b693831f26724cfa
  SHA1: 301da2f45646dd456f8838a694f64447980f6e43
  SHA256: 979afd88722510a556c609e0508414fb0e2ac98ef0efa982d00a1c2607ac9689
  SHA512: 0339145eeaca321595d549bcafc541aeca1dc11bc4f0b991170527e7d39b3e90acb33ce55e5520fdd45088f499b3e71f6e7dd7d2cb4161b02d2dedfc8cc9fc4a

memory/1904-2-0x00000000001D0000-0x00000000001D1000-memory.dmp
  Filesize: 4KB

memory/1904-0-0x0000000000400000-0x000000000044C60F-memory.dmp
  Filesize: 305KB

memory/1904-10-0x0000000000400000-0x000000000044C60F-memory.dmp
  Filesize: 305KB

memory/1916-7-0x0000000000400000-0x000000000044C60F-memory.dmp
  Filesize: 305KB

memory/1916-15-0x0000000000400000-0x000000000044C60F-memory.dmp
  Filesize: 305KB

memory/1916-11-0x00000000001D0000-0x00000000001D1000-memory.dmp
  Filesize: 4KB

memory/3436-25-0x0000000000F90000-0x0000000000F91000-memory.dmp
  Filesize: 4KB

memory/3968-18-0x0000000001BF0000-0x0000000001BF1000-memory.dmp
  Filesize: 4KB

memory/5096-21-0x00000000019D0000-0x00000000019D1000-memory.dmp
  Filesize: 4KB