Analysis
max time kernel: 133s
max time network: 136s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 31/10/2024, 14:42
Static task: static1
Behavioral task: behavioral1
Sample: 8350a889a8d1c4cae4fe512d2c17b082_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: 8350a889a8d1c4cae4fe512d2c17b082_JaffaCakes118.exe
Size: 96KB
MD5: 8350a889a8d1c4cae4fe512d2c17b082
SHA1: 5f5bcb67b15a9f65a50e5d0a1621483ffa6000b0
SHA256: 6796c3d66bdf05fc451590201e40f1c066086055ef177eb0877316a70a9d5067
SHA512: a69e4863935c6f60355f8106b07dd905a106f58649bfda61ff684d21e04f68abb86822bd308d40fedac134597dc9a12943f9bb3f9ec7812e3adeccc3ded78834
SSDEEP: 1536:CmFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8pr1VJqNueG:CsS4jHS8q/3nTzePCwNUh4E91VBeG
Malware Config
Signatures
- Gh0st RAT payload (2 IoCs)
  resource / yara_rule
  behavioral1/files/0x0009000000016d6d-19.dat / family_gh0strat
  behavioral1/memory/2248-22-0x0000000000400000-0x000000000044E4A4-memory.dmp / family_gh0strat
- Gh0strat family
- Deletes itself (1 IoC)
  pid / Process
  2248 / ghttdjkwpr
- Executes dropped EXE (1 IoC)
  pid / Process
  2248 / ghttdjkwpr
- Loads dropped DLL (3 IoCs)
  pid / Process
  2572 / 8350a889a8d1c4cae4fe512d2c17b082_JaffaCakes118.exe
  2572 / 8350a889a8d1c4cae4fe512d2c17b082_JaffaCakes118.exe
  2956 / svchost.exe
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  description / ioc / Process
  File opened for modification / \??\PhysicalDrive0 / svchost.exe
- Drops file in System32 directory (1 IoC)
  description / ioc / Process
  File created / C:\Windows\SysWOW64\bgtghixaau / svchost.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process
  Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / ghttdjkwpr
  Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / svchost.exe
  Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / 8350a889a8d1c4cae4fe512d2c17b082_JaffaCakes118.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description / ioc / Process
  Key opened / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 / svchost.exe
  Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz / svchost.exe
- Modifies data under HKEY_USERS (6 IoCs)
  description / ioc / Process
  Key created / \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum / svchost.exe
  Set value (int) / \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7" / svchost.exe
  Key created / \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum / svchost.exe
  Key created / \REGISTRY\USER\.DEFAULT\Software / svchost.exe
  Key created / \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft / svchost.exe
  Key created / \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie / svchost.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid / Process
  2248 / ghttdjkwpr
  2956 / svchost.exe
  2956 / svchost.exe
  2956 / svchost.exe
- Suspicious use of AdjustPrivilegeToken (18 IoCs)
  description / pid / Process
  Token: SeRestorePrivilege / 2248 / ghttdjkwpr
  Token: SeBackupPrivilege / 2248 / ghttdjkwpr
  Token: SeBackupPrivilege / 2248 / ghttdjkwpr
  Token: SeRestorePrivilege / 2248 / ghttdjkwpr
  Token: SeBackupPrivilege / 2956 / svchost.exe
  Token: SeRestorePrivilege / 2956 / svchost.exe
  Token: SeBackupPrivilege / 2956 / svchost.exe
  Token: SeBackupPrivilege / 2956 / svchost.exe
  Token: SeSecurityPrivilege / 2956 / svchost.exe
  Token: SeSecurityPrivilege / 2956 / svchost.exe
  Token: SeBackupPrivilege / 2956 / svchost.exe
  Token: SeBackupPrivilege / 2956 / svchost.exe
  Token: SeSecurityPrivilege / 2956 / svchost.exe
  Token: SeBackupPrivilege / 2956 / svchost.exe
  Token: SeBackupPrivilege / 2956 / svchost.exe
  Token: SeSecurityPrivilege / 2956 / svchost.exe
  Token: SeBackupPrivilege / 2956 / svchost.exe
  Token: SeRestorePrivilege / 2956 / svchost.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description / pid / Process / procid_target
  PID 2572 wrote to memory of 2248 / 2572 / 8350a889a8d1c4cae4fe512d2c17b082_JaffaCakes118.exe / 31
  PID 2572 wrote to memory of 2248 / 2572 / 8350a889a8d1c4cae4fe512d2c17b082_JaffaCakes118.exe / 31
  PID 2572 wrote to memory of 2248 / 2572 / 8350a889a8d1c4cae4fe512d2c17b082_JaffaCakes118.exe / 31
  PID 2572 wrote to memory of 2248 / 2572 / 8350a889a8d1c4cae4fe512d2c17b082_JaffaCakes118.exe / 31
Processes
1. C:\Users\Admin\AppData\Local\Temp\8350a889a8d1c4cae4fe512d2c17b082_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8350a889a8d1c4cae4fe512d2c17b082_JaffaCakes118.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2572
   2. \??\c:\users\admin\appdata\local\ghttdjkwpr
      Command line: "C:\Users\Admin\AppData\Local\Temp\8350a889a8d1c4cae4fe512d2c17b082_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\8350a889a8d1c4cae4fe512d2c17b082_jaffacakes118.exe
      - Deletes itself
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2248
1. C:\Windows\SysWOW64\svchost.exe
   Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
   - Loads dropped DLL
   - Writes to the Master Boot Record (MBR)
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Checks processor information in registry
   - Modifies data under HKEY_USERS
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   PID: 2956
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 23.0MB
  MD5: 14bf8ce06fefdd69f2124332bc3e2ec0
  SHA1: d848fd0b291221272eac8202f03fb113fc4577e5
  SHA256: ca01db264be789c6b60e5b7059a0ee724f62b06ff92be8e58e7049a868701f91
  SHA512: 8d648a9d10aed28799fe1a57679d62c92a268994965ee193d1e865ed4b7849da0b1815bdda8737cb0f3cae98ae9e0e554b7ea43d42abc0c43ba1c179d02c023f
- Filesize: 24.9MB
  MD5: 46a15db6efdfc526330e1d6a7a59e6e4
  SHA1: 4f3410aedd656aeaff2070131bc2114739030321
  SHA256: 0b30f1d2173aea0ac47ca3d14fdca3ddb7a6483fb9cadde5ba3738a2e78e68c5
  SHA512: bd9160e717513225784e31b74e98bd9add1fea5d549cb979e2c25395ea7cecff893637af450c5409e3b16f13553c58d95e705a0aee7c21f96b936190a40905fb