Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 23/07/2024, 16:43
Behavioral task: behavioral1
Sample: 6860e961f1f73b8e447e0f822302c1b4_JaffaCakes118.exe
Resource: win7-20240705-en
General
Target: 6860e961f1f73b8e447e0f822302c1b4_JaffaCakes118.exe
Size: 127KB
MD5: 6860e961f1f73b8e447e0f822302c1b4
SHA1: d749498e18900c16eeab95b2eb45e7247c40b4a7
SHA256: ad123861b9187aef26826170e978becf3bb4e4f3cc5d5e79ea21431b11ccb26d
SHA512: 08773468e7d095b0f2b8fd2ec3ed935b26a0becdb0b831b1a7a92250e284fa9b3d5ef02c185e0c64909000f2330522072c1465a480e71bad92791e20f605a963
SSDEEP: 3072:j7CaO7x8fC8t52oje+rKttHkoIIu6kfif20wNA:j7pON8ao6+wKodjkqfXC
Malware Config
Signatures
Gh0st RAT payload (3 IoCs)
resource  yara_rule
behavioral1/files/0x000c0000000173e4-5.dat  family_gh0strat
behavioral1/memory/3048-9-0x0000000010000000-0x0000000010028000-memory.dmp  family_gh0strat
behavioral1/files/0x0009000000012281-12.dat  family_gh0strat
Deletes itself (1 IoC)
pid  Process
2316  svchost.exe

Loads dropped DLL (1 IoC)
pid  Process
2316  svchost.exe

Drops file in Program Files directory (2 IoCs)
description  ioc  Process
File opened for modification  C:\Program Files (x86)\Bwxy\Gwxyabcde.gif  6860e961f1f73b8e447e0f822302c1b4_JaffaCakes118.exe
File created  C:\Program Files (x86)\Bwxy\Gwxyabcde.gif  6860e961f1f73b8e447e0f822302c1b4_JaffaCakes118.exe
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  6860e961f1f73b8e447e0f822302c1b4_JaffaCakes118.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid  Process
2316  svchost.exe (64 identical entries)

Suspicious use of AdjustPrivilegeToken (8 IoCs)
description  pid  Process
Token: SeBackupPrivilege  3048  6860e961f1f73b8e447e0f822302c1b4_JaffaCakes118.exe
Token: SeRestorePrivilege  3048  6860e961f1f73b8e447e0f822302c1b4_JaffaCakes118.exe
(the two token adjustments alternate, 4 entries each)
Processes
C:\Users\Admin\AppData\Local\Temp\6860e961f1f73b8e447e0f822302c1b4_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\6860e961f1f73b8e447e0f822302c1b4_JaffaCakes118.exe"
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3048
C:\Windows\SysWOW64\svchost.exe
Command line: C:\Windows\SysWOW64\svchost.exe -k imgsvc
- Deletes itself
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2316
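The signatures and process tree above describe a two-stage chain: the sample (pid 3048) enables SeBackup/SeRestore, drops a file with a .gif extension under Program Files (x86), and a SysWOW64 svchost.exe instance (pid 2316, started with -k imgsvc) then loads a dropped DLL and deletes the original sample. As an added example, not part of this sandbox report, the following Python script replays those behaviours as a constructed Sysmon-style event stream and applies detection rules to it. The event records, rule names and helper functions are assumptions made for the example; in particular the ImageLoad target is assumed to be the dropped .gif file, since the report only states that pid 2316 loaded a dropped DLL without naming it.

```python
"""Behavioural triage of a constructed Sysmon-style event stream modelled on
the report above.  Added example; not part of the sandbox report."""
from __future__ import annotations
from pathlib import PureWindowsPath

# Hashes copied from the report: the sample's SHA256 and the 113KB download.
KNOWN_BAD_SHA256 = {
    "ad123861b9187aef26826170e978becf3bb4e4f3cc5d5e79ea21431b11ccb26d",
    "613b890500e680923769cd2dde4269562ac364bb949be166bf7cfb9a37941779",
}

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\6860e961f1f73b8e447e0f822302c1b4_JaffaCakes118.exe"
DROPPED = r"C:\Program Files (x86)\Bwxy\Gwxyabcde.gif"
SVCHOST = r"C:\Windows\SysWOW64\svchost.exe"
NLS_KEY = r"HKLM\SYSTEM\ControlSet001\Control\NLS\Language"

# Constructed events in the order the report implies.  ASSUMPTION: the ImageLoad
# target is DROPPED; the report only says pid 2316 loaded a dropped DLL.
EVENTS = [
    {"type": "ProcessCreate", "pid": 3048, "image": SAMPLE,
     "sha256": "ad123861b9187aef26826170e978becf3bb4e4f3cc5d5e79ea21431b11ccb26d"},
    {"type": "TokenAdjust", "pid": 3048, "image": SAMPLE,
     "privileges": ["SeBackupPrivilege", "SeRestorePrivilege"]},
    {"type": "RegistryOpen", "pid": 3048, "image": SAMPLE, "key": NLS_KEY},
    {"type": "FileCreate", "pid": 3048, "image": SAMPLE, "target": DROPPED},
    {"type": "ProcessCreate", "pid": 2316, "image": SVCHOST,
     "cmdline": SVCHOST + " -k imgsvc"},
    {"type": "ImageLoad", "pid": 2316, "image": SVCHOST, "loaded": DROPPED},
    {"type": "RegistryOpen", "pid": 2316, "image": SVCHOST, "key": NLS_KEY},
    {"type": "FileDelete", "pid": 2316, "image": SVCHOST, "target": SAMPLE},
]

EXEC_EXTS = {".exe", ".dll", ".sys", ".ocx", ".cpl"}
BACKUP_PRIVS = {"SeBackupPrivilege", "SeRestorePrivilege"}


def _under(path: str, *roots: str) -> bool:
    """Case-insensitive prefix test against one or more directory roots."""
    p = path.lower()
    return any(p.startswith(r.lower()) for r in roots)


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _ext(path: str) -> str:
    return PureWindowsPath(path).suffix.lower()


def triage(events) -> list[tuple[str, int, str]]:
    """Return (rule, pid, detail) findings.  Files created during the run are
    remembered so a later image load can be tied back to the process that
    dropped it (the dropper -> service-host loader chain in the report)."""
    created: dict[str, int] = {}
    findings = []
    for e in events:
        t, pid, image = e["type"], e["pid"], e["image"]
        if t == "ProcessCreate" and e.get("sha256") in KNOWN_BAD_SHA256:
            findings.append(("known_bad_hash", pid, e["sha256"]))
        elif t == "TokenAdjust" and BACKUP_PRIVS <= set(e["privileges"]) \
                and _under(image, r"C:\Users"):
            # Backup+Restore together bypass file ACLs for read and write;
            # unusual for a binary running out of a user profile directory.
            findings.append(("backup_restore_privs_from_user_path", pid, image))
        elif t == "FileCreate":
            created[e["target"].lower()] = pid
            if _under(e["target"], r"C:\Program Files") and _under(image, r"C:\Users") \
                    and _ext(e["target"]) not in EXEC_EXTS:
                findings.append(("non_exec_ext_dropped_in_program_files", pid, e["target"]))
        elif t == "ImageLoad" and _name(image) == "svchost.exe":
            loaded = e["loaded"]
            if not _under(loaded, r"C:\Windows") or _ext(loaded) not in EXEC_EXTS:
                findings.append(("svchost_loads_foreign_image", pid, loaded))
            if loaded.lower() in created:
                findings.append(("svchost_loads_dropped_file", pid,
                                 f"{loaded} dropped by pid {created[loaded.lower()]}"))
        elif t == "FileDelete" and _name(image) == "svchost.exe" \
                and _under(e["target"], r"C:\Users"):
            findings.append(("svchost_deletes_user_file", pid, e["target"]))
        # RegistryOpen on NLS\Language is deliberately not alerted on: almost
        # all software reads it, so it is context for other findings, not a signal.
    return findings


def rules_by_pid(findings) -> dict[int, set[str]]:
    """Group fired rule names per process for a quick per-pid verdict."""
    out: dict[int, set[str]] = {}
    for rule, pid, _ in findings:
        out.setdefault(pid, set()).add(rule)
    return out


if __name__ == "__main__":
    for rule, pid, detail in triage(EVENTS):
        print(f"{pid:>5}  {rule:<40} {detail}")
```

The NLS\Language read is kept as context rather than an alert on purpose: both processes in the report touch it, but so does nearly every Windows program, and alerting on it alone would drown the signal from the dropper and loader rules.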
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 113KB
MD5: 7a5449088bf5920fd891b438e6179889
SHA1: 337c0a27eadc4b1a6f7949dfb6e181508a33daaa
SHA256: 613b890500e680923769cd2dde4269562ac364bb949be166bf7cfb9a37941779
SHA512: 6e0b04bc13986c0f82413922a0d3854f7d87308b8fab2fbe9422f8554076bc90628abc1f772cfa4003485c10c0789826339a091bf9fe3e2167dffdd87350ef3a

Filesize: 11.3MB
MD5: 12b4d966bb93b8479c5f2b7e340b9e5e
SHA1: 6a6d559ed88c1f381ddee12c7dee439aa12b9b10
SHA256: 2acd741c49f571425a163784f2f73d1784c01f23ff021749b3c7cbbc5697edca
SHA512: 250b32b98675f008d1d0b1144369458ab5fd734e51968b709b16e320737d112ede0a8de668c9addad1563438f935f7585ae1f25d871b7b6938b0a76471aa1d8b

Filesize: 99B
MD5: d5fa9711b3dc04b24e8ed23fda47b976
SHA1: 33f06af1ee9d27ce74da4004c9a7375210a9837e
SHA256: da8161a2bf278a3de1f1207d40c2a87f9ddc33da6cda56866ee03a6c961b8d89
SHA512: 0b7ab0e50daf0b2adaef5e1d729d80c91ca9038a70ebaebd042c8abb6a458631041e5e8eec104592af0f4171774a52ee5013036256abe4de3c0a18e9bc68c9b7