Analysis
-
max time kernel
149s -
max time network
140s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
02/03/2025, 12:20
Behavioral task
behavioral1
Sample
JaffaCakes118_402beb7c001ddf42a7f9b5ae09091dee.dll
Resource
win7-20241010-en
windows7-x64
9 signatures
150 seconds
General
-
Target
JaffaCakes118_402beb7c001ddf42a7f9b5ae09091dee.dll
-
Size
120KB
-
MD5
402beb7c001ddf42a7f9b5ae09091dee
-
SHA1
c148b10c718086b5e6db14fa3c263360606d06f9
-
SHA256
3676864e694cdc3e75e6d600875b7d473055d71d1918ca6625583ed3041b8ec2
-
SHA512
61f810e6de90133820065ad227d58e9a89b46ee6040afa7e55f7282c3df6b89297fafd76a14599e13ea8650e3f23df4c3874812a91254c4404a44b6a985f523d
-
SSDEEP
3072:XaaIIf5xahjfNfpDhBis1MWVUvwLZRrH9N:qWHahJJhA+bUvw1R
Malware Config
Signatures
-
Gh0st RAT payload 2 IoCs
resource yara_rule behavioral1/files/0x0011000000012257-3.dat family_gh0strat behavioral1/memory/1380-4-0x0000000010000000-0x000000001001D000-memory.dmp family_gh0strat -
Gh0strat family
-
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\FileName.jpg rundll32.exe File opened for modification C:\Windows\FileName.jpg rundll32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 944 2508 WerFault.exe 31 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe 1380 svchost.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeBackupPrivilege 2508 rundll32.exe Token: SeRestorePrivilege 2508 rundll32.exe Token: SeBackupPrivilege 2508 rundll32.exe Token: SeRestorePrivilege 2508 rundll32.exe Token: SeBackupPrivilege 2508 rundll32.exe Token: SeRestorePrivilege 2508 rundll32.exe Token: SeBackupPrivilege 2508 rundll32.exe Token: SeRestorePrivilege 2508 rundll32.exe Token: SeBackupPrivilege 1380 svchost.exe Token: SeRestorePrivilege 1380 svchost.exe Token: SeBackupPrivilege 1380 svchost.exe Token: SeRestorePrivilege 1380 svchost.exe Token: SeBackupPrivilege 1380 svchost.exe Token: SeRestorePrivilege 1380 svchost.exe Token: SeBackupPrivilege 1380 svchost.exe Token: SeRestorePrivilege 1380 svchost.exe Token: SeBackupPrivilege 1380 svchost.exe Token: SeRestorePrivilege 1380 svchost.exe Token: SeBackupPrivilege 1380 svchost.exe Token: SeRestorePrivilege 1380 svchost.exe Token: SeBackupPrivilege 1380 svchost.exe Token: SeRestorePrivilege 1380 svchost.exe Token: SeBackupPrivilege 1380 svchost.exe Token: SeRestorePrivilege 1380 svchost.exe Token: SeBackupPrivilege 1380 svchost.exe Token: SeRestorePrivilege 1380 svchost.exe Token: SeBackupPrivilege 1380 svchost.exe Token: SeRestorePrivilege 1380 svchost.exe Token: SeBackupPrivilege 1380 svchost.exe Token: SeRestorePrivilege 1380 svchost.exe Token: SeBackupPrivilege 1380 svchost.exe Token: SeRestorePrivilege 1380 svchost.exe Token: SeBackupPrivilege 1380 svchost.exe Token: SeRestorePrivilege 1380 svchost.exe Token: SeBackupPrivilege 1380 svchost.exe Token: SeRestorePrivilege 1380 svchost.exe Token: SeBackupPrivilege 1380 svchost.exe Token: SeRestorePrivilege 1380 svchost.exe Token: SeBackupPrivilege 1380 svchost.exe Token: SeRestorePrivilege 1380 svchost.exe Token: SeBackupPrivilege 1380 svchost.exe Token: SeRestorePrivilege 1380 svchost.exe Token: SeBackupPrivilege 1380 svchost.exe Token: SeRestorePrivilege 1380 svchost.exe Token: SeBackupPrivilege 1380 svchost.exe Token: SeRestorePrivilege 1380 svchost.exe Token: SeBackupPrivilege 1380 svchost.exe Token: SeRestorePrivilege 1380 svchost.exe Token: SeBackupPrivilege 1380 svchost.exe Token: SeRestorePrivilege 1380 svchost.exe Token: SeBackupPrivilege 1380 svchost.exe Token: SeRestorePrivilege 1380 svchost.exe Token: SeBackupPrivilege 1380 svchost.exe Token: SeRestorePrivilege 1380 svchost.exe Token: SeBackupPrivilege 1380 svchost.exe Token: SeRestorePrivilege 1380 svchost.exe Token: SeBackupPrivilege 1380 svchost.exe Token: SeRestorePrivilege 1380 svchost.exe Token: SeBackupPrivilege 1380 svchost.exe Token: SeRestorePrivilege 1380 svchost.exe Token: SeBackupPrivilege 1380 svchost.exe Token: SeRestorePrivilege 1380 svchost.exe Token: SeBackupPrivilege 1380 svchost.exe Token: SeRestorePrivilege 1380 svchost.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 2272 wrote to memory of 2508 2272 rundll32.exe 31 PID 2272 wrote to memory of 2508 2272 rundll32.exe 31 PID 2272 wrote to memory of 2508 2272 rundll32.exe 31 PID 2272 wrote to memory of 2508 2272 rundll32.exe 31 PID 2272 wrote to memory of 2508 2272 rundll32.exe 31 PID 2272 wrote to memory of 2508 2272 rundll32.exe 31 PID 2272 wrote to memory of 2508 2272 rundll32.exe 31 PID 2508 wrote to memory of 944 2508 rundll32.exe 33 PID 2508 wrote to memory of 944 2508 rundll32.exe 33 PID 2508 wrote to memory of 944 2508 rundll32.exe 33 PID 2508 wrote to memory of 944 2508 rundll32.exe 33
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_402beb7c001ddf42a7f9b5ae09091dee.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_402beb7c001ddf42a7f9b5ae09091dee.dll,#12⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 3603⤵
- Program crash
PID:944
-
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k imgsvc1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1380
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11.5MB
MD5c8c01215adb853da47cfc2a034a9ab44
SHA1378d448c555c121f7a6a77fc462f566f63af1c3b
SHA256d2cc959561770c9ad117b345293229eb082dd189398f94dc41a45f98e54af902
SHA512b41309b84664510e08966a9c4bdc0e4a46946efafe31899c1c470ee568a68afe7faa0006ef431f198f94e3ab16f35e05eceac704037b15f51c42939a703e0e63
