Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/10/2024, 00:21
Behavioral task: behavioral1
Sample: 7d3ed07df7fa59df87e75d2adcfb5181_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: 7d3ed07df7fa59df87e75d2adcfb5181_JaffaCakes118.exe
Size: 134KB
MD5: 7d3ed07df7fa59df87e75d2adcfb5181
SHA1: 7dee2262bc70b31667e2f96ebbf6943d3fa2c6b1
SHA256: d4b9c9c3d53bb614bba05b7db0e3f2d06c7c328581019c617ecfb7953cecd277
SHA512: e324e3a9b60b39199a8e72b6fbad7364118607588a1bdf1f311180e985bec42bf5739ae5efffc2ab91f5cd9da257972291b75985f3a4181f6fba97556806db05
SSDEEP: 3072:MMwZSQpKa3VGVnpUlCz764/9xpEEBqbZuwL5iGHeqovv:M3JVGpxx9b3wZuwL4GHeqo
Malware Config
Signatures
-
Gh0st RAT payload (2 IoCs)
resource                                     yara_rule
behavioral2/files/0x000a000000023c8f-2.dat   family_gh0strat
behavioral2/files/0x0012000000023b56-11.dat  family_gh0strat
Gh0strat family
-
Deletes itself (1 IoC)
pid   Process
1940  svchost.exe
Loads dropped DLL (2 IoCs)
pid   Process
2984  7d3ed07df7fa59df87e75d2adcfb5181_JaffaCakes118.exe
1940  svchost.exe
Drops file in Windows directory (2 IoCs)
description                   ioc                       Process
File opened for modification  C:\Windows\FileName.jpg   7d3ed07df7fa59df87e75d2adcfb5181_JaffaCakes118.exe
File created                  C:\Windows\FileName.jpg   7d3ed07df7fa59df87e75d2adcfb5181_JaffaCakes118.exe
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                           Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  7d3ed07df7fa59df87e75d2adcfb5181_JaffaCakes118.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process
1940  svchost.exe   (same entry repeated 64 times)
Suspicious behavior: LoadsDriver (6 IoCs)
pid   Process
4     Process not Found   (5 entries)
656   Process not Found   (1 entry)
Suspicious use of AdjustPrivilegeToken (8 IoCs)
description                pid   Process
Token: SeBackupPrivilege   2984  7d3ed07df7fa59df87e75d2adcfb5181_JaffaCakes118.exe
Token: SeRestorePrivilege  2984  7d3ed07df7fa59df87e75d2adcfb5181_JaffaCakes118.exe
(the SeBackupPrivilege / SeRestorePrivilege pair above is repeated 4 times, 8 entries in total)
Processes
-
C:\Users\Admin\AppData\Local\Temp\7d3ed07df7fa59df87e75d2adcfb5181_JaffaCakes118.exe
command line: "C:\Users\Admin\AppData\Local\Temp\7d3ed07df7fa59df87e75d2adcfb5181_JaffaCakes118.exe"
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID: 2984
-
C:\Windows\SysWOW64\svchost.exe
command line: C:\Windows\SysWOW64\svchost.exe -k imgsvc
- Deletes itself
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 1940
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 101KB
MD5: 0f3d0a39f82e6ea8e7a38e2757e0ba8f
SHA1: c751f50c0032a73c54dc9bf2e915d89a789fa0d6
SHA256: 3cc95a94fefb27841dfda8f8304c3a54fe3c0312b1026c5ef7fc346ce4a39eda
SHA512: 8152b0e91a1f4d2a8539b19bd41c2964bfda35cdf13d716cdd5fa78fcbea08c4e00972b2926c047a9e2c43fbe8fee750c9be751aff3ff93b13e1340536e0f6d8
-
Filesize: 99B
MD5: 91202ead1372f735e58f7695d1f484d5
SHA1: 8219a0c2e5679e4a5f2739f56eb5ad4b6f2357f6
SHA256: 03d3155c60164c8c9a88591c24f6f44c1a2a21a3d2bfbdb80f801c6449263b34
SHA512: b4957694128c3258799f9b4b2098746f381bf008e160db5793081b757b1830fd378ca519f90abd51da19f0a2ff726a01cd3f021a49c063b847b5846453196529
-
Filesize: 7.5MB
MD5: 9e7735878e330566435800a1215a04ea
SHA1: 6ccac55f336f90d835f4ededea1b4854a4d41041
SHA256: 7a0151287307563b75e9781e4192c2650164ccd048511215ab9a6237f45c06b4
SHA512: 92e68f3a60f08f063c08b38c425d4c1f9cf398fcf256571a44acc308f3c5a417567b33608ff6d70aa73fcad0295c6205e1cae098ca14503d58160383d49f87bb