Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system -
submitted
19-06-2024 20:03
Behavioral task
behavioral1
Sample
0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe
Resource
win7-20240419-en
General
-
Target
0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe
-
Size
127KB
-
MD5
0041e68c1e6e5894f3257688e898e8e8
-
SHA1
4e8a8bbd7d3a1f45e02505780da9079af5fdb89d
-
SHA256
6a552dc09ebd93d33e54831a3d0d1951b838a79df1e2d7c6fc73a1bbcb515ce4
-
SHA512
649852a2555d52cc37a7ba822cef75932fa2b03591e8a6696f6135f9b38ab187f8c975467006cd6dfa25e2cabe840ae64e2894ece0dcfaa5e94b30b9b75d0a29
-
SSDEEP
3072:17CaO7x8fC8t52oj2+rKttHkoIIu6kfif20wNA:17pON8aoi+wKodjkqfXC
Malware Config
Signatures
-
Gh0st RAT payload 2 IoCs
Processes:
resource                                        yara_rule
C:\2950100.dll                                  family_gh0strat
\??\c:\program files (x86)\bwxy\gwxyabcde.gif   family_gh0strat -
Deletes itself 1 IoCs
Processes:
pid   process
4872  svchost.exe -
Loads dropped DLL 2 IoCs
Processes:
pid   process
2944  0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe
4872  svchost.exe -
Drops file in Program Files directory 2 IoCs
Processes:
description                   ioc                                         process
File opened for modification  C:\Program Files (x86)\Bwxy\Gwxyabcde.gif   0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe
File created                  C:\Program Files (x86)\Bwxy\Gwxyabcde.gif   0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid   process
4872  svchost.exe (all 64 process-enumeration IoCs come from this single PID) -
Suspicious behavior: LoadsDriver 6 IoCs
Processes:
pid   4, 4, 4, 4, 4, 660 -
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
description                 pid   process
Token: SeBackupPrivilege    2944  0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe
Token: SeRestorePrivilege   2944  0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe
Token: SeBackupPrivilege    2944  0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe
Token: SeRestorePrivilege   2944  0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe
Token: SeBackupPrivilege    2944  0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe
Token: SeRestorePrivilege   2944  0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe
Token: SeBackupPrivilege    2944  0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe
Token: SeRestorePrivilege   2944  0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe"
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2944
-
C:\Windows\SysWOW64\svchost.exe
Command line: C:\Windows\SysWOW64\svchost.exe -k imgsvc
- Deletes itself
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4872
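The process list above shows the behaviour worth hunting for on other hosts: a 32-bit svchost.exe started with -k imgsvc (PID 4872) loads the dropped DLL C:\2950100.dll from outside the Windows directory, enumerates processes, and deletes the original dropper. The following is an added example, not part of this sandbox report or of any analysis tooling: it runs that correlation over Sysmon-shaped image-load and file-delete records. The event records are constructed here to mirror the report's PIDs and paths; the dataclass shapes, the function names and the assumption that telemetry carries the svchost command line are all mine.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

# Constructed sample data modelled on this report (not captured telemetry).
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe"
DROPPED_DLL = r"C:\2950100.dll"
SVCHOST_WOW64 = r"C:\Windows\SysWOW64\svchost.exe"
SVCHOST_NATIVE = r"C:\Windows\System32\svchost.exe"
WINDOWS_DIR = r"c:\windows"


@dataclass(frozen=True)
class ImageLoad:
    """Module loaded into a process (simplified Sysmon Event ID 7 shape)."""
    pid: int
    image: str
    command_line: str
    loaded: str


@dataclass(frozen=True)
class FileDelete:
    """File deleted by a process (simplified Sysmon Event ID 23/26 shape)."""
    pid: int
    image: str
    target: str


Event = Union[ImageLoad, FileDelete]


def norm(path: str) -> str:
    """Lower-case a Windows path and strip the NT object-manager prefix (\\??\\) seen in the YARA hit."""
    p = path.strip().lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    return p


def is_svchost(image: str) -> bool:
    return norm(image) in {norm(SVCHOST_WOW64), norm(SVCHOST_NATIVE)}


def outside_windows_dir(path: str) -> bool:
    return not norm(path).startswith(WINDOWS_DIR + "\\")


def service_group(command_line: str) -> Optional[str]:
    """Return the svchost service group from '-k <group>' (e.g. 'imgsvc'), or None if absent."""
    tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() == "-k":
            return tokens[i + 1]
    return None


def hunt(events: List[Event]) -> Dict[int, dict]:
    """Per svchost PID, collect DLL loads from outside the Windows directory and deletions of
    executables outside it; report only PIDs with at least one such DLL load."""
    findings: Dict[int, dict] = {}
    for ev in events:
        if not is_svchost(ev.image):
            continue  # the dropper loading its own DLL (PID 2944) is expected; svchost doing so is not
        entry = findings.setdefault(ev.pid, {"group": None, "rogue_dlls": [], "deleted": []})
        if isinstance(ev, ImageLoad):
            entry["group"] = entry["group"] or service_group(ev.command_line)
            if outside_windows_dir(ev.loaded):
                entry["rogue_dlls"].append(ev.loaded)
        elif ev.target.lower().endswith(".exe") and outside_windows_dir(ev.target):
            entry["deleted"].append(ev.target)
    return {pid: f for pid, f in findings.items() if f["rogue_dlls"]}


# Constructed events mirroring the report: dropper loads the DLL, the imgsvc svchost loads it too
# and deletes the dropper; a native netsvcs svchost loading a System32 DLL is the benign control.
SAMPLE_EVENTS: List[Event] = [
    ImageLoad(2944, SAMPLE_EXE, f'"{SAMPLE_EXE}"', DROPPED_DLL),
    ImageLoad(4872, SVCHOST_WOW64, f"{SVCHOST_WOW64} -k imgsvc", r"C:\Windows\SysWOW64\kernel32.dll"),
    ImageLoad(4872, SVCHOST_WOW64, f"{SVCHOST_WOW64} -k imgsvc", DROPPED_DLL),
    FileDelete(4872, SVCHOST_WOW64, SAMPLE_EXE),
    ImageLoad(1234, SVCHOST_NATIVE, f"{SVCHOST_NATIVE} -k netsvcs -p", r"C:\Windows\System32\wuaueng.dll"),
]


def run() -> Dict[int, dict]:
    return hunt(SAMPLE_EVENTS)


if __name__ == "__main__":
    for pid, f in run().items():
        print(f"svchost PID {pid} (-k {f['group']}): loaded {f['rogue_dlls']}, deleted {f['deleted']}")
```

Treat hits as triage leads rather than verdicts: legitimate third-party services also register a ServiceDll under Program Files, so the discriminator here is the combination of a non-Windows-directory DLL in a built-in group such as imgsvc with a deletion of a user-writable executable, plus the YARA family match on the dropped file.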
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize
113KB
MD5 756629819676fecd59d410cbd7e63ed2
SHA1 a774b4a83ecea402c90665c8de0875f2b6eebb1e
SHA256 598f949ae3d4007255c55c737eb61523007c49186da603104c4d824c8f6ad226
SHA512 8022f0b383278fd744de569a149e9eef3395232a2f5762b2b66c5a8a788d1afb2147d2de58a11d58b35424e9469a1b238884b716efe53f1a05d11df1acaa2989
-
Filesize
99B
MD5 2c5cc22f8309bf5748f3ecaa4d9c2f44
SHA1 3d0f86e7818e0f7ecc44ec71e915b6764d005812
SHA256 3da8012a44195f6dc84cd220f229b09332836c40a7ab6e3ec062431fb2a421f3
SHA512 2f7630eb2e2ff714efeab1fd4f017738bb732560e118ad8f78592dc2563c478ecbc2048bced898a8e0f89fa7d5bd7b5138ed2b9cb573778fb13d3d6a36752dc5
-
Filesize
5.2MB
MD5 cb764cb38be5290fac82d044633034e4
SHA1 5ff539693ba7664bb7551d2560187807de94401c
SHA256 793ff674e5dc233df1955043e82f44692dbcaf6939c24d326810340e215ecc6e
SHA512 2c9e2bb952ddc843c3cabdaf8652ceec2593f1e0bac7f480b8fb94e28fe7e641b587ac3cd9e6cd523935a16cc67039ef255bce916e294e5396c0863aed2b7d67