Analysis Overview
SHA256
204004daa0a87485d00cbb49f98829ce0faed3476969a11712e0954676109c2a
Threat Level: Known bad
The file 098e32b85ff13e6d297d4c0a53f2a1c8_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Gh0st RAT payload
Gh0strat
Server Software Component: Terminal Services DLL
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-24 16:20
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-24 16:20
Reported
2024-06-24 16:23
Platform
win7-20240611-en
Max time kernel
150s
Max time network
127s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Gh0strat
Server Software Component: Terminal Services DLL
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\mKF3Y2bn\Parameters\ServiceDll = "C:\\Windows\\system32\\lA02TF.pic" | C:\Users\Admin\AppData\Local\Temp\098e32b85ff13e6d297d4c0a53f2a1c8_JaffaCakes118.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\lA02TF.pic | C:\Users\Admin\AppData\Local\Temp\098e32b85ff13e6d297d4c0a53f2a1c8_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\098e32b85ff13e6d297d4c0a53f2a1c8_JaffaCakes118.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\098e32b85ff13e6d297d4c0a53f2a1c8_JaffaCakes118.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\098e32b85ff13e6d297d4c0a53f2a1c8_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\098e32b85ff13e6d297d4c0a53f2a1c8_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1748 wrote to memory of 2284 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1748 wrote to memory of 2284 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1748 wrote to memory of 2284 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1748 wrote to memory of 2284 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1748 wrote to memory of 2284 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1748 wrote to memory of 2284 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1748 wrote to memory of 2284 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\098e32b85ff13e6d297d4c0a53f2a1c8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\098e32b85ff13e6d297d4c0a53f2a1c8_JaffaCakes118.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k mKF3Y2bn
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe c:\windows\system32\la02tf.pic,main mKF3Y2bn
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | a616713144.3322.org | udp |
Files
\??\c:\windows\SysWOW64\la02tf.pic
| MD5 | eb0282b182797da26ca1a56dcedcf411 |
| SHA1 | 672c3095cd7541ce05893f2b16476912a6b9c64a |
| SHA256 | 773968bfd1fb4ae0aea27f03bb5fc53e69ac595938f7c9dea05d0c56d8ef4a37 |
| SHA512 | 9dd0213e39ddc75b0e53dec66d77e0a606c427618ef94ec80b8b200f6351563448406a441d268e2f47d97b16d7e9bc56b64462d5ad436da20cad45cb1cd09259 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-24 16:20
Reported
2024-06-24 16:23
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
87s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Gh0strat
Server Software Component: Terminal Services DLL
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\dlM4IC6i\Parameters\ServiceDll = "C:\\Windows\\system32\\lA02TF.pic" | C:\Users\Admin\AppData\Local\Temp\098e32b85ff13e6d297d4c0a53f2a1c8_JaffaCakes118.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\lA02TF.pic | C:\Users\Admin\AppData\Local\Temp\098e32b85ff13e6d297d4c0a53f2a1c8_JaffaCakes118.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\svchost.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\098e32b85ff13e6d297d4c0a53f2a1c8_JaffaCakes118.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\098e32b85ff13e6d297d4c0a53f2a1c8_JaffaCakes118.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\098e32b85ff13e6d297d4c0a53f2a1c8_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\098e32b85ff13e6d297d4c0a53f2a1c8_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3976 wrote to memory of 4540 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3976 wrote to memory of 4540 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3976 wrote to memory of 4540 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\098e32b85ff13e6d297d4c0a53f2a1c8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\098e32b85ff13e6d297d4c0a53f2a1c8_JaffaCakes118.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k dlM4IC6i
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe c:\windows\system32\la02tf.pic,main dlM4IC6i
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3976 -ip 3976
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 436
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | a616713144.3322.org | udp |
| US | 8.8.8.8:53 | a616713144.3322.org | udp |
Files
C:\Windows\SysWOW64\lA02TF.pic
| MD5 | 54daf2bd595ff53ae543ae9b648b26ea |
| SHA1 | 278c92cfd333d5ec8f0765e931ee17f8a2fede38 |
| SHA256 | 7796fcc228e573d1b3fb0f6b9517eca189cb2f6874ad60464ff368dec3fc6d67 |
| SHA512 | 2ea68766c34e4493ee2b7f9f5c213f460dfbecb714de4ebc88ebaea08ab5c061bf81ec433c7a43a7a09f4aacefab9c0b2712a2ad5885d807fcc0c644344740dd |