Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 31/10/2024, 04:13
Static task: static1
Behavioral task: behavioral1
Sample: 81952b674f43e954dd3a96592ba3ab2d_JaffaCakes118.exe
Resource: win7-20241023-en
General
Target: 81952b674f43e954dd3a96592ba3ab2d_JaffaCakes118.exe
Size: 634KB
MD5: 81952b674f43e954dd3a96592ba3ab2d
SHA1: 4e30fcaf30160d3ef79a74bb65a4993e723b2e25
SHA256: 0634c8f9154a7526157ca6e81df40099f6f123f1faf307e2525b87416e430e44
SHA512: 7d5fa49701dc9f46b45f18639860458544ad4544fd20baef4900a0611792090ecb89199ade74a735c4f6a37fd53bea9cd12746001d2a2360eeffb3192637b3d1
SSDEEP: 12288:HeRJyAkmftckLW+63+sSX5NqvHjBXeq1/xj2hQj3KnO2Q45vQ/Yq2d:+SIftck6OZXMBeq1J6Qj3K446/wd
Malware Config
Signatures

Gh0st RAT payload (2 IoCs)
resource | yara_rule
behavioral2/files/0x000a000000023b97-15.dat | family_gh0strat
behavioral2/memory/864-25-0x0000000000400000-0x0000000000423590-memory.dmp | family_gh0strat

Gh0strat family

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | 81952b674f43e954dd3a96592ba3ab2d_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | ~imsinst.exe

Executes dropped EXE (3 IoCs)
pid | Process
2908 | ~imsinst.exe
864 | server.exe
4032 | injector.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
pid | pid_target | Process | procid_target
1676 | 864 | WerFault.exe | 86
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 81952b674f43e954dd3a96592ba3ab2d_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ~imsinst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | server.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | injector.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4032 | injector.exe (64 identical rows, one per IoC)

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 2624 wrote to memory of 2908 | 2624 | 81952b674f43e954dd3a96592ba3ab2d_JaffaCakes118.exe | 85
PID 2624 wrote to memory of 2908 | 2624 | 81952b674f43e954dd3a96592ba3ab2d_JaffaCakes118.exe | 85
PID 2624 wrote to memory of 2908 | 2624 | 81952b674f43e954dd3a96592ba3ab2d_JaffaCakes118.exe | 85
PID 2908 wrote to memory of 864 | 2908 | ~imsinst.exe | 86
PID 2908 wrote to memory of 864 | 2908 | ~imsinst.exe | 86
PID 2908 wrote to memory of 864 | 2908 | ~imsinst.exe | 86
PID 2908 wrote to memory of 4032 | 2908 | ~imsinst.exe | 87
PID 2908 wrote to memory of 4032 | 2908 | ~imsinst.exe | 87
PID 2908 wrote to memory of 4032 | 2908 | ~imsinst.exe | 87
Processes
(process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\81952b674f43e954dd3a96592ba3ab2d_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\81952b674f43e954dd3a96592ba3ab2d_JaffaCakes118.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2624

    C:\Users\Admin\AppData\Local\Temp\~imsinst.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\~imsinst.exe" C:\Users\Admin\AppData\Local\Temp\81952b674f43e954dd3a96592ba3ab2d_JaffaCakes118.exe
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2908

        C:\Users\Admin\AppData\Local\Temp\server.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            PID: 864

            C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 224
                - Program crash
                PID: 1676

        C:\Users\Admin\AppData\Local\Temp\injector.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\injector.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            PID: 4032

C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 864 -ip 864
    PID: 1152
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 469KB
MD5: 9a93e6486634cab1d1ad67184fe77db3
SHA1: b9396cb5437636dc9f9f3583d402af585c8ac4bc
SHA256: 309bff2bbb434c01f41ada6e894f67fa99689d10ba427124475b7a7636a7a2b1
SHA512: 1abb64cd7e4aba33ee28d220678c207871907930ff169da682e8e8900169668e50766aa28ebddf67e36e6d8c495da3971b67f8d0df3b17c548bff76166956100

Filesize: 141KB
MD5: c81ae2d052af4a2a126cf5fe5ac498a8
SHA1: 103e74bb464d0dcc5ca944b6678192bda04c8a04
SHA256: f21be85cd5b57960db671261b03e99cd7b8f6979fc10330ad0ffadb249c2013a
SHA512: 74753153e371496b0ce92788cd19773b0049876002b319e3f4fb9f8c8504135b8fd88719240ae09c9a0a01fa46320db9d6ad8e6a204dfc29acb775510c7ed30b

Filesize: 634KB
MD5: 81952b674f43e954dd3a96592ba3ab2d
SHA1: 4e30fcaf30160d3ef79a74bb65a4993e723b2e25
SHA256: 0634c8f9154a7526157ca6e81df40099f6f123f1faf307e2525b87416e430e44
SHA512: 7d5fa49701dc9f46b45f18639860458544ad4544fd20baef4900a0611792090ecb89199ade74a735c4f6a37fd53bea9cd12746001d2a2360eeffb3192637b3d1