Analysis
max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
31/10/2024, 05:57
Behavioral task
behavioral1
Sample
81e46be0cb151d66b5bd422528ffab37_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
81e46be0cb151d66b5bd422528ffab37_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
Target
81e46be0cb151d66b5bd422528ffab37_JaffaCakes118.exe
Size
84KB
MD5
81e46be0cb151d66b5bd422528ffab37
SHA1
d71ac138dbfa069c88e9aa239d55c94dfa088c42
SHA256
61f68d3d924510e7c83516699349c45308dec2485d15bcee111ee3bb6ada5717
SHA512
1c1722f9e70d2f61494a20edda32639183e357cafa3741cef8853b5a9246d63bfb5446e5166fc21dbd3baa1bffe02429947aaf03d07955b24a512953506e6d23
SSDEEP
1536:Tyn/zLB79H6r7Tw9NdFJOSL+YQtfAEAif0GweFcoAjfMG8npPEe8qZJYqZRt:Tyn/zL76r7Tw9NdFJOpl3fQeFDADMG8B
Malware Config
Signatures
Gh0st RAT payload (5 IoCs)
resource | yara_rule
behavioral2/memory/2028-0-0x0000000000400000-0x0000000000417000-memory.dmp | family_gh0strat
behavioral2/files/0x0003000000022a9f-3.dat | family_gh0strat
behavioral2/memory/2028-5-0x0000000000400000-0x0000000000417000-memory.dmp | family_gh0strat
behavioral2/memory/920-6-0x0000000010000000-0x0000000010013000-memory.dmp | family_gh0strat
behavioral2/memory/920-7-0x0000000010000000-0x0000000010013000-memory.dmp | family_gh0strat
Gh0strat family
Server Software Component: Terminal Services DLL (1 TTPs, 1 IoCs)
The sample registers its dropped DLL as the ServiceDll of the FastUserSwitchingCompatibility service, so the DLL is loaded by a service host process rather than by the sample itself (see the SVCHOSt.ExE -K NETSVCS -s FastUserSwitchingCompatibility process, PID 920, under Processes). The registry value names system32 while the file IoCs below show SysWOW64; this is consistent with a 32-bit sample, for which WOW64 file-system redirection maps System32 writes to SysWOW64, and the 32-bit svchost launched from SysWOW64 resolves the same path the same way.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\bdesfvc.dll" | 81e46be0cb151d66b5bd422528ffab37_JaffaCakes118.exe
Deletes itself (1 IoCs)
pid | Process
920 | SVCHOSt.ExE
Loads dropped DLL (1 IoCs)
pid | Process
920 | SVCHOSt.ExE
Drops file in System32 directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\bdesfvc.dll | 81e46be0cb151d66b5bd422528ffab37_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\bdesfvc.dll | 81e46be0cb151d66b5bd422528ffab37_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\mstmp | 81e46be0cb151d66b5bd422528ffab37_JaffaCakes118.exe
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 81e46be0cb151d66b5bd422528ffab37_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SVCHOSt.ExE
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | SVCHOSt.ExE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | SVCHOSt.ExE
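A hunt for the persistence shown in the Terminal Services DLL signature above, added here as an example; it is not part of this report and not code from the sandbox vendor. It parses ServiceDll writes out of registry IoC lines in the report's own "Set value (str) <key> = "<data>"" format, compares each against a baseline of expected ServiceDll file names, and reports the SysWOW64 path a 32-bit writer would actually have produced. The baseline entries and the second (benign) sample line are constructed for illustration; the first sample line is the write shown on this page. The read_servicedlls_from_registry() helper runs the same check against a live Windows host.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input. The first line is the ServiceDll write from this
# report, in the sandbox's own line format; the second is a constructed
# benign write for contrast (not from the page).
SANDBOX_REG_LINES: List[str] = [
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services'
    r'\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\bdesfvc.dll"',
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services'
    r'\Schedule\Parameters\ServiceDll = "%SystemRoot%\\system32\\schedsvc.dll"',
]

# Hypothetical baseline: service name (lowercase) -> expected ServiceDll file
# name, as you would snapshot it from a known-clean host of the same build.
BASELINE: Dict[str, str] = {
    "schedule": "schedsvc.dll",
    "lanmanserver": "srvsvc.dll",
}

# Matches "...\Services\<service>\Parameters\ServiceDll = "<data>"" inside a line.
_SERVICEDLL_RE = re.compile(
    r'\\Services\\(?P<service>[^\\]+)\\Parameters\\ServiceDll\s*=\s*"(?P<dll>[^"]+)"',
    re.IGNORECASE,
)


def parse_servicedll_writes(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (service, ServiceDll path) pairs from sandbox registry IoC lines.
    The sandbox doubles backslashes inside the quoted data, so collapse them."""
    writes: List[Tuple[str, str]] = []
    for line in lines:
        m = _SERVICEDLL_RE.search(line)
        if m:
            dll = m.group("dll").replace("\\\\", "\\")
            writes.append((m.group("service"), dll))
    return writes


def wow64_path(path: str) -> str:
    """Path a 32-bit process really writes to when it names %SystemRoot%\\System32:
    WOW64 file-system redirection sends it to SysWOW64. Other paths are returned unchanged."""
    m = re.match(r'(?i)^(?P<root>[a-z]:\\windows|%systemroot%)\\system32\\(?P<rest>.+)$', path)
    if not m:
        return path
    return f"{m.group('root')}\\SysWOW64\\{m.group('rest')}"


def hunt_servicedll(writes: List[Tuple[str, str]], baseline: Dict[str, str]) -> List[dict]:
    """Flag ServiceDll values for services missing from the baseline or whose
    DLL file name differs from the baseline's expectation."""
    findings: List[dict] = []
    for service, dll in writes:
        dll_name = dll.rsplit("\\", 1)[-1].lower()
        expected = baseline.get(service.lower())
        if expected is None:
            reason = "ServiceDll set for a service absent from baseline"
        elif expected != dll_name:
            reason = f"ServiceDll changed from {expected} to {dll_name}"
        else:
            continue
        findings.append({
            "service": service,
            "servicedll": dll,
            "wow64_file": wow64_path(dll),  # where a 32-bit dropper's file actually lands
            "reason": reason,
        })
    return findings


def read_servicedlls_from_registry() -> List[Tuple[str, str]]:
    """Windows only: enumerate HKLM\\SYSTEM\\CurrentControlSet\\Services\\*\\Parameters\\ServiceDll
    so hunt_servicedll() can be run against a live host instead of sandbox output."""
    import winreg  # stdlib on Windows; imported here so the module loads elsewhere
    found: List[Tuple[str, str]] = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as services:
        i = 0
        while True:
            try:
                name = winreg.EnumKey(services, i)
            except OSError:
                break
            i += 1
            try:
                with winreg.OpenKey(services, name + r"\Parameters") as params:
                    dll, _ = winreg.QueryValueEx(params, "ServiceDll")
                    found.append((name, dll))
            except OSError:
                continue  # no Parameters key or no ServiceDll value
    return found


if __name__ == "__main__":
    for finding in hunt_servicedll(parse_servicedll_writes(SANDBOX_REG_LINES), BASELINE):
        print(finding)
```

On a live host, replace the sandbox lines with read_servicedlls_from_registry() and a baseline captured from a clean build; a ServiceDll under a service name the build does not ship, as here, is the finding to escalate, and the SysWOW64 path is the one to collect for hashing.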
Processes
C:\Users\Admin\AppData\Local\Temp\81e46be0cb151d66b5bd422528ffab37_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\81e46be0cb151d66b5bd422528ffab37_JaffaCakes118.exe"
- Server Software Component: Terminal Services DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2028
C:\Windows\SysWOW64\SVCHOSt.ExE
Command line: C:\Windows\SysWOW64\SVCHOSt.ExE -K NETSVCS -s FastUserSwitchingCompatibility
- Deletes itself
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:920
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
68KB
MD5
b999d0cb9e706fda27f79bc088ad5bce
SHA1
6db3d2a1aed81355e94bd92a1c5086d7d4d8b903
SHA256
a278f414b6e18de7fd2316120e5c540626630728eb58fb1018e1a45cc9d915a0
SHA512
5cd896773415e03a98f0fb8e081bdd17602a127eb011c6ce2389589246f2b9464080fa034649e05d4959e8c748063800cf757ecd506bbdc80f0b17e5838301da