Analysis
max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
submitted
29/10/2024, 23:00
Behavioral task
behavioral1
Sample
7d0b60d0835c3add992af1524c4dec8f_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
7d0b60d0835c3add992af1524c4dec8f_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
Target
7d0b60d0835c3add992af1524c4dec8f_JaffaCakes118.exe
Size
130KB
MD5
7d0b60d0835c3add992af1524c4dec8f
SHA1
9765eff5f65679692c050c773c60f90fc23c02f7
SHA256
edfdb2154972ef6d6975ea991e518c70fca4b0e3cbf5232da271d8d0cf75d849
SHA512
505f7982b983bdc9d323af7f0827da1188adbb7504e287221a5ede7aa3de433aeb0dfa0b89630c58774dca573a58acc71041b87501181e07d6b494bf16b660ec
SSDEEP
3072:tZIezg1BjA6nNgPm4eaSbL3efn2OMO/M2RQ:0ezg1BjAQNOOb7GnoO/q
Malware Config
Signatures
Gh0st RAT payload 1 IoCs
resource: behavioral1/files/0x0008000000017429-1.dat
yara_rule: family_gh0strat
Gh0strat family
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\360svc\Parameters\ServiceDll = "C:\\Documents and Settings\\Local User\\360safe.dll"
Process: 7d0b60d0835c3add992af1524c4dec8f_JaffaCakes118.exe
Deletes itself 1 IoCs
pid: 2100
Process: svchost.exe
Loads dropped DLL 1 IoCs
pid: 2100
Process: svchost.exe
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: svchost.exe
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: 7d0b60d0835c3add992af1524c4dec8f_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid: 2492
Process: 7d0b60d0835c3add992af1524c4dec8f_JaffaCakes118.exe
pid: 2492
Process: 7d0b60d0835c3add992af1524c4dec8f_JaffaCakes118.exe
Processes
C:\Users\Admin\AppData\Local\Temp\7d0b60d0835c3add992af1524c4dec8f_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\7d0b60d0835c3add992af1524c4dec8f_JaffaCakes118.exe"
- Server Software Component: Terminal Services DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2492
C:\Windows\SysWOW64\svchost.exe
Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
- Deletes itself
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2100
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
111KB
MD5
7ef6dab74ee4b2a2d27a0bea76adc2e5
SHA1
01764a576c2823f40746e48a060d73cf3408d501
SHA256
2f1b66ae6495ed7a44e39b93ea06995a223f2846641501fb03c07c8d5d0c960a
SHA512
85ae2d911b827db3b655db157744eae3532657a4218c70d7c80b44404b8179a3c3b1763d725eb511971e29c74b0b69e158054a3746fc47d0e5bb498b9781aa2d