Analysis

Max time kernel: 151s
Max time network: 151s
Platform: windows10-2004_x64
Resource: win10v2004-20240226-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 19-06-2024 19:54
Static task: static1
Behavioral task: behavioral1
  Sample: 0039d222ef7f9efa1edd0fbb6f139776_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 0039d222ef7f9efa1edd0fbb6f139776_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General

Target: 0039d222ef7f9efa1edd0fbb6f139776_JaffaCakes118.exe
Size: 163KB
MD5: 0039d222ef7f9efa1edd0fbb6f139776
SHA1: f5f8cbec874f5e63915336d63f7ee330fc1d1a90
SHA256: 18c74194c77c1c5a201204d99a7bfde3a8d479f08963608639de96c19ce0b417
SHA512: 7e659c6c4c5263d8cea5d98fe4a811878775d4a413608793a7c67b1ebd2a84422098ee85f3de5ecd1457badbaa5dc636536cfc1f147a9c827cabaf71b492e930
SSDEEP: 3072:XbSMy0zCBVwYdOeKRMdh2nSGb+7j/a+7KbvaYbjY6VOp7yL3O/+6s56:Xbhy0zClOeYMdshb+7j/37KbvaYb06sB
Malware Config
Signatures
- Gh0st RAT payload (1 IoC)
  resource: \??\c:\windows\fastuserswitchingcompatibilitybeas.dat
  yara_rule: family_gh0strat
- Server Software Component: Terminal Services DLL (1 TTP, 1 IoC)
  Processes: 0039d222ef7f9efa1edd0fbb6f139776_JaffaCakes118.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\FastUserSwitchingCompatibilitybeas.dat"
  process: 0039d222ef7f9efa1edd0fbb6f139776_JaffaCakes118.exe
- Loads dropped DLL (2 IoCs)
  Processes: svchost.exe, rundll32.exe
  pid / process:
    3952 svchost.exe
    4616 rundll32.exe
- Drops file in Windows directory (2 IoCs)
  Processes: 0039d222ef7f9efa1edd0fbb6f139776_JaffaCakes118.exe
  description / ioc / process:
    File created  C:\Windows\FastUserSwitchingCompatibilitybeas.dat  0039d222ef7f9efa1edd0fbb6f139776_JaffaCakes118.exe
    File opened for modification  C:\Windows\RCX3A5.tmp  0039d222ef7f9efa1edd0fbb6f139776_JaffaCakes118.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: rundll32.exe
  pid / process: 4616 rundll32.exe (the same entry is listed 64 times)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: svchost.exe
  description / pid / process: Token: SeDebugPrivilege  3952 svchost.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: 0039d222ef7f9efa1edd0fbb6f139776_JaffaCakes118.exe
  pid / process: 4292 0039d222ef7f9efa1edd0fbb6f139776_JaffaCakes118.exe (listed twice)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 0039d222ef7f9efa1edd0fbb6f139776_JaffaCakes118.exe, svchost.exe
  description / pid / process / target process:
    PID 4292 wrote to memory of 1548  4292 0039d222ef7f9efa1edd0fbb6f139776_JaffaCakes118.exe  cmd.exe (listed 3 times)
    PID 3952 wrote to memory of 4616  3952 svchost.exe  rundll32.exe (listed 3 times)
Processes

- C:\Users\Admin\AppData\Local\Temp\0039d222ef7f9efa1edd0fbb6f139776_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0039d222ef7f9efa1edd0fbb6f139776_JaffaCakes118.exe"
  PID: 4292
  - Server Software Component: Terminal Services DLL
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c del "C:\Users\Admin\AppData\Local\Temp\0039d222ef7f9efa1edd0fbb6f139776_JaffaCakes118.exe"
    PID: 1548

- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
  PID: 3952
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe c:\windows\fastuserswitchingcompatibilitybeas.dat, abcd
    PID: 4616
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4060 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
  PID: 4752
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 111KB
  MD5: f935ac980f3d29f82e2be3e68593fdaf
  SHA1: cc8c6d9f9bdf0eee1681e90fee54b907390883cb
  SHA256: 4bf21f324deb1549115c730ef290333ea0438f03a934fb119b862e961e765f53
  SHA512: 7c04aa685ad36efac2c9fd637fc403b8085961358991f88506e51969f1eff300fc1bb0fb0c4ef8716686b8f1f0bdcf2e578c95c4d4defb9507c6c7bdee1f4599