Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 23/07/2024, 16:56
Behavioral tasks (sample, resource)
- behavioral1: 686c5ba05c4e8508f857855b96de1c58_JaffaCakes118.exe, win7-20240705-en
- behavioral2: 686c5ba05c4e8508f857855b96de1c58_JaffaCakes118.exe, win10v2004-20240709-en
- behavioral3: CERTIFICATE.dll, win7-20240704-en
- behavioral4: CERTIFICATE.dll, win10v2004-20240709-en
- behavioral5: CERTIFICATE.dll, win7-20240708-en
- behavioral6: CERTIFICATE.dll, win10v2004-20240709-en
- behavioral7: CERTIFICATE.dll, win7-20240704-en
- behavioral8: CERTIFICATE.dll, win10v2004-20240709-en
- behavioral9: CERTIFICATE.dll, win7-20240705-en
- behavioral10: CERTIFICATE.dll, win10v2004-20240709-en
- behavioral11: CERTIFICATE.dll, win7-20240704-en
- behavioral12: CERTIFICATE.dll, win10v2004-20240709-en
- behavioral13: CERTIFICATE.dll, win7-20240705-en
- behavioral14: CERTIFICATE.dll, win10v2004-20240709-en
- behavioral15: CERTIFICATE.dll, win7-20240705-en
- behavioral16: CERTIFICATE.dll, win10v2004-20240704-en
- behavioral17: CERTIFICATE.dll, win7-20240708-en
- behavioral18: CERTIFICATE.dll, win10v2004-20240709-en
- behavioral19: CERTIFICATE.dll, win7-20240705-en
General
- Target: CERTIFICATE.dll
- Size: 105KB
- MD5: 8b9545d61d9a5a00d8814d25d45f48d0
- SHA1: 6cea17c9c7a94145193bd68323d9a3f2106e37e7
- SHA256: 209c3a320b248b4692b95326158b116456104e54005190c729dab03dd5581314
- SHA512: 55359c0f593e0b6f2c578f2017b5aa1c5f36a452fa52869689ce71069371233177680d72a0647ee39721f3747599ac236173ddf7d2cd3536bedc9301a9fa4dae
- SSDEEP: 3072:uvBKS+26Y8zoz4EfZRzUKR/F4pEIbybZuwy1Uq:o8tA1fYmFEX2ZuwyC
Malware Config
Signatures
- Gh0st RAT payload (1 IoC)
  resource: behavioral13/files/0x0009000000019412-3.dat; yara_rule: family_gh0strat
- Loads dropped DLL (1 IoC)
  PID 1320, svchost.exe
- Drops file in Program Files directory (2 IoCs)
  File opened for modification: C:\Program Files (x86)\Jrju\Pcvdijydw.jpg (rundll32.exe)
  File created: C:\Program Files (x86)\Jrju\Pcvdijydw.jpg (rundll32.exe)
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rundll32.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (svchost.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1320, svchost.exe (the same entry is reported 64 times)
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  PID 1788, rundll32.exe: Token SeBackupPrivilege and Token SeRestorePrivilege, alternating, 4 times each
- Suspicious use of WriteProcessMemory (7 IoCs)
  PID 2988 (rundll32.exe) wrote to memory of PID 1788 (procid_target 30), reported 7 times
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\CERTIFICATE.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 2988
  - C:\Windows\SysWOW64\rundll32.exe (child of PID 2988)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\CERTIFICATE.dll,#1
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 1788
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k imgsvc
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 1320
Downloads
- Filesize: 15.4MB
  MD5: 199cf1fcba57fe9905f1ba88c6a4f4da
  SHA1: 0d30737c3f33af44d41f31b867584a7fe80eeb6e
  SHA256: 8a8f3b1ca1e303d59f96e67f0f9ff7eb78f7de4f0f403974a970cbc882a0fb57
  SHA512: f556a5476ededcf2b57269cf8f2ad6dd89bfb3525cb43843ac9ad96289d3969159c065c2c2d26d6caae7ca9f553936fe18f961f6b0e2f69718c12627a7fe9f3f