Analysis
  max time kernel: 67s
  max time network: 55s
  platform: windows10-2004_x64
  resource: win10v2004-20240419-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 28/04/2024, 09:15
  Static task: static1
  Behavioral task: behavioral1
  Sample: 04dbbb89d97f1ca868da34f01f56f6eb_JaffaCakes118.exe
  Resource: win7-20240221-en

General
  Target: 04dbbb89d97f1ca868da34f01f56f6eb_JaffaCakes118.exe
  Size: 23.9MB
  MD5: 04dbbb89d97f1ca868da34f01f56f6eb
  SHA1: 949b48fa19e4cb6244977a8d6ddbdf3a1296d10f
  SHA256: bde30e142c6fe2ad822f4d9f5fe1be1977789b5fef120314ff7c88f59bf98970
  SHA512: 4ee350dcd334b773edf6b222515b78b60cac99384e464645460e188e3668b74e85d42804f48ebb918ca90779de7b4b5066f3d49a362fcfdf59a58dbc7ed0265d
  SSDEEP: 6144:Gw0avOvtYSiod4uYzqAvZd/246UvmZIxs2:LvGvViG4HOKZde9m
Signatures

Gh0st RAT payload (4 IoCs)
  resource                                                                    yara_rule
  behavioral2/files/0x000b000000023ba7-7.dat                                  family_gh0strat
  behavioral2/memory/884-11-0x0000000020000000-0x0000000020027000-memory.dmp  family_gh0strat
  behavioral2/memory/4016-16-0x0000000020000000-0x0000000020027000-memory.dmp family_gh0strat
  behavioral2/memory/1664-21-0x0000000020000000-0x0000000020027000-memory.dmp family_gh0strat

Deletes itself (1 IoC)
  pid  Process
  64   ecbctletis

Executes dropped EXE (1 IoC)
  pid  Process
  64   ecbctletis

Loads dropped DLL (3 IoCs)
  pid   Process
  884   svchost.exe
  4016  svchost.exe
  1664  svchost.exe

Drops file in System32 directory (6 IoCs)
  description                   ioc                                    Process
  File opened for modification  C:\Windows\SysWOW64\svchost.exe.txt    svchost.exe
  File created                  C:\Windows\SysWOW64\nilehdmxid         svchost.exe
  File opened for modification  C:\Windows\SysWOW64\svchost.exe.txt    svchost.exe
  File created                  C:\Windows\SysWOW64\naxkaakavh         svchost.exe
  File opened for modification  C:\Windows\SysWOW64\svchost.exe.txt    svchost.exe
  File created                  C:\Windows\SysWOW64\naxkaakavh         svchost.exe

Program crash (3 IoCs)
  pid   pid_target  Process       procid_target
  4452  884         WerFault.exe  87
  5016  4016        WerFault.exe  91
  2900  1664        WerFault.exe  94

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid  Process
  64   ecbctletis
  64   ecbctletis

Suspicious use of AdjustPrivilegeToken (46 IoCs)
  description                 pid   Process
  Token: SeRestorePrivilege   64    ecbctletis
  Token: SeBackupPrivilege    64    ecbctletis
  Token: SeBackupPrivilege    64    ecbctletis
  Token: SeRestorePrivilege   64    ecbctletis
  Token: SeBackupPrivilege    884   svchost.exe
  Token: SeRestorePrivilege   884   svchost.exe
  Token: SeBackupPrivilege    884   svchost.exe
  Token: SeBackupPrivilege    884   svchost.exe
  Token: SeSecurityPrivilege  884   svchost.exe
  Token: SeSecurityPrivilege  884   svchost.exe
  Token: SeBackupPrivilege    884   svchost.exe
  Token: SeBackupPrivilege    884   svchost.exe
  Token: SeSecurityPrivilege  884   svchost.exe
  Token: SeBackupPrivilege    884   svchost.exe
  Token: SeBackupPrivilege    884   svchost.exe
  Token: SeSecurityPrivilege  884   svchost.exe
  Token: SeBackupPrivilege    884   svchost.exe
  Token: SeRestorePrivilege   884   svchost.exe
  Token: SeBackupPrivilege    4016  svchost.exe
  Token: SeRestorePrivilege   4016  svchost.exe
  Token: SeBackupPrivilege    4016  svchost.exe
  Token: SeBackupPrivilege    4016  svchost.exe
  Token: SeSecurityPrivilege  4016  svchost.exe
  Token: SeSecurityPrivilege  4016  svchost.exe
  Token: SeBackupPrivilege    4016  svchost.exe
  Token: SeBackupPrivilege    4016  svchost.exe
  Token: SeSecurityPrivilege  4016  svchost.exe
  Token: SeBackupPrivilege    4016  svchost.exe
  Token: SeBackupPrivilege    4016  svchost.exe
  Token: SeSecurityPrivilege  4016  svchost.exe
  Token: SeBackupPrivilege    4016  svchost.exe
  Token: SeRestorePrivilege   4016  svchost.exe
  Token: SeBackupPrivilege    1664  svchost.exe
  Token: SeRestorePrivilege   1664  svchost.exe
  Token: SeBackupPrivilege    1664  svchost.exe
  Token: SeBackupPrivilege    1664  svchost.exe
  Token: SeSecurityPrivilege  1664  svchost.exe
  Token: SeSecurityPrivilege  1664  svchost.exe
  Token: SeBackupPrivilege    1664  svchost.exe
  Token: SeBackupPrivilege    1664  svchost.exe
  Token: SeSecurityPrivilege  1664  svchost.exe
  Token: SeBackupPrivilege    1664  svchost.exe
  Token: SeBackupPrivilege    1664  svchost.exe
  Token: SeSecurityPrivilege  1664  svchost.exe
  Token: SeBackupPrivilege    1664  svchost.exe
  Token: SeRestorePrivilege   1664  svchost.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                     pid  Process                                             procid_target
  PID 780 wrote to memory of 64   780  04dbbb89d97f1ca868da34f01f56f6eb_JaffaCakes118.exe  86
  PID 780 wrote to memory of 64   780  04dbbb89d97f1ca868da34f01f56f6eb_JaffaCakes118.exe  86
  PID 780 wrote to memory of 64   780  04dbbb89d97f1ca868da34f01f56f6eb_JaffaCakes118.exe  86
Processes

C:\Users\Admin\AppData\Local\Temp\04dbbb89d97f1ca868da34f01f56f6eb_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\04dbbb89d97f1ca868da34f01f56f6eb_JaffaCakes118.exe"
  PID: 780
  - Suspicious use of WriteProcessMemory
    \??\c:\users\admin\appdata\local\ecbctletis
      command line: "C:\Users\Admin\AppData\Local\Temp\04dbbb89d97f1ca868da34f01f56f6eb_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\04dbbb89d97f1ca868da34f01f56f6eb_jaffacakes118.exe
      PID: 64
      - Deletes itself
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\svchost.exe
  command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
  PID: 884
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 856
      PID: 4452
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 884 -ip 884
  PID: 2724

C:\Windows\SysWOW64\svchost.exe
  command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
  PID: 4016
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 1096
      PID: 5016
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4016 -ip 4016
  PID: 4056

C:\Windows\SysWOW64\svchost.exe
  command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
  PID: 1664
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 836
      PID: 2900
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1664 -ip 1664
  PID: 2044
Downloads