Analysis
Max time kernel: 143s
Max time network: 122s
Platform: windows7_x64
Resource: win7-20240611-en
Resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
Submitted: 19-06-2024 19:54
Static task: static1
Behavioral task: behavioral1
  Sample: 0039d222ef7f9efa1edd0fbb6f139776_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 0039d222ef7f9efa1edd0fbb6f139776_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: 0039d222ef7f9efa1edd0fbb6f139776_JaffaCakes118.exe
Size: 163KB
MD5: 0039d222ef7f9efa1edd0fbb6f139776
SHA1: f5f8cbec874f5e63915336d63f7ee330fc1d1a90
SHA256: 18c74194c77c1c5a201204d99a7bfde3a8d479f08963608639de96c19ce0b417
SHA512: 7e659c6c4c5263d8cea5d98fe4a811878775d4a413608793a7c67b1ebd2a84422098ee85f3de5ecd1457badbaa5dc636536cfc1f147a9c827cabaf71b492e930
SSDEEP: 3072:XbSMy0zCBVwYdOeKRMdh2nSGb+7j/a+7KbvaYbjY6VOp7yL3O/+6s56:Xbhy0zClOeYMdshb+7j/37KbvaYb06sB
Malware Config
Signatures
- Gh0st RAT payload (3 IoCs)
  resource | yara_rule
  \??\c:\windows\fastuserswitchingcompatibilitybeas.dat | family_gh0strat
  behavioral1/memory/2644-6-0x0000000010000000-0x00000000118C5000-memory.dmp | family_gh0strat
  behavioral1/memory/2304-7-0x0000000010000000-0x00000000118C5000-memory.dmp | family_gh0strat
- Server Software Component: Terminal Services DLL (1 TTPs, 1 IoCs)
  Processes: 0039d222ef7f9efa1edd0fbb6f139776_JaffaCakes118.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\FastUserSwitchingCompatibilitybeas.dat" | 0039d222ef7f9efa1edd0fbb6f139776_JaffaCakes118.exe
- Deletes itself (1 IoCs)
  Processes: cmd.exe
  pid | process
  2620 | cmd.exe
- Drops file in Windows directory (2 IoCs)
  Processes: 0039d222ef7f9efa1edd0fbb6f139776_JaffaCakes118.exe
  description | ioc | process
  File created | C:\Windows\FastUserSwitchingCompatibilitybeas.dat | 0039d222ef7f9efa1edd0fbb6f139776_JaffaCakes118.exe
  File opened for modification | C:\Windows\RCX65E4.tmp | 0039d222ef7f9efa1edd0fbb6f139776_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: svchost.exe
  description | pid | process
  Token: SeDebugPrivilege | 2304 | svchost.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: 0039d222ef7f9efa1edd0fbb6f139776_JaffaCakes118.exe
  pid | process
  2248 | 0039d222ef7f9efa1edd0fbb6f139776_JaffaCakes118.exe
  2248 | 0039d222ef7f9efa1edd0fbb6f139776_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: 0039d222ef7f9efa1edd0fbb6f139776_JaffaCakes118.exe, svchost.exe
  description | pid | process | target process
  PID 2248 wrote to memory of 2620 | 2248 | 0039d222ef7f9efa1edd0fbb6f139776_JaffaCakes118.exe | cmd.exe (4 identical entries)
  PID 2304 wrote to memory of 2644 | 2304 | svchost.exe | rundll32.exe (7 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\0039d222ef7f9efa1edd0fbb6f139776_JaffaCakes118.exe (PID 2248, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0039d222ef7f9efa1edd0fbb6f139776_JaffaCakes118.exe"
  - Server Software Component: Terminal Services DLL
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 2620, level 2, child of PID 2248)
    Command line: cmd /c del "C:\Users\Admin\AppData\Local\Temp\0039d222ef7f9efa1edd0fbb6f139776_JaffaCakes118.exe"
    - Deletes itself
C:\Windows\SysWOW64\svchost.exe (PID 2304, level 1)
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 2644, level 2, child of PID 2304)
    Command line: rundll32.exe c:\windows\fastuserswitchingcompatibilitybeas.dat, abcd
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 24.8MB
MD5: 7064390e507841e391c8403387ca9730
SHA1: ce2938c73839afa306ae23f396f6903069b52cda
SHA256: 5884174ca023dabbab7ff99d4a06939ff889a05c0bb0faa94a68b36b3fd9ce2d
SHA512: d1680af228727f6c4cc3287c43fb4349ea358f0afdc5de5e02ccc000be206e868c14c7809fee40edab4e6ddd3b43b225a1315bd904192c764f747ec84045f1c8