Analysis
max time kernel: 145s
max time network: 135s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
submitted: 11/07/2024, 03:21
Behavioral task: behavioral1
Sample: 3784650d6e2ee105f1b3d2ae90052e0a_JaffaCakes118.exe
Resource: win7-20240704-en
General
-
Target
3784650d6e2ee105f1b3d2ae90052e0a_JaffaCakes118.exe
-
Size
206KB
-
MD5
3784650d6e2ee105f1b3d2ae90052e0a
-
SHA1
ce3f6b0056fca8b259eb118403153b7e3517c859
-
SHA256
a5edb9b16066ce23ee708edb76a496ebe32d20638c3c7131893209fb615e9f06
-
SHA512
180166b7ff303931a79f89432eb4586643bfcebcc6737c62f0152be2dd4f721aeebd31f5d590ecca026ba742b34e95c09a33b34cfd80f48d8b938eb9cc063ec5
-
SSDEEP
6144:lsIt6nWEQgBTyPRqyhYPbOcTBlhHrNndnkv0y:69WEQJq8YPbOcT3Ul
Malware Config
Signatures
-
Gh0st RAT payload 8 IoCs
resource  yara_rule
behavioral1/memory/588-0-0x0000000000400000-0x0000000000434000-memory.dmp  family_gh0strat
behavioral1/files/0x0007000000012117-6.dat  family_gh0strat
behavioral1/memory/2796-11-0x0000000000400000-0x0000000000434000-memory.dmp  family_gh0strat
behavioral1/memory/588-12-0x0000000000400000-0x0000000000434000-memory.dmp  family_gh0strat
behavioral1/memory/2796-13-0x0000000000400000-0x0000000000434000-memory.dmp  family_gh0strat
behavioral1/files/0x0009000000016de1-16.dat  family_gh0strat
behavioral1/memory/2796-18-0x0000000000400000-0x0000000000434000-memory.dmp  family_gh0strat
behavioral1/memory/2416-20-0x0000000020000000-0x0000000020027000-memory.dmp  family_gh0strat
Deletes itself 1 IoCs
pid  Process
2796  hirevnuotd
Executes dropped EXE 1 IoCs
pid  Process
2796  hirevnuotd
Loads dropped DLL 2 IoCs
pid  Process
588  3784650d6e2ee105f1b3d2ae90052e0a_JaffaCakes118.exe
2416  svchost.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description  ioc  Process
File opened for modification  \??\PhysicalDrive0  svchost.exe
Drops file in System32 directory 1 IoCs
description  ioc  Process
File created  C:\Windows\SysWOW64\pselwyohyb  svchost.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  svchost.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  svchost.exe
Modifies data under HKEY_USERS 6 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7"  svchost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum  svchost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software  svchost.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft  svchost.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie  svchost.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum  svchost.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid  Process
2796  hirevnuotd
2416  svchost.exe
2416  svchost.exe
2416  svchost.exe
Suspicious use of AdjustPrivilegeToken 18 IoCs
description  pid  Process
Token: SeRestorePrivilege  2796  hirevnuotd
Token: SeBackupPrivilege  2796  hirevnuotd
Token: SeBackupPrivilege  2796  hirevnuotd
Token: SeRestorePrivilege  2796  hirevnuotd
Token: SeBackupPrivilege  2416  svchost.exe
Token: SeRestorePrivilege  2416  svchost.exe
Token: SeBackupPrivilege  2416  svchost.exe
Token: SeBackupPrivilege  2416  svchost.exe
Token: SeSecurityPrivilege  2416  svchost.exe
Token: SeSecurityPrivilege  2416  svchost.exe
Token: SeBackupPrivilege  2416  svchost.exe
Token: SeBackupPrivilege  2416  svchost.exe
Token: SeSecurityPrivilege  2416  svchost.exe
Token: SeBackupPrivilege  2416  svchost.exe
Token: SeBackupPrivilege  2416  svchost.exe
Token: SeSecurityPrivilege  2416  svchost.exe
Token: SeBackupPrivilege  2416  svchost.exe
Token: SeRestorePrivilege  2416  svchost.exe
Suspicious use of WriteProcessMemory 7 IoCs
description  pid  Process  procid_target
PID 588 wrote to memory of 2796  588  3784650d6e2ee105f1b3d2ae90052e0a_JaffaCakes118.exe  30
PID 588 wrote to memory of 2796  588  3784650d6e2ee105f1b3d2ae90052e0a_JaffaCakes118.exe  30
PID 588 wrote to memory of 2796  588  3784650d6e2ee105f1b3d2ae90052e0a_JaffaCakes118.exe  30
PID 588 wrote to memory of 2796  588  3784650d6e2ee105f1b3d2ae90052e0a_JaffaCakes118.exe  30
PID 588 wrote to memory of 2796  588  3784650d6e2ee105f1b3d2ae90052e0a_JaffaCakes118.exe  30
PID 588 wrote to memory of 2796  588  3784650d6e2ee105f1b3d2ae90052e0a_JaffaCakes118.exe  30
PID 588 wrote to memory of 2796  588  3784650d6e2ee105f1b3d2ae90052e0a_JaffaCakes118.exe  30
Processes
Process tree (indentation shows parent/child depth):

C:\Users\Admin\AppData\Local\Temp\3784650d6e2ee105f1b3d2ae90052e0a_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3784650d6e2ee105f1b3d2ae90052e0a_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:588

  \??\c:\users\admin\appdata\local\hirevnuotd
    Command line: "C:\Users\Admin\AppData\Local\Temp\3784650d6e2ee105f1b3d2ae90052e0a_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\3784650d6e2ee105f1b3d2ae90052e0a_jaffacakes118.exe
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2796

C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2416
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 23.1MB
MD5: 41ae7b5237f0c3a7a39fd57980b7f9b7
SHA1: dd59d74c737a842bd6298c1f9ab10ba83b4284e4
SHA256: 23b1c1ba32f9087cc584f44367a75b52490adaf21448e1280d6ea3a31bcf8dfd
SHA512: 8220a7e07fcda05e4e6b55da5e565e39c8e5c22335224dc75d51b5d53e7952e8d2993431efc48b01c632fe63efceb34bb21b07eee838dd7e36ad43e9b7bf75e2

Filesize: 20.7MB
MD5: b64f2aca3bedf8fcf9ddea0d608dce0a
SHA1: b294dd1838671bbfc2bc0817b3272abc2218fdcd
SHA256: 169422a64005266ace7446c0b43e6eb921bc6ad6405db994ec0e3212d7cba990
SHA512: 619463078c99c059ee05fede4de9f49c886b0c3ef4a7ba3fe264d0f0fa8041b7e37d7e1dfb6b50fc695e0d8353daf3f0efe6311849beee6d73adadf2e1a1608b