Analysis
max time kernel: 148s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/10/2024, 14:42
Static task: static1
Behavioral task: behavioral1
Sample: 8350a889a8d1c4cae4fe512d2c17b082_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: 8350a889a8d1c4cae4fe512d2c17b082_JaffaCakes118.exe
Size: 96KB
MD5: 8350a889a8d1c4cae4fe512d2c17b082
SHA1: 5f5bcb67b15a9f65a50e5d0a1621483ffa6000b0
SHA256: 6796c3d66bdf05fc451590201e40f1c066086055ef177eb0877316a70a9d5067
SHA512: a69e4863935c6f60355f8106b07dd905a106f58649bfda61ff684d21e04f68abb86822bd308d40fedac134597dc9a12943f9bb3f9ec7812e3adeccc3ded78834
SSDEEP: 1536:CmFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8pr1VJqNueG:CsS4jHS8q/3nTzePCwNUh4E91VBeG
Malware Config
Signatures
Gh0st RAT payload  5 IoCs
resource                                                                      yara_rule
behavioral2/files/0x000b000000023b81-15.dat                                   family_gh0strat
behavioral2/memory/3924-18-0x0000000000400000-0x000000000044E4A4-memory.dmp   family_gh0strat
behavioral2/memory/736-21-0x0000000020000000-0x0000000020027000-memory.dmp    family_gh0strat
behavioral2/memory/624-26-0x0000000020000000-0x0000000020027000-memory.dmp    family_gh0strat
behavioral2/memory/4980-31-0x0000000020000000-0x0000000020027000-memory.dmp   family_gh0strat
Gh0strat family
Deletes itself  1 IoCs
pid   Process
3924  jhsiytrixg
Executes dropped EXE  1 IoCs
pid   Process
3924  jhsiytrixg
Loads dropped DLL  3 IoCs
pid   Process
736   svchost.exe
624   svchost.exe
4980  svchost.exe
Drops file in System32 directory  6 IoCs
description                   ioc                                  Process
File created                  C:\Windows\SysWOW64\boxfouhqac       svchost.exe
File opened for modification  C:\Windows\SysWOW64\svchost.exe.txt  svchost.exe
File created                  C:\Windows\SysWOW64\bxvsxocual       svchost.exe
File opened for modification  C:\Windows\SysWOW64\svchost.exe.txt  svchost.exe
File created                  C:\Windows\SysWOW64\bgklgrfsng       svchost.exe
File opened for modification  C:\Windows\SysWOW64\svchost.exe.txt  svchost.exe
Program crash  3 IoCs
pid   pid_target  Process       procid_target
996   736         WerFault.exe  92
452   624         WerFault.exe  97
2832  4980        WerFault.exe  102
System Location Discovery: System Language Discovery  1 TTPs  5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  8350a889a8d1c4cae4fe512d2c17b082_JaffaCakes118.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  jhsiytrixg
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe
Suspicious behavior: EnumeratesProcesses  2 IoCs
pid   Process
3924  jhsiytrixg
3924  jhsiytrixg
Suspicious use of AdjustPrivilegeToken  46 IoCs
description                 pid   Process
Token: SeRestorePrivilege   3924  jhsiytrixg
Token: SeBackupPrivilege    3924  jhsiytrixg
Token: SeBackupPrivilege    3924  jhsiytrixg
Token: SeRestorePrivilege   3924  jhsiytrixg
Token: SeBackupPrivilege    736   svchost.exe
Token: SeRestorePrivilege   736   svchost.exe
Token: SeBackupPrivilege    736   svchost.exe
Token: SeBackupPrivilege    736   svchost.exe
Token: SeSecurityPrivilege  736   svchost.exe
Token: SeSecurityPrivilege  736   svchost.exe
Token: SeBackupPrivilege    736   svchost.exe
Token: SeBackupPrivilege    736   svchost.exe
Token: SeSecurityPrivilege  736   svchost.exe
Token: SeBackupPrivilege    736   svchost.exe
Token: SeBackupPrivilege    736   svchost.exe
Token: SeSecurityPrivilege  736   svchost.exe
Token: SeBackupPrivilege    736   svchost.exe
Token: SeRestorePrivilege   736   svchost.exe
Token: SeBackupPrivilege    624   svchost.exe
Token: SeRestorePrivilege   624   svchost.exe
Token: SeBackupPrivilege    624   svchost.exe
Token: SeBackupPrivilege    624   svchost.exe
Token: SeSecurityPrivilege  624   svchost.exe
Token: SeSecurityPrivilege  624   svchost.exe
Token: SeBackupPrivilege    624   svchost.exe
Token: SeBackupPrivilege    624   svchost.exe
Token: SeSecurityPrivilege  624   svchost.exe
Token: SeBackupPrivilege    624   svchost.exe
Token: SeBackupPrivilege    624   svchost.exe
Token: SeSecurityPrivilege  624   svchost.exe
Token: SeBackupPrivilege    624   svchost.exe
Token: SeRestorePrivilege   624   svchost.exe
Token: SeBackupPrivilege    4980  svchost.exe
Token: SeRestorePrivilege   4980  svchost.exe
Token: SeBackupPrivilege    4980  svchost.exe
Token: SeBackupPrivilege    4980  svchost.exe
Token: SeSecurityPrivilege  4980  svchost.exe
Token: SeSecurityPrivilege  4980  svchost.exe
Token: SeBackupPrivilege    4980  svchost.exe
Token: SeBackupPrivilege    4980  svchost.exe
Token: SeSecurityPrivilege  4980  svchost.exe
Token: SeBackupPrivilege    4980  svchost.exe
Token: SeBackupPrivilege    4980  svchost.exe
Token: SeSecurityPrivilege  4980  svchost.exe
Token: SeBackupPrivilege    4980  svchost.exe
Token: SeRestorePrivilege   4980  svchost.exe
Suspicious use of WriteProcessMemory  3 IoCs
description                       pid   Process                                              procid_target
PID 2640 wrote to memory of 3924  2640  8350a889a8d1c4cae4fe512d2c17b082_JaffaCakes118.exe  86
PID 2640 wrote to memory of 3924  2640  8350a889a8d1c4cae4fe512d2c17b082_JaffaCakes118.exe  86
PID 2640 wrote to memory of 3924  2640  8350a889a8d1c4cae4fe512d2c17b082_JaffaCakes118.exe  86
Processes
C:\Users\Admin\AppData\Local\Temp\8350a889a8d1c4cae4fe512d2c17b082_JaffaCakes118.exe  (PID:2640)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8350a889a8d1c4cae4fe512d2c17b082_JaffaCakes118.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    \??\c:\users\admin\appdata\local\jhsiytrixg  (PID:3924)
      Command line: "C:\Users\Admin\AppData\Local\Temp\8350a889a8d1c4cae4fe512d2c17b082_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\8350a889a8d1c4cae4fe512d2c17b082_jaffacakes118.exe
      - Deletes itself
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\svchost.exe  (PID:736)
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe  (PID:996)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 804
      - Program crash

C:\Windows\SysWOW64\WerFault.exe  (PID:3180)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 736 -ip 736

C:\Windows\SysWOW64\svchost.exe  (PID:624)
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe  (PID:452)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 940
      - Program crash

C:\Windows\SysWOW64\WerFault.exe  (PID:4484)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 624 -ip 624

C:\Windows\SysWOW64\svchost.exe  (PID:4980)
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe  (PID:2832)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 880
      - Program crash

C:\Windows\SysWOW64\WerFault.exe  (PID:1948)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4980 -ip 4980
Network
MITRE ATT&CK Enterprise v15
Downloads