Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 29/10/2024, 22:52
Static task: static1
Behavioral task: behavioral1
  Sample: 7d055ccb42eb596df67022c40bd9f9c8_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 7d055ccb42eb596df67022c40bd9f9c8_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: 7d055ccb42eb596df67022c40bd9f9c8_JaffaCakes118.exe
Size: 168KB
MD5: 7d055ccb42eb596df67022c40bd9f9c8
SHA1: 4594ff62de294665eaf1d40ed5c01900151e30ef
SHA256: d7e1c7cd4ab384a7ee62e691d3551bfba693ab3e0d7876d8d976d04e67050478
SHA512: af2ac640b5decee17c374a00836f4daa932e1b0922f2e048a0a2c48fdb21297c538fea91ee68e34322055b96ec30aa1571bb08c7c4dff23a1bfc3ea1b30a8bac
SSDEEP: 3072:J0U8dYKCjUTZ4A2+2YBVjYOZyG7+x7hcLxKl:a2jOZt2+2YnjYbquhcLxKl
Malware Config
Signatures
Gh0st RAT payload (2 IoCs)
  resource: behavioral1/memory/2636-4-0x0000000000400000-0x000000000042C000-memory.dmp, yara_rule: family_gh0strat
  resource: behavioral1/files/0x0004000000004ed7-3.dat, yara_rule: family_gh0strat
Gh0strat family
Server Software Component: Terminal Services DLL (1 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\fastuserswitchingcompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\ntfastuserswitchingcompatibility.dll"
  Process: 7d055ccb42eb596df67022c40bd9f9c8_JaffaCakes118.exe
Loads dropped DLL (1 IoCs)
  pid: 2832, Process: svchost.exe
Drops file in System32 directory (3 IoCs)
  description: File opened for modification, ioc: C:\Windows\SysWOW64\ntfastuserswitchingcompatibility.dll.del, Process: 7d055ccb42eb596df67022c40bd9f9c8_JaffaCakes118.exe
  description: File opened for modification, ioc: C:\Windows\SysWOW64\ntfastuserswitchingcompatibility.dll, Process: 7d055ccb42eb596df67022c40bd9f9c8_JaffaCakes118.exe
  description: File opened for modification, ioc: C:\Windows\SysWOW64\d2f5ca0e.del, Process: 7d055ccb42eb596df67022c40bd9f9c8_JaffaCakes118.exe
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  An attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: svchost.exe
Processes
C:\Users\Admin\AppData\Local\Temp\7d055ccb42eb596df67022c40bd9f9c8_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7d055ccb42eb596df67022c40bd9f9c8_JaffaCakes118.exe"
  PID: 2636
  - Server Software Component: Terminal Services DLL
  - Drops file in System32 directory
C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
  PID: 2832
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 140KB
MD5: 3d199ef209f60d8cfb26af72f8fc3e7f
SHA1: 4509774206ac3d59fce820ec65d732d03d13fce6
SHA256: 60f0d05f2938e1438b87ec4a85c6991e4592f0423a5643293bc93895fd3fd42b
SHA512: 0c39508395bf79a4a5ee63ecb82c2276b868ae24447ca48bcce1a76904a0cf0941fd520a32ea39e9aa77506d70b60db20723b7db2014440a6adc24e123adfc6e