Analysis
  max time kernel:  139s
  max time network: 123s
  platform:         windows10-2004_x64
  resource:         win10v2004-20241007-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        15/10/2024, 23:11
Static task:     static1
Behavioral task: behavioral1
Sample:          4a6ee7aa6ca06a659c4ff203a49aaee1_JaffaCakes118.exe
Resource:        win7-20240903-en
General
  Target: 4a6ee7aa6ca06a659c4ff203a49aaee1_JaffaCakes118.exe
  Size:   95KB
  MD5:    4a6ee7aa6ca06a659c4ff203a49aaee1
  SHA1:   8c7ccb9bb38e677dff882f2215550221c42c42b3
  SHA256: fb96749e82468a71f853f561482faac7201aed43021ce97f6dcdd6a6e5b4e9ee
  SHA512: c94053b3952016f4fd1c4195641ef7c6ccf34f266ae1df516a7d765bbd48433a726f1d2bca41fc88f0ad502b54e0afa89be4cb7042222d42e0246229146a514b
  SSDEEP: 1536:NPFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8pr4KobKbCkun6fQ:NZS4jHS8q/3nTzePCwNUh4E9toyCku6I
Malware Config
Signatures
Gh0st RAT payload (5 IoCs)
  resource                                                                    yara_rule
  behavioral2/files/0x000b000000023b7d-14.dat                                 family_gh0strat
  behavioral2/memory/1236-16-0x0000000000400000-0x000000000044E5F0-memory.dmp  family_gh0strat
  behavioral2/memory/1324-19-0x0000000020000000-0x0000000020027000-memory.dmp  family_gh0strat
  behavioral2/memory/1532-24-0x0000000020000000-0x0000000020027000-memory.dmp  family_gh0strat
  behavioral2/memory/4936-29-0x0000000020000000-0x0000000020027000-memory.dmp  family_gh0strat

Deletes itself (1 IoC)
  pid   Process
  1236  keidcgotgx

Executes dropped EXE (1 IoC)
  pid   Process
  1236  keidcgotgx

Loads dropped DLL (3 IoCs)
  pid   Process
  1324  svchost.exe
  1532  svchost.exe
  4936  svchost.exe

Drops file in System32 directory (6 IoCs)
  description                   ioc                                     Process
  File created                  C:\Windows\SysWOW64\hrjynemgce          svchost.exe
  File opened for modification  C:\Windows\SysWOW64\svchost.exe.txt     svchost.exe
  File created                  C:\Windows\SysWOW64\hiuffbjioj          svchost.exe
  File opened for modification  C:\Windows\SysWOW64\svchost.exe.txt     svchost.exe
  File created                  C:\Windows\SysWOW64\hrjynemgce          svchost.exe
  File opened for modification  C:\Windows\SysWOW64\svchost.exe.txt     svchost.exe

Program crash (3 IoCs)
  pid   pid_target  Process       procid_target
  1012  1324        WerFault.exe  92
  64    1532        WerFault.exe  97
  2184  4936        WerFault.exe  100
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                           Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   4a6ee7aa6ca06a659c4ff203a49aaee1_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   keidcgotgx
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   svchost.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   svchost.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   svchost.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  1236  keidcgotgx
  1236  keidcgotgx

Suspicious use of AdjustPrivilegeToken (46 IoCs)
  description                 pid   Process
  Token: SeRestorePrivilege   1236  keidcgotgx
  Token: SeBackupPrivilege    1236  keidcgotgx
  Token: SeBackupPrivilege    1236  keidcgotgx
  Token: SeRestorePrivilege   1236  keidcgotgx
  Token: SeBackupPrivilege    1324  svchost.exe
  Token: SeRestorePrivilege   1324  svchost.exe
  Token: SeBackupPrivilege    1324  svchost.exe
  Token: SeBackupPrivilege    1324  svchost.exe
  Token: SeSecurityPrivilege  1324  svchost.exe
  Token: SeSecurityPrivilege  1324  svchost.exe
  Token: SeBackupPrivilege    1324  svchost.exe
  Token: SeBackupPrivilege    1324  svchost.exe
  Token: SeSecurityPrivilege  1324  svchost.exe
  Token: SeBackupPrivilege    1324  svchost.exe
  Token: SeBackupPrivilege    1324  svchost.exe
  Token: SeSecurityPrivilege  1324  svchost.exe
  Token: SeBackupPrivilege    1324  svchost.exe
  Token: SeRestorePrivilege   1324  svchost.exe
  Token: SeBackupPrivilege    1532  svchost.exe
  Token: SeRestorePrivilege   1532  svchost.exe
  Token: SeBackupPrivilege    1532  svchost.exe
  Token: SeBackupPrivilege    1532  svchost.exe
  Token: SeSecurityPrivilege  1532  svchost.exe
  Token: SeSecurityPrivilege  1532  svchost.exe
  Token: SeBackupPrivilege    1532  svchost.exe
  Token: SeBackupPrivilege    1532  svchost.exe
  Token: SeSecurityPrivilege  1532  svchost.exe
  Token: SeBackupPrivilege    1532  svchost.exe
  Token: SeBackupPrivilege    1532  svchost.exe
  Token: SeSecurityPrivilege  1532  svchost.exe
  Token: SeBackupPrivilege    1532  svchost.exe
  Token: SeRestorePrivilege   1532  svchost.exe
  Token: SeBackupPrivilege    4936  svchost.exe
  Token: SeRestorePrivilege   4936  svchost.exe
  Token: SeBackupPrivilege    4936  svchost.exe
  Token: SeBackupPrivilege    4936  svchost.exe
  Token: SeSecurityPrivilege  4936  svchost.exe
  Token: SeSecurityPrivilege  4936  svchost.exe
  Token: SeBackupPrivilege    4936  svchost.exe
  Token: SeBackupPrivilege    4936  svchost.exe
  Token: SeSecurityPrivilege  4936  svchost.exe
  Token: SeBackupPrivilege    4936  svchost.exe
  Token: SeBackupPrivilege    4936  svchost.exe
  Token: SeSecurityPrivilege  4936  svchost.exe
  Token: SeBackupPrivilege    4936  svchost.exe
  Token: SeRestorePrivilege   4936  svchost.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   Process                                              procid_target
  PID 2236 wrote to memory of 1236   2236  4a6ee7aa6ca06a659c4ff203a49aaee1_JaffaCakes118.exe  87
  PID 2236 wrote to memory of 1236   2236  4a6ee7aa6ca06a659c4ff203a49aaee1_JaffaCakes118.exe  87
  PID 2236 wrote to memory of 1236   2236  4a6ee7aa6ca06a659c4ff203a49aaee1_JaffaCakes118.exe  87
Processes

  C:\Users\Admin\AppData\Local\Temp\4a6ee7aa6ca06a659c4ff203a49aaee1_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\4a6ee7aa6ca06a659c4ff203a49aaee1_JaffaCakes118.exe"
    PID: 2236
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    \??\c:\users\admin\appdata\local\keidcgotgx
      command line: "C:\Users\Admin\AppData\Local\Temp\4a6ee7aa6ca06a659c4ff203a49aaee1_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\4a6ee7aa6ca06a659c4ff203a49aaee1_jaffacakes118.exe
      PID: 1236
      - Deletes itself
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\svchost.exe
    command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
    PID: 1324
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 1060
      PID: 1012
      - Program crash

  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1324 -ip 1324
    PID: 4576

  C:\Windows\SysWOW64\svchost.exe
    command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
    PID: 1532
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 920
      PID: 64
      - Program crash

  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1532 -ip 1532
    PID: 1432

  C:\Windows\SysWOW64\svchost.exe
    command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
    PID: 4936
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 872
      PID: 2184
      - Program crash

  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4936 -ip 4936
    PID: 1664
Network
MITRE ATT&CK Enterprise v15
Downloads