Analysis
max time kernel: 151s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-04-2024 14:34
Behavioral tasks (task: sample, resource)
behavioral1: fcfa69cbc689304e055d5705ed7692a1_JaffaCakes118.dll, win7-20231129-en
behavioral2: fcfa69cbc689304e055d5705ed7692a1_JaffaCakes118.dll, win10v2004-20240412-en
behavioral3: CERTIFICATE.dll, win7-20240221-en
behavioral4: CERTIFICATE.dll, win10v2004-20240412-en
behavioral5: CERTIFICATE.dll, win7-20240221-en
behavioral6: CERTIFICATE.dll, win10v2004-20240412-en
behavioral7: CERTIFICATE.dll, win7-20240221-en
behavioral8: CERTIFICATE.dll, win10v2004-20240412-en
behavioral9: CERTIFICATE.dll, win7-20240215-en
behavioral10: CERTIFICATE.dll, win10v2004-20240226-en
behavioral11: CERTIFICATE.dll, win7-20240221-en
behavioral12: CERTIFICATE.dll, win10v2004-20240412-en
behavioral13: CERTIFICATE.dll, win7-20240221-en
behavioral14: CERTIFICATE.dll, win10v2004-20240412-en
behavioral15: CERTIFICATE.dll, win7-20231129-en
behavioral16: CERTIFICATE.dll, win10v2004-20240412-en
behavioral17: CERTIFICATE.dll, win7-20240215-en
behavioral18: CERTIFICATE.dll, win10v2004-20240226-en
behavioral19: CERTIFICATE.dll, win7-20240221-en
General
Target: CERTIFICATE.dll
Size: 101KB
MD5: fcfa69cbc689304e055d5705ed7692a1
SHA1: 983815092026b81b125e85e02c6e019ef6349ecc
SHA256: 4ee20558b9da83776f563619de8002838d49b21412f40ff74391292c411a83a9
SHA512: 51c0b2eb5bc1da32b3aa0b310df6d4f08e6a3e8b3f195ead6a9dc3011042a0c92f05c5163e99084488228ed05ca4f62f51b658f591269a42682be1c6ad6af33e
SSDEEP: 3072:rwZ2QNI3VGVilUVjz764/9xjEEUQqbZuwI5RG:VVGg2x9tjUpZuwIrG
Signatures

Gh0st RAT payload (1 IoC)
resource \??\c:\windows\filename.jpg matched yara_rule family_gh0strat

Loads dropped DLL (1 IoC)
pid 4416 svchost.exe

Drops file in Windows directory (2 IoCs)
File created: C:\Windows\FileName.jpg (rundll32.exe)
File opened for modification: C:\Windows\FileName.jpg (rundll32.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid 4416 svchost.exe (the same event recorded 64 times)

Suspicious use of AdjustPrivilegeToken (8 IoCs)
Token SeBackupPrivilege: pid 4344 rundll32.exe
Token SeRestorePrivilege: pid 4344 rundll32.exe
(this SeBackupPrivilege/SeRestorePrivilege pair is recorded four times, 8 events in total)

Suspicious use of WriteProcessMemory (3 IoCs)
PID 4844 rundll32.exe wrote to memory of 4344 rundll32.exe (recorded 3 times)
Processes (indentation shows the parent/child relationship)
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\CERTIFICATE.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\CERTIFICATE.dll,#1
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\svchost.exe
  command line: C:\Windows\SysWOW64\svchost.exe -k imgsvc
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4156 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
Downloads
\??\c:\windows\filename.jpg
Filesize: 12.1MB
MD5: 83026bada5b70aa02a7b4ed10b6c85b3
SHA1: b1cdd546d196d7d9fe4bb86e54d902888abdac47
SHA256: e27b37255a201f7249a66ce71502456603dbb8e9d2252ea19e2169b8290b6f0a
SHA512: 679bcb94d33cf5fa3c8d739cc5b481b94e8ebfda7b624d483bdd176d1e14637edaae005fe5b45f77320ae5da3309a9beaf70ccd9eb97408731999eb8f4cd80e3