Analysis Overview
SHA256
21d3aab64f92f25bdfa45d4fae4d292bef24b086797099bed54e9d13fcfd11a6
Threat Level: Known bad
The file 81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Gh0strat
Gh0st RAT payload
Gh0strat family
Loads dropped DLL
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-31 04:31
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-31 04:31
Reported
2024-10-31 04:34
Platform
win10v2004-20241007-en
Max time kernel
135s
Max time network
151s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Gh0strat family
Loads dropped DLL
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\StormII\%SESSIONNAME%\fppsm.pic | C:\Users\Admin\AppData\Local\Temp\81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118.exe | N/A |
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Processes
C:\Users\Admin\AppData\Local\Temp\81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2440 -ip 2440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 600
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1268 -ip 1268
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4660 -ip 4660
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 696 -ip 696
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 696 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3508 -ip 3508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4516 -ip 4516
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1488 -ip 1488
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4688 -ip 4688
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5116 -ip 5116
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1000 -ip 1000
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1000 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3016 -ip 3016
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4204 -ip 4204
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4700 -ip 4700
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3684 -ip 3684
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 828 -ip 828
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3656 -ip 3656
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2448 -ip 2448
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 688 -ip 688
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2572 -ip 2572
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4660 -ip 4660
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1724 -ip 1724
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4392 -ip 4392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4352 -ip 4352
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2908 -ip 2908
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 444 -ip 444
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 444 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1292 -ip 1292
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 600
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3308 -ip 3308
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4668 -ip 4668
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4564 -ip 4564
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4700 -ip 4700
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1352 -ip 1352
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 604
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3760 -ip 3760
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 572
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4940 -ip 4940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1640 -ip 1640
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 600
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1908 -ip 1908
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.116.69.13.in-addr.arpa | udp |
Files
\??\c:\program files (x86)\stormii\%sessionname%\fppsm.pic
| MD5 | e5790c9d694995eb65d1ae7b582a3642 |
| SHA1 | 2295fe5640536ce6fd56050d4a55d61cf7d84d20 |
| SHA256 | 083bf7a33394df14c8afb129c31a3bc325d144f9096a7546e0d6195ce20a61eb |
| SHA512 | 8af9c80d96c68c11635d910ce60cfcad6378c318f0eaca75fe625b310ae0ee0596fecb012ca74df028aeabd34f840aeedb3d10254e1a0bc904eb094359b0e36b |
\??\c:\program files (x86)\stormii\%sessionname%\fppsm.pic
| MD5 | d00e951c26a08be1872143d005418897 |
| SHA1 | 3330f3c1b252730ee031b8201e9e36faa15e5982 |
| SHA256 | 5566d2a16b0ae69c351ffd0a6fb52d3f66e1fd42046ff4b1412fa14f059f3384 |
| SHA512 | b85b056034c5499e9b7431f7658492e9577cbbd148631aa3d3a6e3aa2feca1fbdbb0c0b72ea3304fef9afacface3f4dae87385b143f0d11a3123f1601d34b5dc |
\??\c:\program files (x86)\stormii\%sessionname%\fppsm.pic
| MD5 | 09d5481f0453125d447bcfdb927f0b83 |
| SHA1 | 341243b3b523d525b59e6dfa889e09ce797ab917 |
| SHA256 | 04e81170784885963b0719793f804dd7ebe7f125ab58629ceb526edfb9db1735 |
| SHA512 | f8182eb3d3a813ffabde59aef87414e25ac74fe679fe14c2b16e79a4a3b1e496636bfaf5fb309ec0bdd2313b49fd93e344f144fef1e17aa605a9253bcb79f3dd |
\??\c:\program files (x86)\stormii\%sessionname%\fppsm.pic
| MD5 | f6d462095763613c7244f03bf5e096eb |
| SHA1 | fc30a4bb6d6b3b843835d30df288980cf9cc1a50 |
| SHA256 | 0223b8a2641ac1b3e912594ceafcd173f5309299e88204d7f0e4020f2d1ec6c2 |
| SHA512 | 7eed545209897c1a3ed597f0c14ee1ad85a530cf0058b950304c2cfce653d0646025b485f19f0c75d7d1125705f735a3c9aa45b63398d1507e7bbcaddc636559 |
\??\c:\program files (x86)\stormii\%sessionname%\fppsm.pic
| MD5 | 7edd50a0fd68c825c02c035f45340d21 |
| SHA1 | eecb86a1355c5acd63f1dcdd1e1ba3cf6353f2e1 |
| SHA256 | 3443d45e8c424f97703245c0e07ea478467bc2f3a77e5a2e46ae53a0b7e82a1e |
| SHA512 | 5e65400b518735263b76c622c88dd8f366e03192883954363e7e613b9a110029138848148116f5d6cb46c99d434c870dce78d4a253d2255248e6f3c862c42653 |
\??\c:\program files (x86)\stormii\%sessionname%\fppsm.pic
| MD5 | e92e3bcef586319411d591b578e9ae8f |
| SHA1 | c232a6eb6aa3a91f288b73388dcfb01537735e86 |
| SHA256 | 496427694f4586adc57d9eaadd4be55db978df7aa4545a4c8e9b4c772b67fd3d |
| SHA512 | fa2b7b6e1eabcc216e229d168dbf0bcd3d53f252edb9075c5eb8f868bb0c129aae65a905d72bf9c73435cfc3eb0e30c80c53f66960baf6a635d30bab38127312 |
\??\c:\program files (x86)\stormii\%sessionname%\fppsm.pic
| MD5 | 88cd2aedc28a070bcf311ab25779a725 |
| SHA1 | 077f3b100a2abcbdb39b068b547921d15ded7722 |
| SHA256 | 2f84a24f561f75420f10e2ebd77edd0f8e15e0c8bb59f6d703c3129dc64de298 |
| SHA512 | c52f83627ba34271e88b5c573bedb5b0c8949d9790ebd97ed0caf55db0d6f12a8991bc0a1c5ed1d77479ec9e6336cfc4ee32e3a31512df34e285890de9224294 |
\??\c:\program files (x86)\stormii\%sessionname%\fppsm.pic
| MD5 | d7f20b7d821f244cdad277fc906229a4 |
| SHA1 | dea7ef8baae7b7080a760acc94d6c553a6ee407a |
| SHA256 | 77b484f9ac31b4e1e8df5158dff2ba37ab3a4037e28597ba772c13bf7f502417 |
| SHA512 | c7af461c0275b14965847dd8c4961bd85d5ada18e23866cec1dc02a5b43bfecc087e7c7955bf39adc05f221dfe4a6099b94d0fb6acb47ee7809e626b053c8430 |
\??\c:\program files (x86)\stormii\%sessionname%\fppsm.pic
| MD5 | b552eeec2afb5f1619701856c70e8ea9 |
| SHA1 | 5991137d65c2da2ef839a9ef8c091b7424f4ae55 |
| SHA256 | b7fd720b3dde68cebb19180814117be025bcd0b71dda67a091e664fe80275dcf |
| SHA512 | 53f637cd54a5d6a30da608e689b8a9071755f00c8714b653025c942302160a37ff1dc17590024859cd7ed2d91a34eab8a595367574a44fcefeb145948eadd7c8 |
\??\c:\program files (x86)\stormii\%sessionname%\fppsm.pic
| MD5 | 3f0052f17e264cf849f3c9ea3128ad9b |
| SHA1 | 40b3b67addb0a5345648d212e56a532f2a006239 |
| SHA256 | 3e5ea6fdb31c675c09f08257229c5811cb1f1d32f4fa0559d2ebf597c24932af |
| SHA512 | 03e88f1278d4b8d1099db547aefae919d00cc3d450ca390e2b73380e30dc20ff0e5ae6092c1ced02612753ae62a73de4191b0613ad391b8f37dc0783a096e049 |
C:\Program Files (x86)\StormII\%SESSIONNAME%\fppsm.pic
| MD5 | 48f83d482dcd1d6a4cb4462bf694b631 |
| SHA1 | 515051749d3e095403c60c06db542502ba0bf0f3 |
| SHA256 | b2c1a6b176c916bf0f34e900bf130f60c7953f0d631bf3c8e7d6aa859f3a0567 |
| SHA512 | 321bdea2347ba403d8a98515f29f579dfc40fb20140a4ab9889cd25be58efd9c40d21cfbce843aab2cfe591ae2db16540a2c5af2168f59e7fc577be0705793aa |
C:\Program Files (x86)\StormII\%SESSIONNAME%\fppsm.pic
| MD5 | 3c699587f51a6182334af64228701d66 |
| SHA1 | 58e73f623448a8ae739902b4a651286013f689b9 |
| SHA256 | 33f826fb1fce35eaef0cd6aed7725b02e652d217aa76135d80569b0fdeb92ffa |
| SHA512 | a975cbad3db8a1ea1fd3570fbaf26c98645da75439766faf4db6ac3cd5729a337d304313d44d308bf49a06be6cc18a41fd3abdf9716e6a3df7aa0a73410dccae |
\??\c:\program files (x86)\stormii\%sessionname%\fppsm.pic
| MD5 | d2113ebe12373f7bbc82590a4eec78b6 |
| SHA1 | c887fd1ad065d9db4f52235ab82164f18bce97f7 |
| SHA256 | cf62499f848a5e181a9f1657b38a75a688ad4c1f7e1286ac3ce91e32642deb14 |
| SHA512 | 11b83e39ed52437aaa473914e71fbe552211dd480ffeb9325125f869d2c22d31d21459a4db6ad20f4765fc1e7d95b01e60dda8e8229db9d32042f0acf08e66bf |
C:\Program Files (x86)\StormII\%SESSIONNAME%\fppsm.pic
| MD5 | 744a9d84b2b399818c6b9e4cd277e8ac |
| SHA1 | 2a47ca35f641866994e6fd14f781b9664700fa86 |
| SHA256 | 7832b405b498dd9026cc33676f874b2b7e75e8d9d6020126a1b1a8e73057ad85 |
| SHA512 | 591f552138e4fd42a4d2d8a2e11e7b7c407b83e692f5a7fe4e9b2a803b28719240a79fa020d053a2d14d558d85845be0574b98f03217d2db23557864a3f65a54 |
C:\Program Files (x86)\StormII\%SESSIONNAME%\fppsm.pic
| MD5 | f98e5d2d4727e46f2d97d3ea9815fbe9 |
| SHA1 | 26cdbc40e69e6b27cda7ce2bcd56248692780b9f |
| SHA256 | e22c6b3515013940ef863e29a31a846a15e28dda4a2900a50a6e2e17ee23886a |
| SHA512 | 0bae853ecc0346d242dd7c2920aecc2c58ef0c1cbcac1ecea777ba4f41557f718ec9c7e1608381e5e255c03e37f4f9167b077287f805016dccaa0d37218a67d6 |
C:\Program Files (x86)\StormII\%SESSIONNAME%\fppsm.pic
| MD5 | 4bc24b415a3878dfdeb5bd4c156e4c4e |
| SHA1 | 0b04e1c192decee2a319408dbfa74eb491984ba1 |
| SHA256 | 5318d606493c88a1c2dc54f2895841e216d30ece2dbf0f58b4b2ee5157c1b3fe |
| SHA512 | 79509fd9b3f498d55e26cc347c3319fd558fefad0399fa83702732c6994d521d2bf1f6bbed4af46edcee8d2c4b1d82c8367ec481bbaba95db0012e6b7e5927d4 |
\??\c:\program files (x86)\stormii\%sessionname%\fppsm.pic
| MD5 | 6b58acf5ae439fd5c732e09d786bf1ea |
| SHA1 | 1030327b631ade4590954ed6ede90f26e5b34182 |
| SHA256 | 4f81c06183c190b2ea92a26832a06fae715e24da089aa2cf91e8904b25d8deb0 |
| SHA512 | 8f153621484f82abfb4badf1caf19fb8372aa604d7f2b6ef25c82968e07b7597ebbe00884568d84095523679043c5860b888a65447613164a6687d5fce78a0eb |
C:\Program Files (x86)\StormII\%SESSIONNAME%\fppsm.pic
| MD5 | 3918a4b6a6c04df4ca6440e8fdb55c46 |
| SHA1 | 2e6a099715a323dd943ee5c9f24b11cdf3818927 |
| SHA256 | 6581b00321f9f20912f2b8655a3653fbfc063c49fb0e75c39b63fdc2fa54022a |
| SHA512 | b0c7cfd0f96bdc7ffe4eaba01086fc071bc300256e2fe60a84d87a52fb2e51e6fdffbb648a2991a9a30474551f659111032b30dda10b66885378aaee7a7a82ff |
C:\Program Files (x86)\StormII\%SESSIONNAME%\fppsm.pic
| MD5 | c0ffe2de027dd141a222cbe0429fc8f8 |
| SHA1 | 7721606e7dec417e827cfd23c9cc6f6055273dd1 |
| SHA256 | 3ad386ace35396e5854f08639cff212df1c985c41fa59087ef59a3e7d5994d6e |
| SHA512 | e9adcff986de0724af9dbb2c640ca5dc523d04a0a3d5d28f63c8f4c7114521205e03dba035df52833b61cebdab1d43ccd413bc31f6ed6c07b4f69b604a6ff6fd |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-31 04:31
Reported
2024-10-31 04:34
Platform
win7-20240903-en
Max time kernel
121s
Max time network
129s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Gh0strat
Gh0strat family
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\StormII\%SESSIONNAME%\fxuvo.pic | C:\Users\Admin\AppData\Local\Temp\81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k regsvc
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | | udp |
Files
\??\c:\program files (x86)\stormii\%sessionname%\fxuvo.pic
| MD5 | c16a736dcb64ae6c3733d3fc24141a7e |
| SHA1 | 6131ea6281d24ac7f8561b75fac0470943ef1fa8 |
| SHA256 | 1d0cb4ae7bea1b698e1f964209bec829fcd0752de88692831b4dcc483b3ce3e7 |
| SHA512 | d6d97a42d07e39c9370786c378396449e896a28b1ee0788d38926bf9180d280093cb8377614487b144f29dd6d76245456a2ada8da9ff2439e2acaf2a81598edc |