Analysis Overview
SHA256
f915c69847bca10f1e67339fcf45eeb3bd1b1a76fe2cd24586e0ee11cd2be6a1
Threat Level: Known bad
The file 04c76ea7c3bc3b8a1b35179910dc12a1_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Gh0st RAT payload
Gh0strat family
Gh0strat
Unsigned PE
Program crash
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-23 01:43
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Gh0strat family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-23 01:43
Reported
2024-06-23 01:45
Platform
win7-20240508-en
Max time kernel
140s
Max time network
122s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\04c76ea7c3bc3b8a1b35179910dc12a1_JaffaCakes118.exe |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\04c76ea7c3bc3b8a1b35179910dc12a1_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1936 wrote to memory of 1108 | N/A | C:\Users\Admin\AppData\Local\Temp\04c76ea7c3bc3b8a1b35179910dc12a1_JaffaCakes118.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1936 wrote to memory of 1108 | N/A | C:\Users\Admin\AppData\Local\Temp\04c76ea7c3bc3b8a1b35179910dc12a1_JaffaCakes118.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1936 wrote to memory of 1108 | N/A | C:\Users\Admin\AppData\Local\Temp\04c76ea7c3bc3b8a1b35179910dc12a1_JaffaCakes118.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1936 wrote to memory of 1108 | N/A | C:\Users\Admin\AppData\Local\Temp\04c76ea7c3bc3b8a1b35179910dc12a1_JaffaCakes118.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\04c76ea7c3bc3b8a1b35179910dc12a1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\04c76ea7c3bc3b8a1b35179910dc12a1_JaffaCakes118.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 164
Network
Files
memory/1936-0-0x0000000000400000-0x0000000000421000-memory.dmp
memory/1936-1-0x0000000000400000-0x0000000000421000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-23 01:43
Reported
2024-06-23 01:45
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\04c76ea7c3bc3b8a1b35179910dc12a1_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\04c76ea7c3bc3b8a1b35179910dc12a1_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\04c76ea7c3bc3b8a1b35179910dc12a1_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\04c76ea7c3bc3b8a1b35179910dc12a1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\04c76ea7c3bc3b8a1b35179910dc12a1_JaffaCakes118.exe"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetSvcs -p -s iphlpsvc
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/812-0-0x0000000000400000-0x0000000000421000-memory.dmp
\??\c:\users\admin\appdata\roaming\microsoft\windows\templates\ver.dll
| Hash | Value |
|---|---|
| MD5 | 9793623e4931e16384c58a0cebb0835f |
| SHA1 | f32e24effb1e0c8f03a76d0e7f26612abd4975b1 |
| SHA256 | f3019b4106c0ae396321cd27251a9f49e75670d392777fa06fa09dedb2f597b5 |
| SHA512 | fa701aaff9a655037a057c2bbe68f699eb7859ccbe2ad0da2b85fb1b54bdb663e1a2c3e1110d73da9cfb1b4779c7bb5649d050d03103be1833afb4b1abde08b9 |
memory/812-4-0x0000000000400000-0x0000000000421000-memory.dmp