Analysis
max time kernel: 124s
max time network: 124s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 11-06-2024 16:47
Behavioral task: behavioral1
Sample: 9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe
Resource: win7-20240419-en
General
Target: 9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe
Size: 838KB
MD5: 9edd0f7c7b63ad8b06e76d577cac71f6
SHA1: 598c141d36be2079de2b6400312c1fbab7a4f016
SHA256: 337b2a2898f89d83eb9810385b6113b722dc71c9e7192876116ae9cf66797d22
SHA512: bf3ab38c6a78507438e8ef26e793fd3bbc2482a865d6d03181f5a884e9351607c89d1af84ecdee1b3910f73f66ebeaf62289a213e55954d9b2b6ea5254184a39
SSDEEP: 24576:wlxVBLnjH2ghBSV6V2/QYOc4/5oETPq7vx:wll72vKT/5tTCrx
Malware Config
Signatures
Gh0st RAT payload (2 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/1968-38-0x0000000000400000-0x00000000005D3000-memory.dmp  family_gh0strat
  behavioral1/memory/1968-39-0x0000000000400000-0x00000000005D3000-memory.dmp  family_gh0strat
ACProtect 1.3x - 1.4x DLL software (2 IoCs)
Detects file using ACProtect software.
  resource                                           yara_rule
  \Windows\Microsoft.NET\Framework\ETComm.dll        acprotect
  C:\Windows\Microsoft.NET\Framework\ETComm_New.dll  acprotect
Executes dropped EXE (1 IoC)
  pid   process
  2016  aspnet_wp.exe
Loads dropped DLL (2 IoCs)
  pid   process
  1968  9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe
  2016  aspnet_wp.exe
UPX packer (yara rule upx; 7 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/1968-0-0x0000000000400000-0x00000000005D3000-memory.dmp   upx
  \Windows\Microsoft.NET\Framework\ETComm.dll                                  upx
  C:\Windows\Microsoft.NET\Framework\ETComm_New.dll                            upx
  behavioral1/memory/2016-37-0x0000000010000000-0x00000000100EB000-memory.dmp  upx
  behavioral1/memory/2016-14-0x0000000010000000-0x00000000100EB000-memory.dmp  upx
  behavioral1/memory/1968-38-0x0000000000400000-0x00000000005D3000-memory.dmp  upx
  behavioral1/memory/1968-39-0x0000000000400000-0x00000000005D3000-memory.dmp  upx
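The two yara tables above name memory dumps of the form `<task>/memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp`. Read that way, the `family_gh0strat` hits fall in the same 0x400000-0x5D3000 region of PID 1968 that matched only `upx` at dump 0, which is what in-place unpacking looks like. The Python below is an added example, not part of the sandbox report or its tooling: it parses that naming convention (the field layout is an assumption read off the dump names, not documented on the page), groups the hits by region and reports regions where a family rule first fires at a later dump than the packer rule. The hit list is constructed from the two tables above.

```python
import re
from collections import defaultdict

# Apparent naming convention of the sandbox's memory dumps. This layout is an
# assumption read off the report's dump names, not documented on the page:
#   <task>/memory/<pid>-<dump index>-0x<region start>-0x<region end>-memory.dmp
DUMP_RE = re.compile(
    r"^(?P<task>[^/]+)/memory/(?P<pid>\d+)-(?P<idx>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Constructed input: the (dump, yara rule) pairs from the report's
# "Gh0st RAT payload" and "upx" signature tables.
YARA_HITS = [
    ("behavioral1/memory/1968-0-0x0000000000400000-0x00000000005D3000-memory.dmp", "upx"),
    ("behavioral1/memory/1968-38-0x0000000000400000-0x00000000005D3000-memory.dmp", "upx"),
    ("behavioral1/memory/1968-38-0x0000000000400000-0x00000000005D3000-memory.dmp", "family_gh0strat"),
    ("behavioral1/memory/1968-39-0x0000000000400000-0x00000000005D3000-memory.dmp", "upx"),
    ("behavioral1/memory/1968-39-0x0000000000400000-0x00000000005D3000-memory.dmp", "family_gh0strat"),
    ("behavioral1/memory/2016-14-0x0000000010000000-0x00000000100EB000-memory.dmp", "upx"),
    ("behavioral1/memory/2016-37-0x0000000010000000-0x00000000100EB000-memory.dmp", "upx"),
]


def parse_dump_name(name):
    """Split a dump path into its fields; addresses are returned as ints."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted region in {name!r}")
    return {
        "task": m["task"],
        "pid": int(m["pid"]),
        "index": int(m["idx"]),
        "start": start,
        "end": end,
        "size": end - start,
    }


def regions_by_rule(hits):
    """Map (pid, start, end) -> {rule: [dump indices where it fired, ascending]}."""
    regions = defaultdict(lambda: defaultdict(set))
    for name, rule in hits:
        d = parse_dump_name(name)
        regions[(d["pid"], d["start"], d["end"])][rule].add(d["index"])
    return {
        region: {rule: sorted(idxs) for rule, idxs in rules.items()}
        for region, rules in regions.items()
    }


def unpacked_payload_regions(hits, packer_rule="upx"):
    """Regions where a non-packer rule first fires at a later dump than the
    packer rule: the same mapping matched only the packer early on and the
    family signature afterwards, i.e. the payload was unpacked in place."""
    found = []
    for region, rules in regions_by_rule(hits).items():
        if packer_rule not in rules:
            continue
        first_packed = rules[packer_rule][0]
        for rule, idxs in rules.items():
            if rule != packer_rule and idxs[0] > first_packed:
                found.append((region, rule, idxs[0]))
    return sorted(found)


if __name__ == "__main__":
    for (pid, start, end), rules in sorted(regions_by_rule(YARA_HITS).items()):
        print(f"pid {pid} 0x{start:08X}-0x{end:08X} ({end - start:#x} bytes): {rules}")
    for (pid, start, _), rule, idx in unpacked_payload_regions(YARA_HITS):
        print(f"pid {pid} region 0x{start:X}: {rule} first fires at dump {idx}, after the packer rule")
```

For this sample the only region reported is PID 1968 at 0x400000 (size 0x1D3000), where `family_gh0strat` first fires at dump 38; the 0x10000000 region of PID 2016 only ever matches `upx`, so nothing is claimed about it.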
Suspicious use of SetThreadContext (1 IoC)
  description                          pid   process        target process
  PID 2016 set thread context of 2600  2016  aspnet_wp.exe  svchost.exe
Drops file in Windows directory (9 IoCs)
  description                   ioc                                                 process
  File created                  C:\Windows\Microsoft.NET\Framework\ETComm_New.dll   aspnet_wp.exe
  File created                  C:\Windows\Microsoft.NET\Framework\mscorsvws.exe    9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe
  File created                  C:\Windows\Microsoft.NET\Framework\ETComm.dll       9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe    9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework\ETComm.dll       9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe
  File created                  C:\Windows\MpMgSvc.dll                              9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework\ETComm.dll       aspnet_wp.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework\mscorsvws.exe    9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe
  File created                  C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe    9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe
Note that the aspnet_wp.exe executed here is the sample's own copy, written directly into the Framework root. The genuine ASP.NET worker process lives in a versioned subdirectory (for example C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe), so the path alone is anomalous.
Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   process
  2016  aspnet_wp.exe
  2016  aspnet_wp.exe
  1968  9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken (36 IoCs)
  description                      pid   process
  Token: SeRestorePrivilege        1968  9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe
  Token: SeBackupPrivilege         1968  9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe
  Token: SeSecurityPrivilege       1968  9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe
  Token: SeTakeOwnershipPrivilege  1968  9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe
  (the same four privileges are enabled in this order nine times over, 36 events in total)
SeBackupPrivilege and SeRestorePrivilege bypass file ACLs for reading and writing respectively, and SeTakeOwnershipPrivilege lets the holder take ownership of any securable object; together they are what a process needs to plant and overwrite files under C:\Windows regardless of their ACLs, which matches the file drops listed above.
Suspicious use of SetWindowsHookEx (3 IoCs)
  pid   process
  1968  9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe
  1968  9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe
  2016  aspnet_wp.exe
Suspicious use of WriteProcessMemory (18 IoCs)
  description                       pid   process                                              target process  count
  PID 1968 wrote to memory of 2016  1968  9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe  aspnet_wp.exe   4
  PID 2016 wrote to memory of 2600  2016  aspnet_wp.exe                                        svchost.exe     10
  PID 1968 wrote to memory of 2664  1968  9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe  cacls.exe       4
The ten writes from 2016 into 2600, together with the SetThreadContext call from 2016 on 2600 listed above, are consistent with process hollowing into a freshly started svchost.exe; the writes into cacls.exe have no matching thread-context change.
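The WriteProcessMemory and SetThreadContext tables above describe a chain 1968 -> 2016 -> 2600 in which only the last hop also carries a SetThreadContext call. Writes plus a thread-context change on the same target is the shape of process hollowing; a parent that only writes into a child (1968 -> 2664, cacls.exe) is not. The Python below is an added example, not code from the sandbox or its report: it parses records in the layout shown on this page (one record per line; the constructed sample keeps fewer repetitions than the report), reconstructs every injection chain from a root PID and lists the hollowing candidates.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of the report's "Suspicious use of
# WriteProcessMemory" and "Suspicious use of SetThreadContext" records, one per
# line (the page runs them together on a single line). Repetition counts are
# reduced compared with the report.
SAMPLE_RECORDS = """\
PID 1968 wrote to memory of 2016 1968 9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe aspnet_wp.exe
PID 1968 wrote to memory of 2016 1968 9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe aspnet_wp.exe
PID 2016 wrote to memory of 2600 2016 aspnet_wp.exe svchost.exe
PID 2016 wrote to memory of 2600 2016 aspnet_wp.exe svchost.exe
PID 2016 wrote to memory of 2600 2016 aspnet_wp.exe svchost.exe
PID 2016 set thread context of 2600 2016 aspnet_wp.exe svchost.exe
PID 1968 wrote to memory of 2664 1968 9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe cacls.exe
"""

# "PID <src> <action> <dst> <src again> <src image> <dst image>"; the
# backreference enforces that the repeated pid really is the source pid.
RECORD_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) (?P<dst>\d+) "
    r"(?P=src) (?P<src_image>\S+) (?P<dst_image>\S+)$"
)


def parse_records(text):
    """Turn the textual records into event dicts; unknown lines are an error
    rather than silently skipped, so a layout change is noticed."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RECORD_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised record: {line!r}")
        events.append({
            "src": int(m["src"]),
            "dst": int(m["dst"]),
            "kind": "write" if m["action"].startswith("wrote") else "ctx",
            "src_image": m["src_image"],
            "dst_image": m["dst_image"],
        })
    return events


def injection_chains(events, root):
    """Every path of cross-process memory writes that starts at `root`, as lists
    of pids; `seen` guards against cycles in the write graph."""
    writes_to = defaultdict(set)
    for e in events:
        if e["kind"] == "write":
            writes_to[e["src"]].add(e["dst"])
    chains = []

    def walk(pid, path, seen):
        children = sorted(writes_to[pid] - seen)
        if not children:
            chains.append(path)
            return
        for child in children:
            walk(child, path + [child], seen | {child})

    walk(root, [root], {root})
    return chains


def hollowing_candidates(events):
    """Targets that received WriteProcessMemory *and* SetThreadContext from the
    same source. That pairing is the process-hollowing shape (start suspended,
    overwrite the image, point the thread at the new entry, resume). A parent
    that only writes into a child, like the cacls.exe case, does not qualify."""
    writes = Counter((e["src"], e["dst"]) for e in events if e["kind"] == "write")
    ctx_pairs = {(e["src"], e["dst"]) for e in events if e["kind"] == "ctx"}
    image_of = {}
    for e in events:
        image_of[e["src"]] = e["src_image"]
        image_of[e["dst"]] = e["dst_image"]
    return [
        {"writer": s, "writer_image": image_of[s], "target": t,
         "target_image": image_of[t], "writes": writes[(s, t)]}
        for (s, t) in sorted(ctx_pairs) if writes[(s, t)]
    ]


if __name__ == "__main__":
    evts = parse_records(SAMPLE_RECORDS)
    for chain in injection_chains(evts, 1968):
        print(" -> ".join(str(p) for p in chain))
    for c in hollowing_candidates(evts):
        print(f"hollowing candidate: {c['writer']} ({c['writer_image']}) -> "
              f"{c['target']} ({c['target_image']}), {c['writes']} write(s)")
```

On the sample input the chains come out as 1968 -> 2016 -> 2600 and 1968 -> 2664, and the only hollowing candidate is PID 2600 (svchost.exe) written by PID 2016 (aspnet_wp.exe).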
Processes
- C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe (level 1, PID 1968)
  command line: "C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe (level 2, PID 2016)
    command line: C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe (level 3, PID 2600)
      command line: C:\Windows\system32\svchost.exe
      (no signatures of its own; it is the target of the WriteProcessMemory and SetThreadContext events from PID 2016. The command line names system32 while the image path is SysWOW64: the 32-bit parent's path is redirected by WoW64 file system redirection on x64 Windows.)
  - C:\Windows\SysWOW64\cacls.exe (level 2, PID 2664)
    command line: cacls C:\Windows\Fonts\*.exe /e /d system
    (edits, rather than replaces, the ACL of every .exe under C:\Windows\Fonts and adds a deny entry for the SYSTEM account)
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 328KB
  MD5: 5a8088a81ca60f7d6b52dafef8106352
  SHA1: 91038034b8a3087d2b3b03c4240c1a84c1e6fd4e
  SHA256: a558403de957fb3ce765f5fab272db6d65b443ddfdc233ff1269dbe996a666dd
  SHA512: de4818b3221d16b062a0662313d86ceaa36312db0b99f7c4ceec496d3aaf2c89943182b590875185a410f97e272660660df6684a53717225ef2c5cbb49abd624
- Filesize: 328KB
  MD5: 88d73a37ae35e3b049b908e7b28a5c39
  SHA1: 2713a4bd792d0cb4afd6e3b43c7cfc2587989048
  SHA256: a81f235483560d11f871351771f862cd52f1ab097a84e37163fb876ff5814f39
  SHA512: 3d947b28c15b930c9e7212e2dfed2a73fbd6139b5f52020b60735a3fc8f4f1d82e5a0b41a7ce78839e48698437cf07c1485ef61605e461a3768250d71b233da5
- Filesize: 217KB
  MD5: 962026a01cc9c058822bfa108393eaaf
  SHA1: bdc766094cc240782e10a0dfec8d420f3420d42c
  SHA256: 48d8d3a80cd1ebc5fa2402a9e7c77fdb74782dd8d3d5291787266ab289f1a82b
  SHA512: f03986b1b3a0609f7ca999e07f58b6dc0504c767b5b98c60186c8c1f0f5b56b87207d5b8c165a2e103e803ccf32193e848c75875231dd94237d1501862e18e93