Analysis
max time kernel: 148s
max time network: 139s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 30/10/2024, 00:21
Behavioral task: behavioral1
Sample: 7d3ed07df7fa59df87e75d2adcfb5181_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: 7d3ed07df7fa59df87e75d2adcfb5181_JaffaCakes118.exe
Size: 134KB
MD5: 7d3ed07df7fa59df87e75d2adcfb5181
SHA1: 7dee2262bc70b31667e2f96ebbf6943d3fa2c6b1
SHA256: d4b9c9c3d53bb614bba05b7db0e3f2d06c7c328581019c617ecfb7953cecd277
SHA512: e324e3a9b60b39199a8e72b6fbad7364118607588a1bdf1f311180e985bec42bf5739ae5efffc2ab91f5cd9da257972291b75985f3a4181f6fba97556806db05
SSDEEP: 3072:MMwZSQpKa3VGVnpUlCz764/9xpEEBqbZuwL5iGHeqovv:M3JVGpxx9b3wZuwL4GHeqo
Malware Config
Signatures

Gh0st RAT payload (5 IoCs)
  resource | yara_rule
  behavioral1/files/0x0035000000015ccc-5.dat | family_gh0strat
  behavioral1/files/0x0035000000015ccc-8.dat | family_gh0strat
  behavioral1/memory/2684-9-0x0000000010000000-0x000000001001C000-memory.dmp | family_gh0strat
  behavioral1/files/0x000a0000000122ce-11.dat | family_gh0strat
  behavioral1/memory/2692-12-0x0000000010000000-0x000000001001C000-memory.dmp | family_gh0strat

Gh0strat family

Deletes itself (1 IoC)
  pid | Process
  2692 | svchost.exe

Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\FileName.jpg | 7d3ed07df7fa59df87e75d2adcfb5181_JaffaCakes118.exe
  File created | C:\Windows\FileName.jpg | 7d3ed07df7fa59df87e75d2adcfb5181_JaffaCakes118.exe

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7d3ed07df7fa59df87e75d2adcfb5181_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2692 | svchost.exe  (the same entry is repeated 64 times in the report)

Suspicious use of AdjustPrivilegeToken (8 IoCs)
  description | pid | Process
  Token: SeBackupPrivilege | 2684 | 7d3ed07df7fa59df87e75d2adcfb5181_JaffaCakes118.exe
  Token: SeRestorePrivilege | 2684 | 7d3ed07df7fa59df87e75d2adcfb5181_JaffaCakes118.exe
  (the SeBackupPrivilege / SeRestorePrivilege pair is recorded four times in alternation, 8 entries in total)
Processes

1. C:\Users\Admin\AppData\Local\Temp\7d3ed07df7fa59df87e75d2adcfb5181_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7d3ed07df7fa59df87e75d2adcfb5181_JaffaCakes118.exe"
   PID: 2684
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of AdjustPrivilegeToken

2. C:\Windows\SysWOW64\svchost.exe
   Command line: C:\Windows\SysWOW64\svchost.exe -k imgsvc
   PID: 2692
   - Deletes itself
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 101KB
  MD5: 0f3d0a39f82e6ea8e7a38e2757e0ba8f
  SHA1: c751f50c0032a73c54dc9bf2e915d89a789fa0d6
  SHA256: 3cc95a94fefb27841dfda8f8304c3a54fe3c0312b1026c5ef7fc346ce4a39eda
  SHA512: 8152b0e91a1f4d2a8539b19bd41c2964bfda35cdf13d716cdd5fa78fcbea08c4e00972b2926c047a9e2c43fbe8fee750c9be751aff3ff93b13e1340536e0f6d8

File 2
  Filesize: 111KB
  MD5: dc77777b48685392e3d6a8bd20fcf98f
  SHA1: c3d40c4c0fde171e28de4e8550c80b5b5dd0e8ff
  SHA256: 6fee9c68f4db18b378101a867d6322b4604f761a8716f3db4e1e89a4a07309a5
  SHA512: ae82093034ddc6bb1f5909fb5646242be6f6bdefe9b11044071ce20d0a406e63cb3bfbcc66824268bae04f46b6738de5eef4f0e564966bde0c1e9732ffe7ba4f

File 3
  Filesize: 98B
  MD5: d06706b4fe2418cf3c57d3e0fa69f191
  SHA1: f9badccd6de886f9cd5e88af62e9291c991f8851
  SHA256: 7d91e04744e8ac984a9b38e0d2c1c1dbd466223868e8e935a24f4b33634429e8
  SHA512: f246266bbc77cc6cdb172742268edb51c653e0a9fe7a7cef69d2e38a9d945fb93aa15db65e75c2cd52e76ed1e8798b6316d7b13c00cce423964f1b48a2493f24

File 4
  Filesize: 19.6MB
  MD5: 6e7ce08b697f15b66487f4614a10a6c7
  SHA1: 09c830a5759b088e86c063b6e55b9b6ea6bb803b
  SHA256: 3f9d134399e85e8c958e5fe7b3f7ffb29cdc5f1aa856f2210aa5bc9911fb4dbd
  SHA512: 6ce27af339c58b8e2bbd051aeacd568e55fdaaa3e7b8c8ccc870ab3152d906c4879a156f304dc66e2a38f8bd0aee33febea56e4913a5d9e9ff424b99c8623fe2