Analysis
max time kernel: 150s
max time network: 18s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 03/03/2025, 17:49
Behavioral task: behavioral1
Sample: JaffaCakes118_484721c3727b8f2fde9632aae58babdf.dll
Resource: win7-20241010-en
General
Target: JaffaCakes118_484721c3727b8f2fde9632aae58babdf.dll
Size: 8.8MB
MD5: 484721c3727b8f2fde9632aae58babdf
SHA1: ecafaa980c3d90baa1a398ddcfc3fbe26d5daea1
SHA256: 449eb8e8720a4e4a54965cf49a639fe1343bdeeaa14e97d6c9950de9b3ae9e8f
SHA512: 19bbdf117f0811302e1f87dd6ef8fd13e5355294e29752be6e649a541b2c5fe9dd5f3bfb09a2e8c8460b0532606cd09c5318a8a0f75f45b65d6a3605392537bb
SSDEEP: 3072:BvBKS+26Y8zoz4EfZRzUKR/F4pEIbybZuwYc1UqhEEEEEEEEEEEEEEEEEEEEEEEP:N8tA1fYmFEX2ZuwFCT
Malware Config
Signatures
Gh0st RAT payload (1 IoC)
resource: behavioral1/files/0x000f000000012263-3.dat, yara_rule: family_gh0strat
Gh0strat family
Loads dropped DLL (1 IoC)
PID 2552 svchost.exe
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rundll32.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (svchost.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
PID 2552 svchost.exe (64 occurrences)
Suspicious use of AdjustPrivilegeToken (14 IoCs)
PID 928 rundll32.exe: Token: SeBackupPrivilege, Token: SeRestorePrivilege (4 times each)
PID 2552 svchost.exe: Token: SeBackupPrivilege, Token: SeRestorePrivilege (3 times each)
Suspicious use of WriteProcessMemory (7 IoCs)
PID 2540 rundll32.exe wrote to memory of PID 928 (procid_target 29), 7 occurrences
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_484721c3727b8f2fde9632aae58babdf.dll,#1
  PID: 2540
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (child of PID 2540)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_484721c3727b8f2fde9632aae58babdf.dll,#1
    PID: 928
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\svchost.exe
  command line: C:\Windows\SysWOW64\svchost.exe -k imgsvc
  PID: 2552
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 16.6MB
MD5: a788171cfb4984159fefb1cb3661eb63
SHA1: dd7a02276a8638033d264d810889f9f9e048f24c
SHA256: f09cb4a17583f0574dcf452cb694fb41adb27a54c2fe1dc7c129f1b825ec45d0
SHA512: d7016b39fb4ab60a699f4d15f420ca55d1378c42765cec548950da4db411a7e0a271b18ef640fd98f2cb36a758d07dd436f5d873a1eef74099d551cce413edda