Analysis
max time kernel: 144s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-07-2024 14:59
Static task: static1
Behavioral task: behavioral1
Sample: 7487bbfadde66edddf131b879382a9ef_JaffaCakes118.exe
Resource: win7-20240704-en
General
Target: 7487bbfadde66edddf131b879382a9ef_JaffaCakes118.exe
Size: 184KB
MD5: 7487bbfadde66edddf131b879382a9ef
SHA1: 621299843ef9d362ded456a4114869c1b6763f10
SHA256: 76e3126ddc11909250b1bcf4f7dcd53d2fa4c37f490e202d31326a94131a4932
SHA512: b2dffe7858853ef6c3f82312649bcca9ccfde34173853e4a94f4ec79a2bd2111a088766a5812755a95abb2401ab398fb393976772e6d934e7f1c0ede56a7d19a
SSDEEP: 3072:R4OgRg6b0uaPWmgcnQqm7C9rMxRAxWm+H3VkENlz+B2OP5nTw1aIWeNn8Sl:R4Oc0ue9xnQqmGqA5+XVkENl6/PNCpWS
Malware Config
Signatures

Gh0st RAT payload 5 IoCs
Processes:
resource | yara_rule
\??\c:\programdata\application data\storm\update\%sessionname%\byqjx.cc3 | family_gh0strat
behavioral2/memory/2400-11-0x0000000000400000-0x0000000000433000-memory.dmp | family_gh0strat
behavioral2/memory/2540-14-0x0000000020000000-0x0000000020027000-memory.dmp | family_gh0strat
behavioral2/memory/3376-19-0x0000000020000000-0x0000000020027000-memory.dmp | family_gh0strat
behavioral2/memory/1768-24-0x0000000020000000-0x0000000020027000-memory.dmp | family_gh0strat
Deletes itself 1 IoCs
Processes:
pid | process
2540 | svchost.exe
Loads dropped DLL 3 IoCs
Processes:
pid | process
2540 | svchost.exe
3376 | svchost.exe
1768 | svchost.exe
Drops file in System32 directory 6 IoCs
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\qkiqqhghmk | svchost.exe
File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | svchost.exe
File created | C:\Windows\SysWOW64\qkiqqhghmk | svchost.exe
File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | svchost.exe
File created | C:\Windows\SysWOW64\qtwjykifaf | svchost.exe
File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | svchost.exe
Program crash 3 IoCs
Processes:
pid | pid_target | process | target process
2268 | 2540 | WerFault.exe | svchost.exe
2816 | 3376 | WerFault.exe | svchost.exe
4792 | 1768 | WerFault.exe | svchost.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7487bbfadde66edddf131b879382a9ef_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid | process
2400 | 7487bbfadde66edddf131b879382a9ef_JaffaCakes118.exe
2400 | 7487bbfadde66edddf131b879382a9ef_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 46 IoCs
Processes:
description | pid | process
Token: SeRestorePrivilege | 2400 | 7487bbfadde66edddf131b879382a9ef_JaffaCakes118.exe
Token: SeBackupPrivilege | 2400 | 7487bbfadde66edddf131b879382a9ef_JaffaCakes118.exe
Token: SeBackupPrivilege | 2400 | 7487bbfadde66edddf131b879382a9ef_JaffaCakes118.exe
Token: SeRestorePrivilege | 2400 | 7487bbfadde66edddf131b879382a9ef_JaffaCakes118.exe
Token: SeBackupPrivilege | 2540 | svchost.exe
Token: SeRestorePrivilege | 2540 | svchost.exe
Token: SeBackupPrivilege | 2540 | svchost.exe
Token: SeBackupPrivilege | 2540 | svchost.exe
Token: SeSecurityPrivilege | 2540 | svchost.exe
Token: SeSecurityPrivilege | 2540 | svchost.exe
Token: SeBackupPrivilege | 2540 | svchost.exe
Token: SeBackupPrivilege | 2540 | svchost.exe
Token: SeSecurityPrivilege | 2540 | svchost.exe
Token: SeBackupPrivilege | 2540 | svchost.exe
Token: SeBackupPrivilege | 2540 | svchost.exe
Token: SeSecurityPrivilege | 2540 | svchost.exe
Token: SeBackupPrivilege | 2540 | svchost.exe
Token: SeRestorePrivilege | 2540 | svchost.exe
Token: SeBackupPrivilege | 3376 | svchost.exe
Token: SeRestorePrivilege | 3376 | svchost.exe
Token: SeBackupPrivilege | 3376 | svchost.exe
Token: SeBackupPrivilege | 3376 | svchost.exe
Token: SeSecurityPrivilege | 3376 | svchost.exe
Token: SeSecurityPrivilege | 3376 | svchost.exe
Token: SeBackupPrivilege | 3376 | svchost.exe
Token: SeBackupPrivilege | 3376 | svchost.exe
Token: SeSecurityPrivilege | 3376 | svchost.exe
Token: SeBackupPrivilege | 3376 | svchost.exe
Token: SeBackupPrivilege | 3376 | svchost.exe
Token: SeSecurityPrivilege | 3376 | svchost.exe
Token: SeBackupPrivilege | 3376 | svchost.exe
Token: SeRestorePrivilege | 3376 | svchost.exe
Token: SeBackupPrivilege | 1768 | svchost.exe
Token: SeRestorePrivilege | 1768 | svchost.exe
Token: SeBackupPrivilege | 1768 | svchost.exe
Token: SeBackupPrivilege | 1768 | svchost.exe
Token: SeSecurityPrivilege | 1768 | svchost.exe
Token: SeSecurityPrivilege | 1768 | svchost.exe
Token: SeBackupPrivilege | 1768 | svchost.exe
Token: SeBackupPrivilege | 1768 | svchost.exe
Token: SeSecurityPrivilege | 1768 | svchost.exe
Token: SeBackupPrivilege | 1768 | svchost.exe
Token: SeBackupPrivilege | 1768 | svchost.exe
Token: SeSecurityPrivilege | 1768 | svchost.exe
Token: SeBackupPrivilege | 1768 | svchost.exe
Token: SeRestorePrivilege | 1768 | svchost.exe
Processes

C:\Users\Admin\AppData\Local\Temp\7487bbfadde66edddf131b879382a9ef_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7487bbfadde66edddf131b879382a9ef_JaffaCakes118.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
  - Deletes itself
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 840
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2540 -ip 2540

C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 1092
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3376 -ip 3376

C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1096
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1768 -ip 1768
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Windows\SysWOW64\svchost.exe.txt
  Filesize: 202B
  MD5: ada121158546303e9573255118a6d895
  SHA1: 608651ef469e38f1866f60e04a5b96135ff2539f
  SHA256: ca039fc30bd64fc03be664860cdd0850d5e7485872388feb3750c39f11320b14
  SHA512: 40c4781182662134dacf53b9cb09aa5eaec616d12b353d7027d7a69154771494d07bc02ee7ea669cbe4fb03a1df595f0b88416b074e02e29d2dbda9c3533b39b

C:\Windows\SysWOW64\svchost.exe.txt
  Filesize: 303B
  MD5: 95c627453860cc7c3cfcda2fd8a00aec
  SHA1: f1f8bbffc4d62c84e2d437e60a0fec19b058a344
  SHA256: 6921a8d03bc3896bc11b972ca13848757cca855e6f64558c8a692ba2c8ca6972
  SHA512: 340911f794c161ac587ac7f7f2cb199185b48143c5fa8ddf500087bdaee8acba60077198c9089e70754db0305ea33701132d182e3a8cd29cf4b83ec3a7c0b82f

\??\c:\programdata\application data\storm\update\%sessionname%\byqjx.cc3
  Filesize: 24.0MB
  MD5: f23779bb12366a62780e189c5b8f40af
  SHA1: a265a1c6b45f8b0b6bb3ca62be342b930389e8a0
  SHA256: 91177fdaf26a4558248bf16b88871b498c71db14af9fd50140703cbf66579303
  SHA512: 0ffd39b94095e41e8760a8db04707fe1509351230eba054cd7f6ae0ae86a0afe97ec82627203dd6530a3242bd9fac3c7016bcfd9e52d65f2f1cc9c26cb2d6b5e

memory/1768-21-0x0000000001DF0000-0x0000000001DF1000-memory.dmp
  Filesize: 4KB

memory/1768-24-0x0000000020000000-0x0000000020027000-memory.dmp
  Filesize: 156KB

memory/2400-1-0x0000000000400000-0x0000000000433000-memory.dmp
  Filesize: 204KB

memory/2400-11-0x0000000000400000-0x0000000000433000-memory.dmp
  Filesize: 204KB

memory/2400-10-0x0000000000540000-0x0000000000576000-memory.dmp
  Filesize: 216KB

memory/2400-0-0x0000000000540000-0x0000000000576000-memory.dmp
  Filesize: 216KB

memory/2540-14-0x0000000020000000-0x0000000020027000-memory.dmp
  Filesize: 156KB

memory/2540-12-0x0000000000FD0000-0x0000000000FD1000-memory.dmp
  Filesize: 4KB

memory/3376-19-0x0000000020000000-0x0000000020027000-memory.dmp
  Filesize: 156KB

memory/3376-16-0x0000000001F40000-0x0000000001F41000-memory.dmp
  Filesize: 4KB