Analysis
- max time kernel: 150s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 29/10/2024, 22:06
Behavioral task: behavioral1
- Sample: 7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe
- Resource: win7-20241010-en
General
- Target: 7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe
- Size: 311KB
- MD5: 7ce256076e57d662a6e0b72edc562542
- SHA1: e034d789ea2792780b988c636145e0d6378a624e
- SHA256: 052abface6a82556781baf6890586267f6d18fc9750f7a0e880552d73d46a271
- SHA512: 825e51d48d816f0754db6d2590a049be2e57ac41d399ac82a83029e33e9e05312e50a361db4fc5ca99d1cb7e175111d4c54cc46e1060ac1f2ef74b0b5cef3a39
- SSDEEP: 6144:FibDMGJyE51ZuweB+eqoOfw8Pka4qQM/83UZ0BckmxhK6Wf:YbBX5XmF8Pj3F/OUrkX6+
Malware Config
Signatures
- Gh0st RAT payload (6 IoCs)
  resource | yara_rule
  behavioral1/memory/2736-0-0x0000000000400000-0x0000000000427000-memory.dmp | family_gh0strat
  behavioral1/files/0x001600000001626d-13.dat | family_gh0strat
  behavioral1/memory/2736-17-0x0000000000400000-0x0000000000427000-memory.dmp | family_gh0strat
  behavioral1/memory/2736-19-0x0000000010000000-0x000000001001E000-memory.dmp | family_gh0strat
  behavioral1/files/0x002e00000001604c-22.dat | family_gh0strat
  behavioral1/memory/2780-23-0x0000000010000000-0x000000001001E000-memory.dmp | family_gh0strat
- Gh0strat family
- ACProtect 1.3x - 1.4x DLL software (1 IoC)
  Detects file using ACProtect software.
  resource | yara_rule
  behavioral1/files/0x000b00000001225c-5.dat | acprotect
- Deletes itself (1 IoC)
  pid | Process
  2780 | svchost.exe
- Loads dropped DLL (1 IoC)
  pid | Process
  2736 | 7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe
- Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\FileName.jpg | 7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe
  File created | C:\Windows\FileName.jpg | 7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2780 | svchost.exe (the same entry is repeated for all 64 IoCs)
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  description | pid | Process
  Token: SeBackupPrivilege | 2736 | 7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe
  Token: SeRestorePrivilege | 2736 | 7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe
  Token: SeBackupPrivilege | 2736 | 7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe
  Token: SeRestorePrivilege | 2736 | 7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe
  Token: SeBackupPrivilege | 2736 | 7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe
  Token: SeRestorePrivilege | 2736 | 7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe
  Token: SeBackupPrivilege | 2736 | 7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe
  Token: SeRestorePrivilege | 2736 | 7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  2736 | 7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 2736
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k imgsvc
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 2780
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 105KB
  MD5: a11638396cc03a0c5d9b884caf3a2f49
  SHA1: c8e7eee257e14e07c5e8c0e77b3ac60e607308a0
  SHA256: 328c0d1f7c0f110b9c1687d30c075bcae1ea542340e3af91d449c72d41cb764e
  SHA512: 929417a9d24c379d6317a5f2a169e444f22254c5484318661d4199a768adbc549bf0ce7b615140b6e321734e062c04f21c2cba77a52c0a548856aa009a43fec8
- Filesize: 6.3MB
  MD5: 13c90fe45c094ab94b9b59b4932d9b72
  SHA1: fbcc642e6d01e73b3a15fcaf85bf8726b4346279
  SHA256: fbfc2c293c2b404b95e36a465faf58533e645e7f6104b8ea37e20a7e2349a329
  SHA512: e6811bd7fc8495d4695c74fb49aea0d199bf938d78f8e9d1aa8294f7528dd5e0d391180596dd506b07656f1415c2b86f34091fb2bbe655adf3eb006425773954
- Filesize: 99B
  MD5: a979ea484d61a85dba13ecff470331c4
  SHA1: 33e436395aa6d706d1c2bd85d3d9a23b29487089
  SHA256: 9d21a3d928ff67a542d0338e16ef9526fc2700da93fdb146d8550ab667e4e7e4
  SHA512: 5ad2c6ffa2bdea4a38b5b0b718ca6cfa29f84b945baad47dbad50e23b0f054b97249875d85aa67063170ac458295ef01b604ebc811afb61e63800de50572f856
- Filesize: 172KB
  MD5: 685f1cbd4af30a1d0c25f252d399a666
  SHA1: 6a1b978f5e6150b88c8634146f1406ed97d2f134
  SHA256: 0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4
  SHA512: 6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9