Analysis

  • max time kernel
    67s
  • max time network
    55s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/04/2024, 09:15

General

  • Target

    04dbbb89d97f1ca868da34f01f56f6eb_JaffaCakes118.exe

  • Size

    23.9MB

  • MD5

    04dbbb89d97f1ca868da34f01f56f6eb

  • SHA1

    949b48fa19e4cb6244977a8d6ddbdf3a1296d10f

  • SHA256

    bde30e142c6fe2ad822f4d9f5fe1be1977789b5fef120314ff7c88f59bf98970

  • SHA512

    4ee350dcd334b773edf6b222515b78b60cac99384e464645460e188e3668b74e85d42804f48ebb918ca90779de7b4b5066f3d49a362fcfdf59a58dbc7ed0265d

  • SSDEEP

    6144:Gw0avOvtYSiod4uYzqAvZd/246UvmZIxs2:LvGvViG4HOKZde9m

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 4 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops file in System32 directory 6 IoCs
  • Program crash 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\04dbbb89d97f1ca868da34f01f56f6eb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\04dbbb89d97f1ca868da34f01f56f6eb_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:780
    • \??\c:\users\admin\appdata\local\ecbctletis
      "C:\Users\Admin\AppData\Local\Temp\04dbbb89d97f1ca868da34f01f56f6eb_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\04dbbb89d97f1ca868da34f01f56f6eb_jaffacakes118.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:64
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    PID:884
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 856
      2⤵
      • Program crash
      PID:4452
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 884 -ip 884
    1⤵
      PID:2724
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
      1⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      PID:4016
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 1096
        2⤵
        • Program crash
        PID:5016
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4016 -ip 4016
      1⤵
        PID:4056
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
        1⤵
        • Loads dropped DLL
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        PID:1664
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 836
          2⤵
          • Program crash
          PID:2900
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1664 -ip 1664
        1⤵
          PID:2044

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Local\ecbctletis

    Filesize

    23.9MB

    MD5

    5dd6cb0039f0734ef3c4ccb9fdcee50a

    SHA1

    445d288057fef03a8ed8d6701363243c61999f5d

    SHA256

    ce6621418e2b44f88fa00cb9edd08722b8679d34eaadcb3ab1110344bbc08370

    SHA512

    98276028a10f9d4f8083db7bf9778c8b778a12ec930a1ba39a03a9a6a502f1d80d7dbce20a15c291ff6413c4be72908d9774e18ed70b380885090fa444633fc1

  • C:\Windows\SysWOW64\svchost.exe.txt

    Filesize

    202B

    MD5

    74831eab775b1499a8be658e38abf60b

    SHA1

    4a7e2621d29354c8217c334cad8b62d228d96e2c

    SHA256

    51b62dc0d0d9e5d6856678d1924b83f9afd5b6dcccfe78ced19ef8272daf51af

    SHA512

    10bdd6887c0ec1ce71cc1d75b6feda0099319498ed1bf0e18cd06215f58fdf10cfdc1dc5dd2d3f795d4c6ea3c53ed8d4cf4200eaa102d0d2fd8cecda9b398277

  • C:\Windows\SysWOW64\svchost.exe.txt

    Filesize

    303B

    MD5

    fe741ecaea2676a73579c00942ab9465

    SHA1

    2c607cf38427cbd32cd4bee4934a3b61575f1156

    SHA256

    8e6034255454c53e18710251d6c22ba66c651be934890e045ea1693008fd09e8

    SHA512

    11eebb0072beba425195976d1b1d1af35c94c1b48ee331d014686edb87625dbca571a7d6872fa8414ec1e638d5dc98e1aff19b2176ac1745c7d2df0a51f9890c

  • \??\c:\programdata\application data\storm\update\%sessionname%\blmds.cc3

    Filesize

    23.1MB

    MD5

    8980590c4f30c62b717b508bf5d9ca5d

    SHA1

    2f13908f8c7ed802b74f5e30e562c862eb1cbaef

    SHA256

    1d854cf3c7e67b8e0ade89349d75a40983ac9cba722ce1255dbf653ed61b59ee

    SHA512

    259b72e99819a6743bdefaa9542f0512f6218bea61694bf18b8e843d14afdbe79d12b46f2c9aedf969f7956070725e8bfb1a031517a619ea8fabfe3af4748161

  • memory/884-9-0x0000000001EE0000-0x0000000001EE1000-memory.dmp

    Filesize

    4KB

  • memory/884-11-0x0000000020000000-0x0000000020027000-memory.dmp

    Filesize

    156KB

  • memory/1664-18-0x0000000001A00000-0x0000000001A01000-memory.dmp

    Filesize

    4KB

  • memory/1664-21-0x0000000020000000-0x0000000020027000-memory.dmp

    Filesize

    156KB

  • memory/4016-13-0x0000000002200000-0x0000000002201000-memory.dmp

    Filesize

    4KB

  • memory/4016-16-0x0000000020000000-0x0000000020027000-memory.dmp

    Filesize

    156KB