Analysis

  • max time kernel
    124s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-06-2024 16:47

General

  • Target

    9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe

  • Size

    838KB

  • MD5

    9edd0f7c7b63ad8b06e76d577cac71f6

  • SHA1

    598c141d36be2079de2b6400312c1fbab7a4f016

  • SHA256

    337b2a2898f89d83eb9810385b6113b722dc71c9e7192876116ae9cf66797d22

  • SHA512

    bf3ab38c6a78507438e8ef26e793fd3bbc2482a865d6d03181f5a884e9351607c89d1af84ecdee1b3910f73f66ebeaf62289a213e55954d9b2b6ea5254184a39

  • SSDEEP

    24576:wlxVBLnjH2ghBSV6V2/QYOc4/5oETPq7vx:wll72vKT/5tTCrx

Score
10/10

Signatures

  • Gh0st RAT payload 2 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects files protected with the ACProtect packer.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1968
    • C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe
      C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2016
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
          PID:2600
      • C:\Windows\SysWOW64\cacls.exe
        cacls C:\Windows\Fonts\*.exe /e /d system
        2⤵
          PID:2664

Downloads

  • C:\Windows\Microsoft.NET\Framework\ETComm_New.dll

    Filesize
    328KB

    MD5
    5a8088a81ca60f7d6b52dafef8106352

    SHA1
    91038034b8a3087d2b3b03c4240c1a84c1e6fd4e

    SHA256
    a558403de957fb3ce765f5fab272db6d65b443ddfdc233ff1269dbe996a666dd

    SHA512
    de4818b3221d16b062a0662313d86ceaa36312db0b99f7c4ceec496d3aaf2c89943182b590875185a410f97e272660660df6684a53717225ef2c5cbb49abd624

  • \Windows\Microsoft.NET\Framework\ETComm.dll

    Filesize
    328KB

    MD5
    88d73a37ae35e3b049b908e7b28a5c39

    SHA1
    2713a4bd792d0cb4afd6e3b43c7cfc2587989048

    SHA256
    a81f235483560d11f871351771f862cd52f1ab097a84e37163fb876ff5814f39

    SHA512
    3d947b28c15b930c9e7212e2dfed2a73fbd6139b5f52020b60735a3fc8f4f1d82e5a0b41a7ce78839e48698437cf07c1485ef61605e461a3768250d71b233da5

  • \Windows\Microsoft.NET\Framework\aspnet_wp.exe

    Filesize
    217KB

    MD5
    962026a01cc9c058822bfa108393eaaf

    SHA1
    bdc766094cc240782e10a0dfec8d420f3420d42c

    SHA256
    48d8d3a80cd1ebc5fa2402a9e7c77fdb74782dd8d3d5291787266ab289f1a82b

    SHA512
    f03986b1b3a0609f7ca999e07f58b6dc0504c767b5b98c60186c8c1f0f5b56b87207d5b8c165a2e103e803ccf32193e848c75875231dd94237d1501862e18e93

  • memory/1968-39-0x0000000000400000-0x00000000005D3000-memory.dmp

    Filesize
    1.8MB

  • memory/1968-0-0x0000000000400000-0x00000000005D3000-memory.dmp

    Filesize
    1.8MB

  • memory/1968-38-0x0000000000400000-0x00000000005D3000-memory.dmp

    Filesize
    1.8MB

  • memory/2016-14-0x0000000010000000-0x00000000100EB000-memory.dmp

    Filesize
    940KB

  • memory/2016-37-0x0000000010000000-0x00000000100EB000-memory.dmp

    Filesize
    940KB

  • memory/2600-36-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize
    36KB

  • memory/2600-22-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize
    36KB

  • memory/2600-19-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize
    36KB

  • memory/2600-17-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize
    36KB

  • memory/2600-26-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize
    36KB

  • memory/2600-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize
    4KB

  • memory/2600-15-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize
    36KB
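The Processes tree and the Downloads list above carry enough to write host-side detection logic. The script below is an added example; it is not sandbox output and not part of the sample. It runs constructed Sysmon-style events that mirror the report's process tree and drops (the event shape, the field names "image", "cmdline", "target" and "sha256", and the attribution of every file write to PID 1968 are assumptions of this example), and flags the behaviours the report records: PE files written straight into the Framework root rather than a versioned subdirectory (a heuristic assumed here, not something the report states), execution of a dropped executable, svchost.exe spawned by that dropped executable, the cacls command that denies SYSTEM access to executables under C:\Windows\Fonts, and matches against the SHA256 values listed in the report.

```python
"""Triage helpers built from the IoCs in the report above (added example)."""
import re
from typing import Dict, List, Optional

# SHA256 values copied from the General and Downloads sections of the report.
IOC_SHA256 = {
    "337b2a2898f89d83eb9810385b6113b722dc71c9e7192876116ae9cf66797d22": "dropper (9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe)",
    "48d8d3a80cd1ebc5fa2402a9e7c77fdb74782dd8d3d5291787266ab289f1a82b": "dropped aspnet_wp.exe",
    "a81f235483560d11f871351771f862cd52f1ab097a84e37163fb876ff5814f39": "dropped ETComm.dll",
    "a558403de957fb3ce765f5fab272db6d65b443ddfdc233ff1269dbe996a666dd": "dropped ETComm_New.dll",
}

FRAMEWORK_ROOT = r"c:\windows\microsoft.net\framework"
# Heuristic (assumption of this example): .NET binaries normally sit under a
# versioned subdirectory such as v4.0.30319\; a PE dropped into the root is odd.
VERSIONED_SUBDIR = re.compile(re.escape(FRAMEWORK_ROOT) + r"\\v\d[^\\]*\\", re.I)
PE_EXT = (".exe", ".dll")

# cacls <path> /e /d system   (edit ACL, add deny for SYSTEM)  or  icacls ... /deny system:...
FONTS_DENY_SYSTEM = re.compile(
    r"\b(?:cacls|icacls)\b.*\\fonts\\.*(?:/d\s+system\b|/deny\s+system\b)", re.I)


def match_sha256(digest: str) -> Optional[str]:
    """Return the report label for a known hash, else None."""
    return IOC_SHA256.get(digest.lower())


def pe_dropped_in_framework_root(path: str) -> bool:
    """True for an .exe/.dll written directly under the Framework root."""
    p = path.lower()
    return (p.endswith(PE_EXT) and p.startswith(FRAMEWORK_ROOT + "\\")
            and not VERSIONED_SUBDIR.match(p))


def is_fonts_acl_tamper(cmdline: str) -> bool:
    """True when cacls/icacls is used to deny SYSTEM on files under Fonts."""
    return bool(FONTS_DENY_SYSTEM.search(cmdline))


def triage(events: List[Dict]) -> List[str]:
    """Walk Sysmon-like events in order and return human-readable findings."""
    findings: List[str] = []
    images: Dict[int, str] = {}      # pid -> lower-cased image path
    dropped_exes = set()             # executables seen being written by another process
    for ev in events:
        if ev["event"] == "FileCreate":
            target = ev["target"]
            if pe_dropped_in_framework_root(target):
                findings.append(f"PE written into Framework root: {target} by pid {ev['pid']}")
                if target.lower().endswith(".exe"):
                    dropped_exes.add(target.lower())
            label = match_sha256(ev.get("sha256", ""))
            if label:
                findings.append(f"known IoC hash on {target}: {label}")
        elif ev["event"] == "ProcessCreate":
            image = ev["image"].lower()
            images[ev["pid"]] = image
            label = match_sha256(ev.get("sha256", ""))
            if label:
                findings.append(f"known IoC hash executed as pid {ev['pid']}: {label}")
            if image in dropped_exes:
                findings.append(f"dropped executable launched: {ev['image']} (pid {ev['pid']})")
            parent = images.get(ev["ppid"])
            if parent in dropped_exes and image.endswith("\\svchost.exe"):
                findings.append(f"svchost.exe (pid {ev['pid']}) spawned by dropped {parent}")
            if is_fonts_acl_tamper(ev["cmdline"]):
                findings.append(f"ACL tamper on Fonts executables: {ev['cmdline']}")
    return findings


# Constructed events mirroring the report's tree; PIDs and paths are the report's,
# the ordering, parent of PID 1968 and the writing PID are assumptions.
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "pid": 1968, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe"',
     "sha256": "337b2a2898f89d83eb9810385b6113b722dc71c9e7192876116ae9cf66797d22"},
    {"event": "FileCreate", "pid": 1968, "target": r"C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe",
     "sha256": "48d8d3a80cd1ebc5fa2402a9e7c77fdb74782dd8d3d5291787266ab289f1a82b"},
    {"event": "FileCreate", "pid": 1968, "target": r"C:\Windows\Microsoft.NET\Framework\ETComm.dll",
     "sha256": "a81f235483560d11f871351771f862cd52f1ab097a84e37163fb876ff5814f39"},
    {"event": "ProcessCreate", "pid": 2016, "ppid": 1968,
     "image": r"C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe",
     "sha256": "48d8d3a80cd1ebc5fa2402a9e7c77fdb74782dd8d3d5291787266ab289f1a82b"},
    {"event": "ProcessCreate", "pid": 2600, "ppid": 2016,
     "image": r"C:\Windows\SysWOW64\svchost.exe", "cmdline": r"C:\Windows\system32\svchost.exe"},
    {"event": "ProcessCreate", "pid": 2664, "ppid": 2016,
     "image": r"C:\Windows\SysWOW64\cacls.exe", "cmdline": r"cacls C:\Windows\Fonts\*.exe /e /d system"},
    # Benign control: a write under a versioned subdirectory must not fire.
    {"event": "FileCreate", "pid": 4, "target": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

On the cacls line: /e edits the existing ACL instead of replacing it, and /d system adds a deny entry for SYSTEM, so the command strips SYSTEM's access to every .exe in the Fonts directory while leaving other permissions intact; the regex keys on that intent (deny plus the Fonts path) rather than the exact string, so an icacls /deny variant is caught too. The SetThreadContext/WriteProcessMemory pair attributed to PID 2016 is visible here only because the sandbox hooks those APIs; reproducing that signal on a host needs a telemetry source that records cross-process writes, which this example does not model. The two DLLs land in the same directory as the dropped aspnet_wp.exe, which is the first location searched when that executable resolves a DLL by name; the report itself does not say what aspnet_wp.exe loads.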