Malware Analysis Report

2025-08-05 10:59

Sample ID 241031-e5mlbazhnr
Target 81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118
SHA256 21d3aab64f92f25bdfa45d4fae4d292bef24b086797099bed54e9d13fcfd11a6
Tags gh0strat discovery rat
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 21d3aab64f92f25bdfa45d4fae4d292bef24b086797099bed54e9d13fcfd11a6

Threat Level: Known bad

The file 81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

gh0strat discovery rat

Gh0strat

Gh0st RAT payload

Gh0strat family

Loads dropped DLL

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-10-31 04:31

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-10-31 04:31

Reported 2024-10-31 04:34

Platform win10v2004-20241007-en

Max time kernel 135s

Max time network 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Gh0strat family

gh0strat

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\StormII\%SESSIONNAME%\fppsm.pic C:\Users\Admin\AppData\Local\Temp\81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2440 -ip 2440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 600

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1268 -ip 1268

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 592

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4660 -ip 4660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 592

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 696 -ip 696

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 696 -s 592

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3508 -ip 3508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 592

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4516 -ip 4516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 592

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1488 -ip 1488

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 592

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4688 -ip 4688

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 592

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5116 -ip 5116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 592

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1000 -ip 1000

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1000 -s 592

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3016 -ip 3016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 592

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4204 -ip 4204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 592

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4700 -ip 4700

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 592

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3684 -ip 3684

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 592

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 828 -ip 828

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 592

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3656 -ip 3656

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 592

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2448 -ip 2448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 592

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 688 -ip 688

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 592

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2572 -ip 2572

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 592

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4660 -ip 4660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 592

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1724 -ip 1724

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 592

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4392 -ip 4392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 592

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4352 -ip 4352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 592

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2908 -ip 2908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 592

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 444 -ip 444

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 444 -s 592

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1292 -ip 1292

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 600

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3308 -ip 3308

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 592

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4668 -ip 4668

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 592

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4564 -ip 4564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 592

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4700 -ip 4700

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 592

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1352 -ip 1352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 604

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3760 -ip 3760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 572

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4940 -ip 4940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 592

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1640 -ip 1640

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 600

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1908 -ip 1908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 592

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc

Network


Files


Analysis: behavioral1

Detonation Overview

Submitted 2024-10-31 04:31

Reported 2024-10-31 04:34

Platform win7-20240903-en

Max time kernel 121s

Max time network 129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Gh0strat family

gh0strat

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\StormII\%SESSIONNAME%\fxuvo.pic C:\Users\Admin\AppData\Local\Temp\81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k regsvc

Network

Country Destination Domain Proto
US 8.8.8.8:53 udp

Files

\??\c:\program files (x86)\stormii\%sessionname%\fxuvo.pic

MD5 c16a736dcb64ae6c3733d3fc24141a7e
SHA1 6131ea6281d24ac7f8561b75fac0470943ef1fa8
SHA256 1d0cb4ae7bea1b698e1f964209bec829fcd0752de88692831b4dcc483b3ce3e7
SHA512 d6d97a42d07e39c9370786c378396449e896a28b1ee0788d38926bf9180d280093cb8377614487b144f29dd6d76245456a2ada8da9ff2439e2acaf2a81598edc