Analysis

max time kernel: 121s
max time network: 129s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 31/10/2024, 04:31

Static task: static1
Behavioral task: behavioral1
Sample: 81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118.exe
Resource: win7-20240903-en
General

Target: 81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118.exe
Size: 197KB
MD5: 81a67bf2a59b953f9c0f0204b2e1f3a8
SHA1: a680768c148b963a6b605f3ee53a1db7b77a5e4f
SHA256: 21d3aab64f92f25bdfa45d4fae4d292bef24b086797099bed54e9d13fcfd11a6
SHA512: 2ff6b45b26db7665ce46b024aa6c2b1db14826bf9a83440ebef194f537fb0b9358a2e85b50d3df703bc9c63096ec1ba5caa49cd8d034eec01f80a7810fd26074
SSDEEP: 6144:nOVLnWFcxFtsFkVRTl0QdTmNPPYhnUeqP4:n8LWFc+kV1KIo+PY4
Malware Config
Signatures

Gh0st RAT payload (1 IoCs)
  resource                                     yara_rule
  behavioral1/files/0x0009000000016d31-2.dat   family_gh0strat

Gh0strat family

Loads dropped DLL (3 IoCs)
  pid    Process
  2328   svchost.exe
  2032   svchost.exe
  1896   svchost.exe

Drops file in Program Files directory (1 IoCs)
  description                    ioc                                                      Process
  File opened for modification   C:\Program Files (x86)\StormII\%SESSIONNAME%\fxuvo.pic   81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                            Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   svchost.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   svchost.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   svchost.exe
Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid    Process
  2464   81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description                 pid    Process
  Token: SeRestorePrivilege   2464   81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118.exe
  Token: SeBackupPrivilege    2464   81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118.exe
  Token: SeBackupPrivilege    2464   81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118.exe
  Token: SeRestorePrivilege   2464   81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118.exe
Processes

C:\Users\Admin\AppData\Local\Temp\81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118.exe"
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2464

C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID: 2328

C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID: 2032

C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID: 1896

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k regsvc
  PID: 2836
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 22.1MB
MD5: c16a736dcb64ae6c3733d3fc24141a7e
SHA1: 6131ea6281d24ac7f8561b75fac0470943ef1fa8
SHA256: 1d0cb4ae7bea1b698e1f964209bec829fcd0752de88692831b4dcc483b3ce3e7
SHA512: d6d97a42d07e39c9370786c378396449e896a28b1ee0788d38926bf9180d280093cb8377614487b144f29dd6d76245456a2ada8da9ff2439e2acaf2a81598edc