Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
23/07/2024, 02:28
Behavioral task
behavioral1
Sample
65ca6c2c69a5adac46a20810466d5b08_JaffaCakes118.exe
Resource
win7-20240708-en
General
-
Target
65ca6c2c69a5adac46a20810466d5b08_JaffaCakes118.exe
-
Size
11.2MB
-
MD5
65ca6c2c69a5adac46a20810466d5b08
-
SHA1
844b018fec0bb6cf5b13e208950a05a64c8d952f
-
SHA256
bdf8fa18ea0694df6a62adea97d87f80569b4d5fe3944a991711cf28ba804866
-
SHA512
f3c049a14843ffbe12f674b78f81fb9ecd400c97a1c1b08e7b6f6aa447ad287246af40b76de207f65dbd0e28a35402e574931454038a3e6e2c0e8f42d26fb256
-
SSDEEP
3072:dnosptz46JhfIf/LPJKHUWyolm9FI4rEJqiFnQCdFB9HJ09VDLX:dn81ErgIq1UQCNa
Malware Config
Signatures
-
Gh0st RAT payload 1 IoCs
resource yara_rule behavioral2/files/0x000900000002346b-2.dat family_gh0strat -
Loads dropped DLL 1 IoCs
pid Process 4512 RUNDLL32.exe -
Drops file in Program Files directory 3 IoCs
description ioc Process File created \??\c:\Program Files\WINDOWSS.INI 65ca6c2c69a5adac46a20810466d5b08_JaffaCakes118.exe File created C:\Program Files\temp0\QQ.exe 65ca6c2c69a5adac46a20810466d5b08_JaffaCakes118.exe File opened for modification C:\Program Files\temp0\QQ.exe 65ca6c2c69a5adac46a20810466d5b08_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 1056 65ca6c2c69a5adac46a20810466d5b08_JaffaCakes118.exe 1056 65ca6c2c69a5adac46a20810466d5b08_JaffaCakes118.exe 1056 65ca6c2c69a5adac46a20810466d5b08_JaffaCakes118.exe 1056 65ca6c2c69a5adac46a20810466d5b08_JaffaCakes118.exe 1056 65ca6c2c69a5adac46a20810466d5b08_JaffaCakes118.exe 1056 65ca6c2c69a5adac46a20810466d5b08_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 1056 wrote to memory of 4512 1056 65ca6c2c69a5adac46a20810466d5b08_JaffaCakes118.exe 84 PID 1056 wrote to memory of 4512 1056 65ca6c2c69a5adac46a20810466d5b08_JaffaCakes118.exe 84 PID 1056 wrote to memory of 4512 1056 65ca6c2c69a5adac46a20810466d5b08_JaffaCakes118.exe 84 PID 1056 wrote to memory of 3844 1056 65ca6c2c69a5adac46a20810466d5b08_JaffaCakes118.exe 98 PID 1056 wrote to memory of 3844 1056 65ca6c2c69a5adac46a20810466d5b08_JaffaCakes118.exe 98 PID 1056 wrote to memory of 3844 1056 65ca6c2c69a5adac46a20810466d5b08_JaffaCakes118.exe 98
Processes
-
C:\Users\Admin\AppData\Local\Temp\65ca6c2c69a5adac46a20810466d5b08_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\65ca6c2c69a5adac46a20810466d5b08_JaffaCakes118.exe"1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Windows\SysWOW64\RUNDLL32.exeRUNDLL32 "c:\Program Files\WINDOWSS.INI" main2⤵
- Loads dropped DLL
PID:4512
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c afc9fe2f418b00a0.bat2⤵PID:3844
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD594e32d7e317ca37c222de8e6fab020fa
SHA11bfc8cbcd461fff109fa601e68373667a07ba939
SHA25600faf578cee09ba2214fbdf80caef2e5bdf9f228b621227be5767242c1dcf911
SHA512e03bdc9e767e363a1d7f487210ba0918189a18d23114af16602da3c64b4365377c10b290c362d43a4be70d5ccbffda998d914c0db76d5a21a8d999bf558589ea
-
Filesize
10.3MB
MD5df7197357ded7d938abad18280d4dc18
SHA1a655b4f56aece1ebb3f4fec194374f5529f65d41
SHA2566e78fde7e91b99ef304d181a07eba24ee3a84b594b9fe0c5b1f36dc37bd31344
SHA51249993d9e76aa2585a5843f63285224ca0d450602f084c773335d210087ad9325ce4f769d137a6eb43b381f44caa65cb24242ff0dd6162947d34ed413d70022b0