Analysis
max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/10/2024, 22:06
Behavioral task: behavioral1
Sample: 7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe
Resource: win7-20241010-en
General
Target: 7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe
Size: 311KB
MD5: 7ce256076e57d662a6e0b72edc562542
SHA1: e034d789ea2792780b988c636145e0d6378a624e
SHA256: 052abface6a82556781baf6890586267f6d18fc9750f7a0e880552d73d46a271
SHA512: 825e51d48d816f0754db6d2590a049be2e57ac41d399ac82a83029e33e9e05312e50a361db4fc5ca99d1cb7e175111d4c54cc46e1060ac1f2ef74b0b5cef3a39
SSDEEP: 6144:FibDMGJyE51ZuweB+eqoOfw8Pka4qQM/83UZ0BckmxhK6Wf:YbBX5XmF8Pj3F/OUrkX6+
Malware Config
Signatures
Gh0st RAT payload (4 IoCs)
resource                                                                     yara_rule
behavioral2/memory/3556-0-0x0000000000400000-0x0000000000427000-memory.dmp   family_gh0strat
behavioral2/files/0x000c000000023b7d-10.dat                                  family_gh0strat
behavioral2/files/0x0016000000023adc-19.dat                                  family_gh0strat
behavioral2/memory/3556-21-0x0000000000400000-0x0000000000427000-memory.dmp  family_gh0strat
The two memory hits are the same 0x400000-0x427000 region of PID 3556, dumped at two points in the run; 0x400000 is the default image base for a 32-bit executable, so this is the dropper's own image rather than an injected region. The two .dat entries are files the sample dropped.

Gh0strat family
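The family is identified above by YARA over memory and dropped files, and this report captured no network traffic. As an added example (not part of the report and not taken from this sample), the following Python decodes the classic Gh0st C2 framing documented in the public Gh0st source: a 5-byte tag, then two little-endian 32-bit lengths (total packet length and decompressed payload length), then a zlib-compressed payload. b"Gh0st" is the original tag; forks replace it with another 5-byte string, so the tag is a parameter rather than a constant. The sample payload bytes are constructed for the demonstration.

```python
"""Decoder for the classic Gh0st RAT C2 framing (added example; see lead-in)."""
import struct
import zlib

# Header from the public Gh0st source: 5-byte tag, then two little-endian
# uint32 values, the total packet length (header included) and the size of
# the payload after decompression. 13 bytes in all.
HEADER_FMT = "<5sII"
HEADER_LEN = struct.calcsize(HEADER_FMT)

# b"Gh0st" is the original tag. Forks swap in another 5-byte string, so every
# function takes the tag as a parameter; lift it from a memory dump or pcap.
DEFAULT_TAG = b"Gh0st"


def build_packet(payload: bytes, tag: bytes = DEFAULT_TAG) -> bytes:
    """Frame a plaintext command buffer the way both Gh0st peers do."""
    if len(tag) != 5:
        raise ValueError("tag must be exactly 5 bytes")
    body = zlib.compress(payload)
    return struct.pack(HEADER_FMT, tag, HEADER_LEN + len(body), len(payload)) + body


def parse_packet(data: bytes, tag: bytes = DEFAULT_TAG):
    """Decode one packet at the start of `data`; return (payload, rest).

    Raises ValueError on a tag mismatch, a length that does not fit the
    buffer (truncated TCP segment), or a zlib stream whose decompressed size
    disagrees with the header, so a caller can reject forged framing.
    """
    if len(data) < HEADER_LEN:
        raise ValueError("short header")
    got_tag, total_len, raw_len = struct.unpack_from(HEADER_FMT, data)
    if got_tag != tag:
        raise ValueError("tag mismatch")
    if total_len < HEADER_LEN or total_len > len(data):
        raise ValueError("truncated or malformed packet")
    try:
        payload = zlib.decompress(data[HEADER_LEN:total_len])
    except zlib.error as exc:
        raise ValueError(f"bad zlib body: {exc}") from exc
    if len(payload) != raw_len:
        raise ValueError("decompressed length disagrees with header")
    return payload, data[total_len:]


def split_stream(data: bytes, tag: bytes = DEFAULT_TAG) -> list:
    """Split a reassembled TCP stream into decoded payloads, in order."""
    payloads = []
    while data:
        payload, data = parse_packet(data, tag)
        payloads.append(payload)
    return payloads


def looks_like_gh0st(data: bytes, tag: bytes = DEFAULT_TAG) -> bool:
    """Triage check for a flow or carved buffer: the framing parses cleanly."""
    try:
        parse_packet(data, tag)
        return True
    except ValueError:
        return False


# Constructed sample: in the original source the first byte of the decompressed
# buffer is the command/token code and the rest is that command's own structure.
# These bytes are made up for the demonstration, not captured traffic.
SAMPLE_PAYLOAD = b"\x66" + b"HOSTNAME\x00" + b"\x00" * 32


if __name__ == "__main__":
    pkt = build_packet(SAMPLE_PAYLOAD)
    print(pkt[:HEADER_LEN].hex(), looks_like_gh0st(pkt))
    print(split_stream(pkt + build_packet(b"\x65")))
```

Because the framing is checked three ways (tag, total length against the buffer, decompressed length against the header), `looks_like_gh0st` is usable as a cheap filter over reassembled flows before handing candidates to a full decoder; matching only on the 5-byte tag is what produces false positives on variants that change it.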
ACProtect 1.3x - 1.4x DLL software (1 IoC)
Detects file using ACProtect software.
resource                                    yara_rule
behavioral2/files/0x000c000000023b21-2.dat  acprotect
Deletes itself (1 IoC)
pid   Process
880   svchost.exe
Loads dropped DLL (4 IoCs)
pid    Process
3556   7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe
3556   7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe
3556   7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe
880    svchost.exe
Drops file in Windows directory (2 IoCs)
description                    ioc                       Process
File opened for modification   C:\Windows\FileName.jpg   7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe
File created                   C:\Windows\FileName.jpg   7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description   ioc                                                           Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   svchost.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process
880   svchost.exe   (64 identical entries)
Suspicious behavior: LoadsDriver (6 IoCs)
pid   Process
4     Process not Found   (5 entries)
660   Process not Found
PID 4 is the Windows System process, and neither PID is part of the sample's tracked process tree, so these driver loads cannot be attributed to the sample from this report alone.
Suspicious use of AdjustPrivilegeToken (8 IoCs)
description                 pid    Process
Token: SeBackupPrivilege    3556   7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe
Token: SeRestorePrivilege   3556   7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe
(this SeBackupPrivilege / SeRestorePrivilege pair is enabled four times in alternation)
Suspicious use of SetWindowsHookEx (1 IoC)
pid    Process
3556   7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe
Processes
Both processes sit at the top level of the tree: the sandbox did not observe svchost.exe being spawned by the sample.

1. C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe"
   PID: 3556
   - Loads dropped DLL
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx

1. C:\Windows\SysWOW64\svchost.exe
   command line: C:\Windows\SysWOW64\svchost.exe -k imgsvc
   PID: 880
   - Deletes itself
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
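Host-side detection for the behaviours the signatures and process tree above describe, as an added example that is not part of the Tria.ge report and not the sandbox's own signature logic. The event records are constructed in Sysmon's field naming (EventID 1 process create, 7 image load, 11 file create, 23 file delete). The PIDs, images, the `svchost.exe -k imgsvc` command line, `C:\Windows\FileName.jpg` and the deletion of the dropper by PID 880 are taken from the report; the dropped DLL's path `C:\Users\Admin\AppData\Local\Temp\svc.dll` is a placeholder, because the report lists that DLL only as a hashed artefact and never by path.

```python
"""Detection rules for the report's host behaviours over constructed Sysmon-style
events (added example; see lead-in for what is assumed)."""
from pathlib import PureWindowsPath

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe"
DROPPED_DLL = r"C:\Users\Admin\AppData\Local\Temp\svc.dll"  # assumed path, not from the report
SVCHOST = r"C:\Windows\SysWOW64\svchost.exe"
WINDOWS_ROOT = PureWindowsPath(r"C:\Windows")
# Directories from which a svchost.exe host is expected to load its modules.
TRUSTED_DLL_DIRS = [WINDOWS_ROOT / d for d in ("System32", "SysWOW64", "WinSxS")]

# Constructed events mirroring the report's process tree and IoCs.
EVENTS = [
    {"EventID": 1, "ProcessId": 3556, "Image": DROPPER, "CommandLine": f'"{DROPPER}"'},
    {"EventID": 11, "ProcessId": 3556, "Image": DROPPER, "TargetFilename": r"C:\Windows\FileName.jpg"},
    {"EventID": 11, "ProcessId": 3556, "Image": DROPPER, "TargetFilename": DROPPED_DLL},
    {"EventID": 7, "ProcessId": 3556, "Image": DROPPER, "ImageLoaded": DROPPED_DLL},
    {"EventID": 1, "ProcessId": 880, "Image": SVCHOST, "CommandLine": SVCHOST + " -k imgsvc"},
    {"EventID": 7, "ProcessId": 880, "Image": SVCHOST,
     "ImageLoaded": r"C:\Windows\SysWOW64\kernel32.dll"},  # benign control row
    {"EventID": 7, "ProcessId": 880, "Image": SVCHOST, "ImageLoaded": DROPPED_DLL},
    {"EventID": 23, "ProcessId": 880, "Image": SVCHOST, "TargetFilename": DROPPER},
]


def _norm(path: str) -> str:
    """Case-insensitive, separator-normalised form for path comparisons."""
    return str(PureWindowsPath(path)).lower()


def _under(path: str, directory: PureWindowsPath) -> bool:
    return _norm(path).startswith(_norm(str(directory)) + "\\")


def _parent(path: str) -> str:
    return _norm(str(PureWindowsPath(path).parent))


def detect(events):
    """Run four rules over an ordered event list; return (rule, pid, detail) hits."""
    hits = []
    process_images = {}   # pid -> image path, from process-create events
    created_files = set()  # normalised paths written during the trace
    for ev in events:
        eid, pid, image = ev["EventID"], ev["ProcessId"], ev["Image"]
        if eid == 1:
            process_images[pid] = image
        elif eid == 11:
            target = ev["TargetFilename"]
            created_files.add(_norm(target))
            # "Drops file in Windows directory": a write straight into C:\Windows
            if _parent(target) == _norm(str(WINDOWS_ROOT)):
                hits.append(("write_to_windows_root", pid, target))
        elif eid == 7:
            loaded = ev["ImageLoaded"]
            # "Loads dropped DLL": the module was created earlier in this trace
            if _norm(loaded) in created_files:
                hits.append(("loads_dropped_dll", pid, loaded))
            # A service host pulling a module from outside the system directories
            if (PureWindowsPath(image).name.lower() == "svchost.exe"
                    and not any(_under(loaded, d) for d in TRUSTED_DLL_DIRS)):
                hits.append(("svchost_foreign_dll", pid, loaded))
        elif eid == 23:
            target = ev["TargetFilename"]
            # "Deletes itself": the image of a traced process is removed from disk
            if _norm(target) in {_norm(i) for i in process_images.values()}:
                hits.append(("sample_image_deleted", pid, target))
    return hits


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:24} pid={pid:<5} {detail}")
```

The registry reads of `NLS\Language` flagged above do not appear in this event model: Sysmon records registry writes (EventID 12/13/14) but not reads, so that indicator is only available from a sandbox or a kernel registry-callback source.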
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 105KB
MD5: a11638396cc03a0c5d9b884caf3a2f49
SHA1: c8e7eee257e14e07c5e8c0e77b3ac60e607308a0
SHA256: 328c0d1f7c0f110b9c1687d30c075bcae1ea542340e3af91d449c72d41cb764e
SHA512: 929417a9d24c379d6317a5f2a169e444f22254c5484318661d4199a768adbc549bf0ce7b615140b6e321734e062c04f21c2cba77a52c0a548856aa009a43fec8

Filesize: 172KB
MD5: 685f1cbd4af30a1d0c25f252d399a666
SHA1: 6a1b978f5e6150b88c8634146f1406ed97d2f134
SHA256: 0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4
SHA512: 6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Filesize: 98B
MD5: c6bf54463aef440a5df8b34a0b3d1c0b
SHA1: 773e95f68e4d055577f4d2f3dcca81517e463fcf
SHA256: 8e18768dda394bf613fcc1449cdcb41feaa286682f4db3837552ed8b34a2ffab
SHA512: 333fae7557c2511b8b61d3b2ccb48f1c92307240c7ba64b62ca7318f191ac0b960f47af607c7123691da8437f40a52862a6c9b8d19da95789f617614ea6ab63f

Filesize: 3.9MB
MD5: 23a4a59f17d46fdaf1843d5ea2a005bb
SHA1: 3b2da684fb2a39525e2b2b96c971e6657682b412
SHA256: fdf6afac9b6a725b341f4f6084a3cc47da5c7027faef117552f26a54cc58e18f
SHA512: e1f4ee055267c2ad458c03f5d5abd1bdf84a6e7f1e9ec214bc07dac804e4d6322074fd23ad8d9acdcabb7936465589a1e28188f4bd59ad4c2567b83419a8724e