Analysis
Max time kernel: 132s
Max time network: 135s
Platform: windows7_x64
Resource: win7-20240704-en
Resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
Submitted: 16/07/2024, 06:22
Behavioral task behavioral1
  Sample: 4d257e507fea62c60ec257db15f91e59_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task behavioral2
  Sample: 4d257e507fea62c60ec257db15f91e59_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
Behavioral task behavioral3
  Sample: 2011528135322.exe
  Resource: win7-20240704-en
Behavioral task behavioral4
  Sample: 2011528135322.exe
  Resource: win10v2004-20240709-en
General
Target: 2011528135322.exe
Size: 204KB
MD5: 1a24c5e8b0653ff5c5033c1970af459a
SHA1: eeaa099ef42414aaf4f7c48618cd66a6e2ba9e37
SHA256: 779ba65f8947c9206cade7b181683380da0ef1b12a1a8de5c2e6c00d53574e9b
SHA512: 006478b5fae5964ad5ede2b3277fcccfa54de68dff768110b7fb9ab184baa2b714d1d44717d3f760f480fbe1ec48f4e7e569dc030d073da7241825468d552f15
SSDEEP: 3072:YqVYtrjsN9NhlcOAeT4WWDQ8KKwirAKVd8R8httUH31:FKtnsN9Nvc6DWECwyXX8RM831
Malware Config
Signatures
Gh0st RAT payload (1 IoC)
  resource                                    yara_rule
  behavioral3/files/0x0007000000018f3e-1.dat  family_gh0strat
Deletes itself (1 IoC)
  pid   Process
  2832  cmd.exe
Executes dropped EXE (1 IoC)
  pid   Process
  2364  svchost.exe
Loads dropped DLL (2 IoCs)
  pid   Process
  2712  2011528135322.exe
  2712  2011528135322.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                          Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\V2011 = "C:\\WINDOWS\\V2011.exe"  svchost.exe
Drops file in Windows directory (2 IoCs)
  description                   ioc                    Process
  File created                  C:\WINDOWS\V2011.exe   svchost.exe
  File opened for modification  C:\WINDOWS\V2011.exe   svchost.exe
Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid   Process
  2712  2011528135322.exe
  2364  svchost.exe
  2364  svchost.exe
  2364  svchost.exe
  2364  svchost.exe
  2364  svchost.exe
  2364  svchost.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  2364  svchost.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  2364  svchost.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  description                         pid   Process            procid_target
  PID 2712 wrote to memory of 2364    2712  2011528135322.exe  29
  PID 2712 wrote to memory of 2364    2712  2011528135322.exe  29
  PID 2712 wrote to memory of 2364    2712  2011528135322.exe  29
  PID 2712 wrote to memory of 2364    2712  2011528135322.exe  29
  PID 2712 wrote to memory of 2832    2712  2011528135322.exe  30
  PID 2712 wrote to memory of 2832    2712  2011528135322.exe  30
  PID 2712 wrote to memory of 2832    2712  2011528135322.exe  30
  PID 2712 wrote to memory of 2832    2712  2011528135322.exe  30
Processes
C:\Users\Admin\AppData\Local\Temp\2011528135322.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2011528135322.exe"
  PID: 2712
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child: C:\Users\Admin\AppData\Local\Temp\V2011\svchost.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\V2011\svchost.exe
    PID: 2364
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
  Child: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c afc9fe2f418b00a0.bat
    PID: 2832
    - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 2KB
  MD5: c278bb1ed716377a08b995ff7d9cab5c
  SHA1: 8292efb97a4e48579adc419172c9d3340226252d
  SHA256: 68ad3c8b3074a09adea23fafb51cf367f6297c1de626b39925294cc492bd36a9
  SHA512: 82f524ba37fc9d29a04bc1c438624da52f3a365728d417e0c2156806088fc29256ab5bb5d9933580aa17189a55cff5021859311b60c415ba45e85fd13bf2ff9f
File 2
  Filesize: 204KB
  MD5: 1a24c5e8b0653ff5c5033c1970af459a
  SHA1: eeaa099ef42414aaf4f7c48618cd66a6e2ba9e37
  SHA256: 779ba65f8947c9206cade7b181683380da0ef1b12a1a8de5c2e6c00d53574e9b
  SHA512: 006478b5fae5964ad5ede2b3277fcccfa54de68dff768110b7fb9ab184baa2b714d1d44717d3f760f480fbe1ec48f4e7e569dc030d073da7241825468d552f15