Analysis
  max time kernel: 150s
  max time network: 150s
  platform: windows10-2004_x64
  resource: win10v2004-20240611-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 19-06-2024 21:34
Behavioral task: behavioral1
  Sample: 009dfa5f6f8d806249c03e9d031866cb_JaffaCakes118.exe
  Resource: win7-20240611-en
General
  Target: 009dfa5f6f8d806249c03e9d031866cb_JaffaCakes118.exe
  Size: 126KB
  MD5: 009dfa5f6f8d806249c03e9d031866cb
  SHA1: a4473c9d5590d1dd002710dc5b5864b42c97866a
  SHA256: 795dce5814389f1f04403f58aff53e9d65eb54088d61690dd5d0365c37bee5e6
  SHA512: a11f7dde157add77b3b3ef1594dd16cb954495d8a6b5705467e0770799e573219c4951905f86eaac124c75815ac8b2e9d50c49491c0879567ad649aa526cdc4d
  SSDEEP: 3072:61UNGB+I0Oy8uIqn9X4rKttHkoIIuZkfiXqCYNg:61UQpu8Hqx4wKodkkqXBm
Malware Config
Signatures
  Gh0st RAT payload (2 IoCs)
    Resource: C:\1193700.dll, YARA rule: family_gh0strat
    Resource: \??\c:\program files (x86)\uqrs\aqrstuvwx.bmp, YARA rule: family_gh0strat
  Deletes itself (1 IoC)
    Process: svchost.exe (PID 2740)
  Loads dropped DLL (2 IoCs)
    Process: 009dfa5f6f8d806249c03e9d031866cb_JaffaCakes118.exe (PID 4516)
    Process: svchost.exe (PID 2740)
  Drops file in Program Files directory (2 IoCs)
    File opened for modification: C:\Program Files (x86)\Uqrs\Aqrstuvwx.bmp, by 009dfa5f6f8d806249c03e9d031866cb_JaffaCakes118.exe
    File created: C:\Program Files (x86)\Uqrs\Aqrstuvwx.bmp, by 009dfa5f6f8d806249c03e9d031866cb_JaffaCakes118.exe
  Suspicious behavior: EnumeratesProcesses (64 IoCs)
    Process: svchost.exe (PID 2740), 64 occurrences
  Suspicious behavior: LoadsDriver (6 IoCs)
    PIDs: 4, 4, 4, 4, 4, 652
  Suspicious use of AdjustPrivilegeToken (8 IoCs)
    Process: 009dfa5f6f8d806249c03e9d031866cb_JaffaCakes118.exe (PID 4516)
    Tokens: SeBackupPrivilege and SeRestorePrivilege, requested alternately, 4 times each
Processes
  C:\Users\Admin\AppData\Local\Temp\009dfa5f6f8d806249c03e9d031866cb_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\009dfa5f6f8d806249c03e9d031866cb_JaffaCakes118.exe"
    PID: 4516
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\SysWOW64\svchost.exe -k imgsvc
    PID: 2740
    - Deletes itself
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads