Analysis
max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
submitted
11-06-2024 16:47
Behavioral task
behavioral1
Sample
9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe
Resource
win7-20240419-en
General
Target
9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe
Size
838KB
MD5
9edd0f7c7b63ad8b06e76d577cac71f6
SHA1
598c141d36be2079de2b6400312c1fbab7a4f016
SHA256
337b2a2898f89d83eb9810385b6113b722dc71c9e7192876116ae9cf66797d22
SHA512
bf3ab38c6a78507438e8ef26e793fd3bbc2482a865d6d03181f5a884e9351607c89d1af84ecdee1b3910f73f66ebeaf62289a213e55954d9b2b6ea5254184a39
SSDEEP
24576:wlxVBLnjH2ghBSV6V2/QYOc4/5oETPq7vx:wll72vKT/5tTCrx
Malware Config
Signatures
-
Gh0st RAT payload 2 IoCs
Processes:
resource                                                                    yara_rule
behavioral2/memory/540-26-0x0000000000400000-0x00000000005D3000-memory.dmp  family_gh0strat
behavioral2/memory/540-28-0x0000000000400000-0x00000000005D3000-memory.dmp  family_gh0strat
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
Processes:
resource                                       yara_rule
C:\Windows\Microsoft.NET\Framework\ETComm.dll  acprotect
C:\Windows\Microsoft.NET\Framework\ETComm.dll  acprotect
Executes dropped EXE 1 IoCs
Processes:
pid   process
4988  aspnet_wp.exe
Loads dropped DLL 1 IoCs
Processes:
pid   process
4988  aspnet_wp.exe
UPX packed file 7 IoCs
Processes:
resource                                                                     yara_rule
behavioral2/memory/540-0-0x0000000000400000-0x00000000005D3000-memory.dmp    upx
C:\Windows\Microsoft.NET\Framework\ETComm.dll                                upx
behavioral2/memory/4988-13-0x0000000010000000-0x00000000100EB000-memory.dmp  upx
C:\Windows\Microsoft.NET\Framework\ETComm.dll                                upx
behavioral2/memory/4988-25-0x0000000010000000-0x00000000100EB000-memory.dmp  upx
behavioral2/memory/540-26-0x0000000000400000-0x00000000005D3000-memory.dmp   upx
behavioral2/memory/540-28-0x0000000000400000-0x00000000005D3000-memory.dmp   upx
Suspicious use of SetThreadContext 1 IoCs
Processes:
description                         pid   process        target process
PID 4988 set thread context of 228  4988  aspnet_wp.exe  svchost.exe
Drops file in Windows directory 9 IoCs
Processes:
description                   ioc                                                process
File created                  C:\Windows\Microsoft.NET\Framework\mscorsvws.exe   9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe
File created                  C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe   9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe
File created                  C:\Windows\MpMgSvc.dll                             9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework\ETComm.dll      aspnet_wp.exe
File created                  C:\Windows\Microsoft.NET\Framework\ETComm_New.dll  aspnet_wp.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework\mscorsvws.exe   9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe   9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe
File created                  C:\Windows\Microsoft.NET\Framework\ETComm.dll      9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework\ETComm.dll      9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
pid   process
4988  aspnet_wp.exe
4988  aspnet_wp.exe
4988  aspnet_wp.exe
4988  aspnet_wp.exe
540   9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe
540   9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 36 IoCs
Processes:
description                      pid  process                                             count
Token: SeRestorePrivilege        540  9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe  9
Token: SeBackupPrivilege         540  9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe  9
Token: SeSecurityPrivilege       540  9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe  9
Token: SeTakeOwnershipPrivilege  540  9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe  9
(36 IoCs: the same four privileges enabled in this order, nine times over)
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
pid   process
540   9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe
540   9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe
4988  aspnet_wp.exe
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
description                       pid   process                                             target process  count
PID 540 wrote to memory of 4988   540   9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe  aspnet_wp.exe   3
PID 540 wrote to memory of 444    540   9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe  cacls.exe       3
PID 4988 wrote to memory of 228   4988  aspnet_wp.exe                                       svchost.exe     9
(15 IoCs)
Processes
1. C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe (PID 540)
   command line: "C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe"
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe (PID 4988, child of 540)
      command line: C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\svchost.exe (PID 228, child of 4988)
         command line: C:\Windows\system32\svchost.exe
   2. C:\Windows\SysWOW64\cacls.exe (PID 444, child of 540)
      command line: cacls C:\Windows\Fonts\*.exe /e /d system
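Detection logic for the behaviours above, as an added example that is not part of this sandbox report. It matches Sysmon-style process-creation (Event ID 1) and file-creation (Event ID 11) records against three patterns the process tree and the signature tables show: the files dropped into C:\Windows\Microsoft.NET\Framework\ and C:\Windows\MpMgSvc.dll, an svchost.exe whose parent is not services.exe (the WriteProcessMemory and SetThreadContext target here is a svchost.exe started by aspnet_wp.exe), and a cacls or icacls command that adds a deny entry for SYSTEM, as in the child `cacls C:\Windows\Fonts\*.exe /e /d system`. The event records are constructed by hand to mirror this report; the explorer.exe parent of the sample, the constructed_example.dll write and the two benign control events at the end are assumptions for the demo, not data from the page. One caveat the tree illustrates: the command line says C:\Windows\system32\svchost.exe but the image that runs is C:\Windows\SysWOW64\svchost.exe, because a 32-bit parent is subject to WoW64 file-system redirection, so the rule matches on the file name rather than the full System32 path.

```python
"""Sysmon-style triage for the behaviours in this report.

Added example, not part of the sandbox report. Field names follow Sysmon
(EventID, Image, ParentImage, CommandLine, TargetFilename) but the events
below are constructed by hand, not real log exports.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Paths listed under "Drops file in Windows directory" in the report (lower-cased).
DROPPED_PATHS = {
    r"c:\windows\microsoft.net\framework\mscorsvws.exe",
    r"c:\windows\microsoft.net\framework\aspnet_wp.exe",
    r"c:\windows\microsoft.net\framework\etcomm.dll",
    r"c:\windows\microsoft.net\framework\etcomm_new.dll",
    r"c:\windows\mpmgsvc.dll",
}
DOTNET_DIR = "c:\\windows\\microsoft.net\\framework\\"  # a raw string cannot end in a backslash
USER_DIR = "c:\\users\\"

# Every legitimate svchost.exe is started by services.exe.  In the report
# svchost.exe (PID 228) is started by aspnet_wp.exe, which then calls
# WriteProcessMemory and SetThreadContext on it.
SERVICES_EXE = r"c:\windows\system32\services.exe"

# cacls "/d system" (deny SYSTEM) or the icacls equivalent "/deny system:".
DENY_SYSTEM_RE = re.compile(r"\s/d\s+system\b|\s/deny\s+system:", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def _norm(path: str) -> str:
    """Lower-case and strip surrounding quotes so paths compare reliably."""
    return path.strip('"').lower()


def check_file_create(ev: dict) -> Optional[Finding]:
    """Sysmon Event ID 11 (FileCreate)."""
    target, image = _norm(ev["TargetFilename"]), _norm(ev["Image"])
    if target in DROPPED_PATHS:
        return Finding("dropped_file_from_report", ev["ProcessId"], ev["TargetFilename"])
    # Generalisation: anything running from a user profile that writes into the
    # .NET Framework directory, whatever the file is called.
    if target.startswith(DOTNET_DIR) and image.startswith(USER_DIR):
        return Finding("user_path_writes_dotnet_dir", ev["ProcessId"],
                       f"{ev['Image']} wrote {ev['TargetFilename']}")
    return None


def check_process_create(ev: dict) -> Optional[Finding]:
    """Sysmon Event ID 1 (ProcessCreate)."""
    image, parent = _norm(ev["Image"]), _norm(ev["ParentImage"])
    # Match on the file name only: a 32-bit parent is redirected to SysWOW64.
    if image.endswith("\\svchost.exe") and parent != SERVICES_EXE:
        return Finding("svchost_not_from_services", ev["ProcessId"],
                       f"parent {ev['ParentImage']}")
    if image.endswith(("\\cacls.exe", "\\icacls.exe")) and DENY_SYSTEM_RE.search(ev["CommandLine"]):
        return Finding("acl_deny_system", ev["ProcessId"], ev["CommandLine"])
    return None


CHECKS = {1: check_process_create, 11: check_file_create}


def triage(events: list) -> list:
    """Return one Finding per event that matches a rule, in event order."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev["EventID"])
        hit = check(ev) if check else None
        if hit:
            findings.append(hit)
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe"
ASPNET = r"C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe"
# Constructed events mirroring the report's process tree and file drops.
# The explorer.exe parent, constructed_example.dll and the two benign events
# at the end are assumptions for the demo, not data from the report.
EVENTS = [
    {"EventID": 1, "ProcessId": 540, "Image": SAMPLE, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{SAMPLE}"'},
    {"EventID": 11, "ProcessId": 540, "Image": SAMPLE, "TargetFilename": ASPNET},
    {"EventID": 11, "ProcessId": 540, "Image": SAMPLE, "TargetFilename": r"C:\Windows\MpMgSvc.dll"},
    {"EventID": 11, "ProcessId": 540, "Image": SAMPLE,
     "TargetFilename": r"C:\Windows\Microsoft.NET\Framework\constructed_example.dll"},
    {"EventID": 1, "ProcessId": 4988, "Image": ASPNET, "ParentImage": SAMPLE, "CommandLine": ASPNET},
    {"EventID": 11, "ProcessId": 4988, "Image": ASPNET,
     "TargetFilename": r"C:\Windows\Microsoft.NET\Framework\ETComm_New.dll"},
    {"EventID": 1, "ProcessId": 228, "Image": r"C:\Windows\SysWOW64\svchost.exe", "ParentImage": ASPNET,
     "CommandLine": r"C:\Windows\system32\svchost.exe"},
    {"EventID": 1, "ProcessId": 444, "Image": r"C:\Windows\SysWOW64\cacls.exe", "ParentImage": SAMPLE,
     "CommandLine": r"cacls C:\Windows\Fonts\*.exe /e /d system"},
    {"EventID": 1, "ProcessId": 900, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": r"C:\Windows\system32\svchost.exe -k netsvcs"},
    {"EventID": 1, "ProcessId": 901, "Image": r"C:\Windows\System32\icacls.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": r"icacls C:\Temp /grant Users:R"},
]

if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

Run as-is it prints six findings for the constructed events (three report paths, one generic write into the framework directory from a user profile, the svchost.exe started by aspnet_wp.exe, and the cacls deny entry) and nothing for the two benign control events. To use it on real data, feed `triage()` dicts built from the Sysmon EventData fields of the same names; the exact-path rule is the IoC match for this sample, the other two are the behavioural rules that would also catch a variant with different file names.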
Network
MITRE ATT&CK Matrix
Downloads
Filesize
328KB
MD5
88d73a37ae35e3b049b908e7b28a5c39
SHA1
2713a4bd792d0cb4afd6e3b43c7cfc2587989048
SHA256
a81f235483560d11f871351771f862cd52f1ab097a84e37163fb876ff5814f39
SHA512
3d947b28c15b930c9e7212e2dfed2a73fbd6139b5f52020b60735a3fc8f4f1d82e5a0b41a7ce78839e48698437cf07c1485ef61605e461a3768250d71b233da5

Filesize
328KB
MD5
772489c1a202bb5430de2460f82dc8ee
SHA1
35b7dda980e4f54a9d86015fda6023301a41787a
SHA256
26c805ddcd223e867fb915401b567d057980fb5b06bd9b9bc7bd77bee354f261
SHA512
7544421da95ed6174ff0d63428faaba851a0af9c7988c465cb975cbafe421c5b2b22f5fda637755ba4bcc3bdc658a8696afbcaa8763af9e409dcbaa486d0a130

Filesize
217KB
MD5
962026a01cc9c058822bfa108393eaaf
SHA1
bdc766094cc240782e10a0dfec8d420f3420d42c
SHA256
48d8d3a80cd1ebc5fa2402a9e7c77fdb74782dd8d3d5291787266ab289f1a82b
SHA512
f03986b1b3a0609f7ca999e07f58b6dc0504c767b5b98c60186c8c1f0f5b56b87207d5b8c165a2e103e803ccf32193e848c75875231dd94237d1501862e18e93