Analysis

max time kernel: 141s
max time network: 120s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 30/10/2024, 01:13
Static task: static1

Behavioral task: behavioral1
  Sample: 7d609aeabfc7d458ed11ecdfea396ac9_JaffaCakes118.exe
  Resource: win7-20241023-en

Behavioral task: behavioral2
  Sample: 7d609aeabfc7d458ed11ecdfea396ac9_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General

Target: 7d609aeabfc7d458ed11ecdfea396ac9_JaffaCakes118.exe
Size: 81KB
MD5: 7d609aeabfc7d458ed11ecdfea396ac9
SHA1: 90f22ed7b071aa0dec5f8b3e342ae00a72563128
SHA256: d1f3c56e5990591bbf45e5a6c03e3e8d4806c4ad1fd432adf172924ede1339f9
SHA512: 50979e715166d64c66ee4caa68ab280f172fc0caaf51e405b053542a57db6b04048e2df78f37b56cd52f891b7c56a6a4ca149da1d170de9e6f916a93aae4e6d2
SSDEEP: 1536:jXALnC0atiq+9Cc73McaTBFb0bJ+oa/xrpnHTlyojsjxNe22JjIHMt:jXh0hq+Yc7Hf4oa5r5sojsj+oMt
Malware Config
Signatures

Gh0st RAT payload (4 IoCs)
  resource | yara_rule
  behavioral1/memory/2124-3-0x0000000010000000-0x0000000010046000-memory.dmp | family_gh0strat
  behavioral1/memory/2124-7-0x0000000010000000-0x0000000010046000-memory.dmp | family_gh0strat
  behavioral1/memory/2124-5-0x0000000010000000-0x0000000010046000-memory.dmp | family_gh0strat
  behavioral1/memory/2124-10-0x0000000010000000-0x0000000010046000-memory.dmp | family_gh0strat

Gh0strat family

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\8C6453B3 = "C:\\Windows\\8C6453B3\\svchsot.exe" | 7d609aeabfc7d458ed11ecdfea396ac9_JaffaCakes118.exe

Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\8C6453B3\svchsot.exe | 7d609aeabfc7d458ed11ecdfea396ac9_JaffaCakes118.exe
  File opened for modification | C:\Windows\8C6453B3\svchsot.exe | 7d609aeabfc7d458ed11ecdfea396ac9_JaffaCakes118.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7d609aeabfc7d458ed11ecdfea396ac9_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
System Service Discovery (1 TTP, 2 IoCs)
  Adversaries may try to gather information about registered local system services.
  pid | Process
  2624 | net.exe
  2284 | net1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  2124 | 7d609aeabfc7d458ed11ecdfea396ac9_JaffaCakes118.exe
  2124 | 7d609aeabfc7d458ed11ecdfea396ac9_JaffaCakes118.exe
  2124 | 7d609aeabfc7d458ed11ecdfea396ac9_JaffaCakes118.exe
  2124 | 7d609aeabfc7d458ed11ecdfea396ac9_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2124 | 7d609aeabfc7d458ed11ecdfea396ac9_JaffaCakes118.exe
  Token: SeDebugPrivilege | 2124 | 7d609aeabfc7d458ed11ecdfea396ac9_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 2124 wrote to memory of 2624 | 2124 | 7d609aeabfc7d458ed11ecdfea396ac9_JaffaCakes118.exe | 30
  PID 2124 wrote to memory of 2624 | 2124 | 7d609aeabfc7d458ed11ecdfea396ac9_JaffaCakes118.exe | 30
  PID 2124 wrote to memory of 2624 | 2124 | 7d609aeabfc7d458ed11ecdfea396ac9_JaffaCakes118.exe | 30
  PID 2124 wrote to memory of 2624 | 2124 | 7d609aeabfc7d458ed11ecdfea396ac9_JaffaCakes118.exe | 30
  PID 2624 wrote to memory of 2284 | 2624 | net.exe | 32
  PID 2624 wrote to memory of 2284 | 2624 | net.exe | 32
  PID 2624 wrote to memory of 2284 | 2624 | net.exe | 32
  PID 2624 wrote to memory of 2284 | 2624 | net.exe | 32
Processes

C:\Users\Admin\AppData\Local\Temp\7d609aeabfc7d458ed11ecdfea396ac9_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7d609aeabfc7d458ed11ecdfea396ac9_JaffaCakes118.exe"
  PID: 2124
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\net.exe
    Command line: net start "Task Scheduler"
    PID: 2624
    - System Location Discovery: System Language Discovery
    - System Service Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 start "Task Scheduler"
      PID: 2284
      - System Location Discovery: System Language Discovery
      - System Service Discovery