Analysis

max time kernel: 150s
max time network: 120s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 31/10/2024, 04:13
Static task: static1
Behavioral task: behavioral1
Sample: 81952b674f43e954dd3a96592ba3ab2d_JaffaCakes118.exe
Resource: win7-20241023-en
General

Target: 81952b674f43e954dd3a96592ba3ab2d_JaffaCakes118.exe
Size: 634KB
MD5: 81952b674f43e954dd3a96592ba3ab2d
SHA1: 4e30fcaf30160d3ef79a74bb65a4993e723b2e25
SHA256: 0634c8f9154a7526157ca6e81df40099f6f123f1faf307e2525b87416e430e44
SHA512: 7d5fa49701dc9f46b45f18639860458544ad4544fd20baef4900a0611792090ecb89199ade74a735c4f6a37fd53bea9cd12746001d2a2360eeffb3192637b3d1
SSDEEP: 12288:HeRJyAkmftckLW+63+sSX5NqvHjBXeq1/xj2hQj3KnO2Q45vQ/Yq2d:+SIftck6OZXMBeq1J6Qj3K446/wd
Malware Config
Signatures
Gh0st RAT payload (5 IoCs)
resource | yara_rule
behavioral1/memory/2928-17-0x0000000002BD0000-0x0000000002BF4000-memory.dmp | family_gh0strat
behavioral1/files/0x000800000001628b-15.dat | family_gh0strat
behavioral1/memory/2820-31-0x0000000000400000-0x0000000000423590-memory.dmp | family_gh0strat
behavioral1/memory/2820-30-0x0000000000404000-0x0000000000424000-memory.dmp | family_gh0strat
behavioral1/memory/2820-43-0x0000000000400000-0x0000000000423590-memory.dmp | family_gh0strat

Gh0strat family
Executes dropped EXE (3 IoCs)
pid | Process
2928 | ~imsinst.exe
2820 | server.exe
2944 | injector.exe
Loads dropped DLL (10 IoCs)
pid | Process
2800 | 81952b674f43e954dd3a96592ba3ab2d_JaffaCakes118.exe
2800 | 81952b674f43e954dd3a96592ba3ab2d_JaffaCakes118.exe
2928 | ~imsinst.exe
2928 | ~imsinst.exe
2928 | ~imsinst.exe
2928 | ~imsinst.exe
2676 | WerFault.exe
2676 | WerFault.exe
2676 | WerFault.exe
2676 | WerFault.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
2676 | 2820 | WerFault.exe | 31
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 81952b674f43e954dd3a96592ba3ab2d_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ~imsinst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | injector.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | server.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2944 | injector.exe (64 identical entries)
Suspicious use of WriteProcessMemory (16 IoCs)
description | pid | Process | procid_target | entries
PID 2800 wrote to memory of 2928 | 2800 | 81952b674f43e954dd3a96592ba3ab2d_JaffaCakes118.exe | 30 | 4
PID 2928 wrote to memory of 2820 | 2928 | ~imsinst.exe | 31 | 4
PID 2928 wrote to memory of 2944 | 2928 | ~imsinst.exe | 32 | 4
PID 2820 wrote to memory of 2676 | 2820 | server.exe | 33 | 4
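The WriteProcessMemory table and the Gh0st RAT YARA table are easier to read together than apart. Every one of the 16 write records falls on one of the four parent/child links that the process tree below also shows (four records per link, with no writes to any process outside that chain), so on its own this signature only restates who spawned whom; the YARA hits on memory dumps of PIDs 2928 and 2820 are what tie the Gh0st payload to specific processes. The script below is an added example, not part of the sandbox report or its tooling: it parses the two tables as copied from this page, deduplicates the write records into spawn edges, decodes the memory-dump names into PID and address range, and prints the resulting tree with the YARA-positive processes tagged. The function names, the output layout and the LEAF_IMAGES lookup (images of PIDs 2944 and 2676, which never appear as a writer and so are taken from the Executes dropped EXE and Program crash tables) are my own.

```python
"""Rebuild this report's spawn chain from its flattened signature tables (added example)."""
import re
from collections import Counter, defaultdict

# The 16 WriteProcessMemory records, copied from the report, one per line.
WPM_TABLE = """\
PID 2800 wrote to memory of 2928 2800 81952b674f43e954dd3a96592ba3ab2d_JaffaCakes118.exe 30
PID 2800 wrote to memory of 2928 2800 81952b674f43e954dd3a96592ba3ab2d_JaffaCakes118.exe 30
PID 2800 wrote to memory of 2928 2800 81952b674f43e954dd3a96592ba3ab2d_JaffaCakes118.exe 30
PID 2800 wrote to memory of 2928 2800 81952b674f43e954dd3a96592ba3ab2d_JaffaCakes118.exe 30
PID 2928 wrote to memory of 2820 2928 ~imsinst.exe 31
PID 2928 wrote to memory of 2820 2928 ~imsinst.exe 31
PID 2928 wrote to memory of 2820 2928 ~imsinst.exe 31
PID 2928 wrote to memory of 2820 2928 ~imsinst.exe 31
PID 2928 wrote to memory of 2944 2928 ~imsinst.exe 32
PID 2928 wrote to memory of 2944 2928 ~imsinst.exe 32
PID 2928 wrote to memory of 2944 2928 ~imsinst.exe 32
PID 2928 wrote to memory of 2944 2928 ~imsinst.exe 32
PID 2820 wrote to memory of 2676 2820 server.exe 33
PID 2820 wrote to memory of 2676 2820 server.exe 33
PID 2820 wrote to memory of 2676 2820 server.exe 33
PID 2820 wrote to memory of 2676 2820 server.exe 33
"""

# PIDs that never write to another process have no image in WPM_TABLE; these two
# come from the "Executes dropped EXE" and "Program crash" tables (my own lookup).
LEAF_IMAGES = {2944: "injector.exe", 2676: "WerFault.exe"}

# The five "Gh0st RAT payload" YARA hits, copied from the report.
YARA_HITS = [
    "behavioral1/memory/2928-17-0x0000000002BD0000-0x0000000002BF4000-memory.dmp",
    "behavioral1/files/0x000800000001628b-15.dat",
    "behavioral1/memory/2820-31-0x0000000000400000-0x0000000000423590-memory.dmp",
    "behavioral1/memory/2820-30-0x0000000000404000-0x0000000000424000-memory.dmp",
    "behavioral1/memory/2820-43-0x0000000000400000-0x0000000000423590-memory.dmp",
]

# "PID <src> wrote to memory of <dst> <src> <image> <procid_target>"; \1 enforces the repeated pid.
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")
# "memory/<pid>-<dump seq>-<start>-<end>-memory.dmp"
MEM_RE = re.compile(r"memory/(\d+)-(\d+)-(0x[0-9A-Fa-f]+)-(0x[0-9A-Fa-f]+)-memory\.dmp$")


def parse_wpm(table):
    """Distinct (src, dst) edges in first-seen order, pid -> image, and repeat count per edge."""
    edges, images, repeats = [], {}, Counter()
    for m in WPM_RE.finditer(table):
        src, dst, image = int(m.group(1)), int(m.group(2)), m.group(3)
        images[src] = image
        if (src, dst) not in repeats:
            edges.append((src, dst))
        repeats[(src, dst)] += 1
    return edges, images, repeats


def parse_memory_hits(hits):
    """pid -> [(start, end, size)] for YARA hits on memory dumps; hits on dropped files are skipped."""
    by_pid = defaultdict(list)
    for h in hits:
        m = MEM_RE.search(h)
        if m is None:
            continue  # behavioral1/files/... is a file on disk, not a process memory region
        start, end = int(m.group(3), 16), int(m.group(4), 16)
        by_pid[int(m.group(1))].append((start, end, end - start))
    return dict(by_pid)


def render_tree(edges, images, hits, root):
    """Indented spawn tree; processes with a Gh0st YARA hit in memory are tagged."""
    children = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
    lines = []

    def walk(pid, depth):
        tag = " [gh0strat in memory]" if pid in hits else ""
        lines.append("  " * depth + f"{pid} {images.get(pid, '?')}{tag}")
        for child in children[pid]:
            walk(child, depth + 1)

    walk(root, 0)
    return lines


def report():
    """Parse both tables and return (edges, repeats, memory hits, rendered tree)."""
    edges, images, repeats = parse_wpm(WPM_TABLE)
    images.update(LEAF_IMAGES)
    hits = parse_memory_hits(YARA_HITS)
    return edges, repeats, hits, render_tree(edges, images, hits, root=2800)


if __name__ == "__main__":
    edges, repeats, hits, tree = report()
    print("\n".join(tree))
    for (src, dst), n in repeats.items():
        print(f"edge {src}->{dst} recorded {n} times")
    for pid, regions in hits.items():
        for start, end, size in regions:
            print(f"pid {pid}: gh0strat match in {start:#x}-{end:#x} ({size} bytes)")
```

Run as-is it prints the four-edge tree rooted at PID 2800, with ~imsinst.exe (2928) and server.exe (2820) tagged, and decodes the dump names: the 2928 hit is a 0x24000-byte region at 0x2BD0000 outside any image base, while all three 2820 hits sit at the 0x400000 image base of server.exe, which is where a PE loaded from disk would normally live. The dropped-file hit (behavioral1/files/0x000800000001628b-15.dat) is deliberately skipped because its name carries no PID.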
Processes

C:\Users\Admin\AppData\Local\Temp\81952b674f43e954dd3a96592ba3ab2d_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\81952b674f43e954dd3a96592ba3ab2d_JaffaCakes118.exe"
  PID: 2800
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\~imsinst.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\~imsinst.exe" C:\Users\Admin\AppData\Local\Temp\81952b674f43e954dd3a96592ba3ab2d_JaffaCakes118.exe
    PID: 2928
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\server.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      PID: 2820
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 88
        PID: 2676
        - Loads dropped DLL
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\injector.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\injector.exe"
      PID: 2944
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 469KB
MD5: 9a93e6486634cab1d1ad67184fe77db3
SHA1: b9396cb5437636dc9f9f3583d402af585c8ac4bc
SHA256: 309bff2bbb434c01f41ada6e894f67fa99689d10ba427124475b7a7636a7a2b1
SHA512: 1abb64cd7e4aba33ee28d220678c207871907930ff169da682e8e8900169668e50766aa28ebddf67e36e6d8c495da3971b67f8d0df3b17c548bff76166956100

Filesize: 141KB
MD5: c81ae2d052af4a2a126cf5fe5ac498a8
SHA1: 103e74bb464d0dcc5ca944b6678192bda04c8a04
SHA256: f21be85cd5b57960db671261b03e99cd7b8f6979fc10330ad0ffadb249c2013a
SHA512: 74753153e371496b0ce92788cd19773b0049876002b319e3f4fb9f8c8504135b8fd88719240ae09c9a0a01fa46320db9d6ad8e6a204dfc29acb775510c7ed30b

Filesize: 634KB (same hashes as the submitted sample)
MD5: 81952b674f43e954dd3a96592ba3ab2d
SHA1: 4e30fcaf30160d3ef79a74bb65a4993e723b2e25
SHA256: 0634c8f9154a7526157ca6e81df40099f6f123f1faf307e2525b87416e430e44
SHA512: 7d5fa49701dc9f46b45f18639860458544ad4544fd20baef4900a0611792090ecb89199ade74a735c4f6a37fd53bea9cd12746001d2a2360eeffb3192637b3d1