Analysis

max time kernel: 150s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/07/2024, 16:43

Behavioral task: behavioral1
Sample: 6860e961f1f73b8e447e0f822302c1b4_JaffaCakes118.exe
Resource: win7-20240705-en
General

Target: 6860e961f1f73b8e447e0f822302c1b4_JaffaCakes118.exe
Size: 127KB
MD5: 6860e961f1f73b8e447e0f822302c1b4
SHA1: d749498e18900c16eeab95b2eb45e7247c40b4a7
SHA256: ad123861b9187aef26826170e978becf3bb4e4f3cc5d5e79ea21431b11ccb26d
SHA512: 08773468e7d095b0f2b8fd2ec3ed935b26a0becdb0b831b1a7a92250e284fa9b3d5ef02c185e0c64909000f2330522072c1465a480e71bad92791e20f605a963
SSDEEP: 3072:j7CaO7x8fC8t52oje+rKttHkoIIu6kfif20wNA:j7pON8ao6+wKodjkqfXC
Malware Config
Signatures
Gh0st RAT payload (2 IoCs)
resource | yara_rule
behavioral2/files/0x00090000000233e2-2.dat | family_gh0strat
behavioral2/files/0x000d0000000233c8-11.dat | family_gh0strat

Deletes itself (1 IoCs)
pid | Process
2072 | svchost.exe

Loads dropped DLL (2 IoCs)
pid | Process
4972 | 6860e961f1f73b8e447e0f822302c1b4_JaffaCakes118.exe
2072 | svchost.exe

Drops file in Program Files directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Bwxy\Gwxyabcde.gif | 6860e961f1f73b8e447e0f822302c1b4_JaffaCakes118.exe
File created | C:\Program Files (x86)\Bwxy\Gwxyabcde.gif | 6860e961f1f73b8e447e0f822302c1b4_JaffaCakes118.exe
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6860e961f1f73b8e447e0f822302c1b4_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2072 | svchost.exe (64 identical entries)

Suspicious behavior: LoadsDriver (6 IoCs)
pid | Process
4 | Process not Found (5 identical entries)
656 | Process not Found

Suspicious use of AdjustPrivilegeToken (8 IoCs)
description | pid | Process
Token: SeBackupPrivilege | 4972 | 6860e961f1f73b8e447e0f822302c1b4_JaffaCakes118.exe
Token: SeRestorePrivilege | 4972 | 6860e961f1f73b8e447e0f822302c1b4_JaffaCakes118.exe
Token: SeBackupPrivilege | 4972 | 6860e961f1f73b8e447e0f822302c1b4_JaffaCakes118.exe
Token: SeRestorePrivilege | 4972 | 6860e961f1f73b8e447e0f822302c1b4_JaffaCakes118.exe
Token: SeBackupPrivilege | 4972 | 6860e961f1f73b8e447e0f822302c1b4_JaffaCakes118.exe
Token: SeRestorePrivilege | 4972 | 6860e961f1f73b8e447e0f822302c1b4_JaffaCakes118.exe
Token: SeBackupPrivilege | 4972 | 6860e961f1f73b8e447e0f822302c1b4_JaffaCakes118.exe
Token: SeRestorePrivilege | 4972 | 6860e961f1f73b8e447e0f822302c1b4_JaffaCakes118.exe
Processes

Process: C:\Users\Admin\AppData\Local\Temp\6860e961f1f73b8e447e0f822302c1b4_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\6860e961f1f73b8e447e0f822302c1b4_JaffaCakes118.exe"
Tree depth: 1
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID: 4972

Process: C:\Windows\SysWOW64\svchost.exe
Command line: C:\Windows\SysWOW64\svchost.exe -k imgsvc
Tree depth: 1
- Deletes itself
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2072
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 113KB
MD5: 7a5449088bf5920fd891b438e6179889
SHA1: 337c0a27eadc4b1a6f7949dfb6e181508a33daaa
SHA256: 613b890500e680923769cd2dde4269562ac364bb949be166bf7cfb9a37941779
SHA512: 6e0b04bc13986c0f82413922a0d3854f7d87308b8fab2fbe9422f8554076bc90628abc1f772cfa4003485c10c0789826339a091bf9fe3e2167dffdd87350ef3a

Filesize: 98B
MD5: eee6a868acb51ae7b4c25bb6cc79f416
SHA1: b6dd33b3e1af4f3ca5a7742a7aa09f18c3a3813b
SHA256: 26a954952faaafeee6e64bc458f92a7e4376d430d4438d8bd4c3b064af6636b1
SHA512: b987609875e9202a86ea7e50dde68beaada67941916fa88d864c148a13a7b53d3821a9e663da41081984e637e07d7570a73ce90d3f56a08de0ae0922ae57dc34

Filesize: 3.4MB
MD5: 6f578b70079d7c78c8ed2f2026d07cac
SHA1: ce4cd53286378e2daf4f50090c78abe831cc5864
SHA256: a0208b4432f53a136a3236ccc08b7ce1de3f129caf35bb8e89be21789c4c4fdf
SHA512: 3f01c492e844283e4fccd3b1cafe8db3fb500cd49427a054c67dcec37af9ab6ab31ec6297acaaca0f2e25d4ebeed03b4a371cc03bfeb4a8d541783fae41c5939