Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/10/2024, 01:13
Static task: static1
Behavioral task: behavioral1
  Sample: 7d609aeabfc7d458ed11ecdfea396ac9_JaffaCakes118.exe
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: 7d609aeabfc7d458ed11ecdfea396ac9_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: 7d609aeabfc7d458ed11ecdfea396ac9_JaffaCakes118.exe
Size: 81KB
MD5: 7d609aeabfc7d458ed11ecdfea396ac9
SHA1: 90f22ed7b071aa0dec5f8b3e342ae00a72563128
SHA256: d1f3c56e5990591bbf45e5a6c03e3e8d4806c4ad1fd432adf172924ede1339f9
SHA512: 50979e715166d64c66ee4caa68ab280f172fc0caaf51e405b053542a57db6b04048e2df78f37b56cd52f891b7c56a6a4ca149da1d170de9e6f916a93aae4e6d2
SSDEEP: 1536:jXALnC0atiq+9Cc73McaTBFb0bJ+oa/xrpnHTlyojsjxNe22JjIHMt:jXh0hq+Yc7Hf4oa5r5sojsj+oMt
Malware Config
Signatures
Gh0st RAT payload (5 IoCs)
resource | yara_rule
behavioral2/memory/1364-3-0x0000000010000000-0x0000000010046000-memory.dmp | family_gh0strat
behavioral2/memory/1364-6-0x0000000010000000-0x0000000010046000-memory.dmp | family_gh0strat
behavioral2/memory/1364-5-0x0000000010000000-0x0000000010046000-memory.dmp | family_gh0strat
behavioral2/memory/1364-7-0x0000000010000000-0x0000000010046000-memory.dmp | family_gh0strat
behavioral2/memory/1364-10-0x0000000010000000-0x0000000010046000-memory.dmp | family_gh0strat

Gh0strat family

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\8C6453B3 = "C:\\Windows\\8C6453B3\\svchsot.exe" | 7d609aeabfc7d458ed11ecdfea396ac9_JaffaCakes118.exe

Drops file in System32 directory (1 IoC)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Default | 7d609aeabfc7d458ed11ecdfea396ac9_JaffaCakes118.exe

Drops file in Windows directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\8C6453B3\svchsot.exe | 7d609aeabfc7d458ed11ecdfea396ac9_JaffaCakes118.exe
File created | C:\Windows\8C6453B3\svchsot.exe | 7d609aeabfc7d458ed11ecdfea396ac9_JaffaCakes118.exe

Program crash (1 IoC)
pid | pid_target | Process | procid_target
2304 | 1364 | WerFault.exe | 86
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7d609aeabfc7d458ed11ecdfea396ac9_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
System Service Discovery (1 TTP, 2 IoCs)
Adversaries may try to gather information about registered local system services.
pid | Process
3664 | net.exe
3720 | net1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid | Process
1364 | 7d609aeabfc7d458ed11ecdfea396ac9_JaffaCakes118.exe
1364 | 7d609aeabfc7d458ed11ecdfea396ac9_JaffaCakes118.exe
1364 | 7d609aeabfc7d458ed11ecdfea396ac9_JaffaCakes118.exe
1364 | 7d609aeabfc7d458ed11ecdfea396ac9_JaffaCakes118.exe
1364 | 7d609aeabfc7d458ed11ecdfea396ac9_JaffaCakes118.exe
1364 | 7d609aeabfc7d458ed11ecdfea396ac9_JaffaCakes118.exe
1364 | 7d609aeabfc7d458ed11ecdfea396ac9_JaffaCakes118.exe
1364 | 7d609aeabfc7d458ed11ecdfea396ac9_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1364 | 7d609aeabfc7d458ed11ecdfea396ac9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1364 | 7d609aeabfc7d458ed11ecdfea396ac9_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 1364 wrote to memory of 3664 | 1364 | 7d609aeabfc7d458ed11ecdfea396ac9_JaffaCakes118.exe | 89
PID 1364 wrote to memory of 3664 | 1364 | 7d609aeabfc7d458ed11ecdfea396ac9_JaffaCakes118.exe | 89
PID 1364 wrote to memory of 3664 | 1364 | 7d609aeabfc7d458ed11ecdfea396ac9_JaffaCakes118.exe | 89
PID 3664 wrote to memory of 3720 | 3664 | net.exe | 91
PID 3664 wrote to memory of 3720 | 3664 | net.exe | 91
PID 3664 wrote to memory of 3720 | 3664 | net.exe | 91
Processes
C:\Users\Admin\AppData\Local\Temp\7d609aeabfc7d458ed11ecdfea396ac9_JaffaCakes118.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\7d609aeabfc7d458ed11ecdfea396ac9_JaffaCakes118.exe"
  PID: 1364
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\net.exe (depth 2)
    command line: net start "Task Scheduler"
    PID: 3664
    - System Location Discovery: System Language Discovery
    - System Service Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net1.exe (depth 3)
      command line: C:\Windows\system32\net1 start "Task Scheduler"
      PID: 3720
      - System Location Discovery: System Language Discovery
      - System Service Discovery
  C:\Windows\SysWOW64\WerFault.exe (depth 2)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 640
    PID: 2304
    - Program crash
C:\Windows\SysWOW64\WerFault.exe (depth 1)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1364 -ip 1364
  PID: 3368