Analysis
max time kernel: 94s
max time network: 16s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 04/03/2025, 17:57
Static task: static1
Behavioral task behavioral1: Sample JaffaCakes118_4ed9a08d90b80dc451fb76cd555f99bb.exe, Resource win7-20240729-en
Behavioral task behavioral2: Sample JaffaCakes118_4ed9a08d90b80dc451fb76cd555f99bb.exe, Resource win10v2004-20250217-en
General
Target: JaffaCakes118_4ed9a08d90b80dc451fb76cd555f99bb.exe
Size: 224KB
MD5: 4ed9a08d90b80dc451fb76cd555f99bb
SHA1: 9a643edefeb91fd3df90c5b968cddffb9782e107
SHA256: 327642ea179b19323851e332c5f54c4127df2696c3f57395b78bff7ccd589b3d
SHA512: 5027effd4369c97366b6ccd1b646c4b8458f05ba270f5ebd093b668d171e542fe3a7f9695f1b56f7931e8ba81c4ec911cf1b60acdcce97adcfa17996351ff62c
SSDEEP: 3072:rb8IM9D5woXXreupOnXY8/ZnLSpWKaIWHnDFoo97pzJ+nYkOCwynsVvRokCB/bnl:0IUWJlfQw+oJpzmfwssLJC5opH9DH3zq
Malware Config
Signatures
Gh0st RAT payload (1 IoC)
resource: behavioral1/memory/2824-87-0x0000000000400000-0x0000000000432000-memory.dmp
yara_rule: family_gh0strat
Gh0strat family

Deletes itself (1 IoC)
PID 2308 cmd.exe

Executes dropped EXE (2 IoCs)
PID 2824 ki15FCC.tmp
PID 2080 inl679B.tmp

Loads dropped DLL (5 IoCs)
PID 2368 cmd.exe
PID 2408 MsiExec.exe (2 events)
PID 2596 cmd.exe (2 events)
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description: File opened (read-only); process: msiexec.exe
ioc, in the order recorded: \??\P: \??\V: \??\Y: \??\H: \??\P: \??\Q: \??\B: \??\J: \??\R: \??\S: \??\V: \??\G: \??\I: \??\M: \??\O: \??\U: \??\E: \??\N: \??\T: \??\X: \??\A: \??\B: \??\L: \??\S: \??\N: \??\O: \??\U: \??\Z: \??\A: \??\E: \??\Y: \??\G: \??\K: \??\R: \??\W: \??\Z: \??\K: \??\M: \??\W: \??\J: \??\L: \??\Q: \??\I: \??\T: \??\X: \??\H:
Each of the 23 letters A:, B:, E: and G: through Z: is opened exactly twice (C:, D: and F: do not appear), consistent with the two msiexec.exe instances in the process tree (PIDs 2868 and 2784) each making one pass over the drive letters.
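The signature rows on this page are flattened tables, which makes counting and deduplicating IoCs by eye error-prone (the 46 drive events above are really 23 letters seen twice). The following is an added example, not code from the report or from any sandbox vendor: small parsers for three of the row formats used here, the memory-dump name behind the Gh0st RAT YARA hit, the "description ioc Process" drive-enumeration row and the "pid Process" rows. The inputs are constructed from the values shown above (LETTERS is the drive-letter sequence in the order the report lists it); the field names in the returned dictionaries are my own. The dump-name parser also flags whether the matched region starts at 0x400000, the conventional image base of a 32-bit PE, which here suggests the match sits in ki15FCC.tmp's own mapped image rather than in a separately allocated region (an inference, not something the report states).

```python
"""Added example (not from the report or any sandbox vendor): parsers for the
flattened signature rows used on this page. Input rows are constructed here
from the values shown above; LETTERS is the drive-letter sequence from the
'Enumerates connected drives' row in the order the report lists it."""
import re
import string
from collections import Counter

MEMDUMP = "behavioral1/memory/2824-87-0x0000000000400000-0x0000000000432000-memory.dmp"
LETTERS = ("P V Y H P Q B J R S V G I M O U E N T X A B L S N O U Z A E "
           "Y G K R W Z K M W J L Q I T X H").split()
# Rebuilt copy of the report's drive-enumeration row (constructed input).
DRIVE_ROW = "description ioc Process " + " ".join(
    f"File opened (read-only) \\??\\{l}: msiexec.exe" for l in LETTERS)
# The report's 'Loads dropped DLL' row, verbatim.
LOADS_ROW = "pid Process 2368 cmd.exe 2408 MsiExec.exe 2408 MsiExec.exe 2596 cmd.exe 2596 cmd.exe"

DUMP_RE = re.compile(
    r"(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9a-f]+)-0x(?P<end>[0-9a-f]+)-memory\.dmp$", re.I)
DRIVE_RE = re.compile(r"File opened \(read-only\) \\\?\?\\([A-Z]): (\S+)")
PID_RE = re.compile(r"(\d+) (\S+)")


def parse_dump_name(path):
    """Split '<pid>-<index>-0x<start>-0x<end>-memory.dmp' into its fields and
    compute the region size; 0x400000 is the conventional 32-bit PE image base."""
    m = DUMP_RE.search(path)
    if not m:
        raise ValueError(f"not a memory dump name: {path}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "index": int(m["idx"]), "start": start,
            "end": end, "size": end - start, "at_default_image_base": start == 0x400000}


def parse_drive_row(row):
    """Count per-letter root-path opens and list the letters never touched."""
    entries = DRIVE_RE.findall(row)
    per_letter = Counter(letter for letter, _ in entries)
    processes = sorted({proc for _, proc in entries})
    return {"events": len(entries), "unique": sorted(per_letter),
            "skipped": sorted(set(string.ascii_uppercase) - set(per_letter)),
            "per_letter": dict(per_letter), "processes": processes}


def parse_pid_row(row):
    """Turn a 'pid Process <pid> <name> <pid> <name> ...' row into
    {(pid, process): count}, so repeated entries become a count."""
    body = row.split("pid Process", 1)[1]
    return Counter((int(p), name) for p, name in PID_RE.findall(body))


if __name__ == "__main__":
    print(parse_dump_name(MEMDUMP))
    print(parse_drive_row(DRIVE_ROW))
    print(parse_pid_row(LOADS_ROW))
```

parse_drive_row carries no PID because the report's row does not record one; the two-passes reading is an inference from the process tree, where both msiexec.exe instances carry the "Enumerates connected drives" tag.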
Indicator Removal: File Deletion (1 TTP)
Adversaries may delete files left behind by the actions of their intrusion activity.

Drops file in Program Files directory (2 IoCs)
File created C:\Program Files\Common Files\loader.dll by ki15FCC.tmp
File created C:\Program Files\Common Files\lanmao.dll by ki15FCC.tmp

Drops file in Windows directory (7 IoCs)
File opened for modification C:\Windows\Installer\MSI6C3B.tmp by msiexec.exe
File opened for modification C:\Windows\Installer\MSI6CD8.tmp by msiexec.exe
File created C:\WINDOWS\vbcfg.ini by ki15FCC.tmp
File created C:\Windows\Installer\f776825.msi by msiexec.exe
File opened for modification C:\Windows\Installer\f776825.msi by msiexec.exe
File opened for modification C:\Windows\Logs\DPX\setupact.log by expand.exe
File opened for modification C:\Windows\Logs\DPX\setuperr.log by expand.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 11 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by: expand.exe, cmd.exe, msiexec.exe, cmd.exe, cmd.exe, MsiExec.exe, inl679B.tmp, JaffaCakes118_4ed9a08d90b80dc451fb76cd555f99bb.exe, cmd.exe, ki15FCC.tmp, cmd.exe
Note that this key is read by ordinary system binaries during start-up (cmd.exe, expand.exe and msiexec.exe all trigger it here), so the tag is low-signal on its own; the dropped ki15FCC.tmp and inl679B.tmp opening it is not by itself evidence of deliberate geolocation checks.
Suspicious behavior: EnumeratesProcesses (1 IoC)
PID 1908 JaffaCakes118_4ed9a08d90b80dc451fb76cd555f99bb.exe

Suspicious use of AdjustPrivilegeToken (42 IoCs)
msiexec.exe (PID 2868), 31 tokens: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
msiexec.exe (PID 2784), 9 tokens: SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege, then SeRestorePrivilege and SeTakeOwnershipPrivilege three further times each
JaffaCakes118_4ed9a08d90b80dc451fb76cd555f99bb.exe (PID 1908), 1 token: SeIncBasePriorityPrivilege
inl679B.tmp (PID 2080), 1 token: SeIncBasePriorityPrivilege
Caveat: 40 of the 42 events belong to the two msiexec.exe processes, and the same broad privilege adjustment appears when a benign MSI is installed (the client enables a wide set before handing off to the Installer service, and the service side uses backup/restore privileges to write under C:\Windows\Installer). The privilege tag is therefore context for the MSI drop, not an indicator on its own; the sample's own only privilege change is SeIncBasePriorityPrivilege.
Suspicious use of WriteProcessMemory (49 IoCs)
Each entry is "parent PID wrote to memory of child PID", with the sandbox's target process index (procid_target) and the number of repeated events:
1908 JaffaCakes118_4ed9a08d90b80dc451fb76cd555f99bb.exe wrote to 2368 (cmd.exe, procid_target 30): 4 events
2368 cmd.exe wrote to 2824 (ki15FCC.tmp, procid_target 32): 7 events
1908 sample wrote to 2868 (msiexec.exe, procid_target 33): 7 events
1908 sample wrote to 2596 (cmd.exe, procid_target 35): 4 events
1908 sample wrote to 2988 (cmd.exe, procid_target 36): 4 events
1908 sample wrote to 2308 (cmd.exe, procid_target 39): 4 events
2988 cmd.exe wrote to 1032 (expand.exe, procid_target 41): 4 events
2784 msiexec.exe wrote to 2408 (MsiExec.exe, procid_target 42): 7 events
2596 cmd.exe wrote to 2080 (inl679B.tmp, procid_target 43): 4 events
2080 inl679B.tmp wrote to 264 (cmd.exe, procid_target 45): 4 events
Caveat: every target is the writer's own freshly created child, so these are the writes a parent makes into a new child's address space during process creation, which a benign installer produces too; nothing here shows injection into an unrelated process. The Gh0st RAT YARA match is in the memory of ki15FCC.tmp (PID 2824) itself.
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4ed9a08d90b80dc451fb76cd555f99bb.exe (PID 1908)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4ed9a08d90b80dc451fb76cd555f99bb.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (PID 2368, parent 1908)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\run_kl_file.bat" "
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\ki15FCC.tmp (PID 2824, parent 2368)
      Command line: C:\Users\Admin\AppData\Local\Temp\ki15FCC.tmp
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\msiexec.exe (PID 2868, parent 1908)
    Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ins64CC.tmp.msi" /quiet
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe (PID 2596, parent 1908)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\inl679B.tmp (PID 2080, parent 2596)
      Command line: C:\Users\Admin\AppData\Local\Temp\inl679B.tmp cdf1912.tmp
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe (PID 264, parent 2080)
        Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inl679B.tmp > nul
        - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe (PID 2988, parent 1908)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat" "
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\expand.exe (PID 1032, parent 2988)
      Command line: expand.exe "C:\Users\Admin\AppData\Local\Temp\favorites_url.cab" -F:*.* "C:\Users\Admin\Favorites"
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe (PID 2308, parent 1908)
    Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE > nul
    - Deletes itself
    - System Location Discovery: System Language Discovery

C:\Windows\system32\msiexec.exe (PID 2784, the Windows Installer service started for the /i request above)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\syswow64\MsiExec.exe (PID 2408, parent 2784)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 965E27B242B28E8629FC17851B0E2E4D
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
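The tree above is a compact dropper pattern: the sample writes batch files, a .tmp executable pair, an MSI and a CAB into %TEMP%, runs each through a LOLBin (cmd.exe, msiexec.exe /quiet, expand.exe), and then has cmd.exe delete both the second-stage inl679B.tmp and the sample itself, the latter by its 8.3 short name JAFFAC~1.EXE. The following is an added example, not code from the report or from any vendor: three detections over Sysmon-style process-creation events. The event tuples are constructed from the report's tree; the (pid, ppid, image, command_line) schema and the parent PID 500 assumed for the first process are my assumptions, not captured data. The self-deletion check deliberately handles the short-name case, since a naive comparison of the del target against the parent image misses JAFFAC~1.EXE.

```python
"""Added example (not from the report or any vendor tool): three detections run
over Sysmon-style process-creation events that mirror the process tree above.
The event tuples are constructed from the report's tree; the schema and the
parent PID 500 assumed for the first process are not captured data."""
import ntpath
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4ed9a08d90b80dc451fb76cd555f99bb.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# (pid, ppid, image, command_line), transcribed from the report's process tree.
EVENTS = [
    (1908, 500, SAMPLE, f'"{SAMPLE}"'),
    (2368, 1908, CMD, rf'cmd /c ""{TEMP}\run_kl_file.bat" "'),
    (2824, 2368, rf"{TEMP}\ki15FCC.tmp", rf"{TEMP}\ki15FCC.tmp"),
    (2868, 1908, r"C:\Windows\SysWOW64\msiexec.exe",
     rf'"C:\Windows\System32\msiexec.exe" /i "{TEMP}\ins64CC.tmp.msi" /quiet'),
    (2596, 1908, CMD, rf'cmd /c ""{TEMP}\run_dws_file.bat" "'),
    (2080, 2596, rf"{TEMP}\inl679B.tmp", rf"{TEMP}\inl679B.tmp cdf1912.tmp"),
    (264, 2080, CMD, rf'"C:\Windows\system32\cmd.exe" /c del {TEMP}\inl679B.tmp > nul'),
    (2988, 1908, CMD, rf'cmd /c ""{TEMP}\tmp_ext_favurl_cab.bat" "'),
    (1032, 2988, r"C:\Windows\SysWOW64\expand.exe",
     rf'expand.exe "{TEMP}\favorites_url.cab" -F:*.* "C:\Users\Admin\Favorites"'),
    (2308, 1908, CMD, rf'"C:\Windows\system32\cmd.exe" /c del {TEMP}\JAFFAC~1.EXE > nul'),
]

DEL_RE = re.compile(r'/c\s+del\s+(?:/[a-z]\s+)*"?([^"\s>]+)', re.IGNORECASE)
SHORT_RE = re.compile(r"([A-Z0-9_$!#%&{}()@'`-]{1,6})~\d+(\.[A-Z0-9]{1,3})?")


def short_name_matches(candidate: str, full: str) -> bool:
    """True if `candidate` names the same file as `full`, either exactly or as a
    DOS 8.3 short name. Simplified rule: the short stem is the first six legal
    characters of the long stem, upper-cased, followed by '~N'; the short
    extension is the first three characters of the long one."""
    c, f = ntpath.basename(candidate).upper(), ntpath.basename(full).upper()
    if c == f:
        return True
    m = SHORT_RE.fullmatch(c)
    if not m:
        return False
    stem, ext = ntpath.splitext(f)
    legal = re.sub(r"[^A-Z0-9_$!#%&{}()@'`-]", "", stem)
    return legal.startswith(m.group(1)) and (m.group(2) or "") == ext[:4]


def find_self_deletion(events):
    """cmd.exe /c del whose target is the parent's own image (ATT&CK T1070.004).
    Catches both deletions in the tree, including the 8.3-named JAFFAC~1.EXE."""
    image_of = {pid: image for pid, _, image, _ in events}
    hits = []
    for pid, ppid, image, cmd in events:
        if ntpath.basename(image).lower() != "cmd.exe" or ppid not in image_of:
            continue
        m = DEL_RE.search(cmd)
        if m and short_name_matches(m.group(1), image_of[ppid]):
            hits.append((pid, ppid, image_of[ppid]))
    return hits


def find_temp_staged_installs(events):
    """Quiet msiexec installs and expand.exe CAB extractions fed from %TEMP%."""
    hits = []
    for pid, ppid, image, cmd in events:
        name, low = ntpath.basename(image).lower(), cmd.lower()
        if name == "msiexec.exe" and " /i " in low and "/quiet" in low and TEMP.lower() in low:
            hits.append(("msiexec_quiet_from_temp", pid, ppid))
        elif name == "expand.exe" and ".cab" in low and TEMP.lower() in low:
            hits.append(("expand_cab_from_temp", pid, ppid))
    return hits


def find_tmp_executables(events):
    """Processes whose image is a *.tmp file under %TEMP% (the report's
    'Executes dropped EXE' rows)."""
    return [pid for pid, _, image, _ in events
            if image.lower().startswith(TEMP.lower()) and image.lower().endswith(".tmp")]


if __name__ == "__main__":
    for finding in find_self_deletion(EVENTS) + find_temp_staged_installs(EVENTS):
        print(finding)
    print("dropped .tmp executables:", find_tmp_executables(EVENTS))
```

Run against real Sysmon Event ID 1 data, the self-deletion rule is the high-value one: a cmd.exe whose del target resolves to its parent's image is rare in legitimate software, whereas the msiexec and expand.exe rules need a parent-process or signing-status condition before they are quiet enough for alerting.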
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 765B
MD5: a4a4219ce5fdbaf2864b04ca4e453ac9
SHA1: 98bf1383e8b2f4db0388ee139ae7fe06ff7a67a9
SHA256: 7ce64a6d79d1772713cf59d6575aec39f9fa00690d4c84cd2f160081b0d412c6
SHA512: 22f5668719a58a4c1692ceb8aae48af9d5a53527d96431410587fa1f3f67ec9b5f0660c87fa9d931343e1be9b0f56f03c3fcd431cc2d67b104450b2ef792baa8

Filesize: 57B
MD5: 492e6962f1b4a55dc14efa5d67091c1b
SHA1: 18db609d3d516d03b298fce40378ee60fdf1485c
SHA256: a76f307b93f265bb3681ecec6584a562ae0d9dd08ca2d212dcb7a3f7ea804680
SHA512: c7fe60f07a7a4625c8d7e28ec5841541748502c4f40c90222ba2e2b492cfc942a80237b013f1972b60c76efc8d749a0a8dc27fd6dcd15061c2d4550669d4d8b2

Filesize: 45B
MD5: 195bb2759a29a9669db0bd7a9a848ef6
SHA1: b3dbb7d530f2ea2e2b716eeca012e0c5d50a754a
SHA256: e731f9b3d71286c67c0d493ed3f970ce7fa5fc6425202d6a369a6c184da15e3d
SHA512: d7ab38ae2ac297ece032d51fa2b72cef8439867cee82186f5420c37b0a1351795767a42f457aa6f7a9ccc62600842e64ba7e7db8d48db67943494ffd980ffcf9

Filesize: 98B
MD5: 8663de6fce9208b795dc913d1a6a3f5b
SHA1: 882193f208cf012eaf22eeaa4fef3b67e7c67c15
SHA256: 2909ea8555f2fc19097c1070a1da8fcfd6dc6886aa1d99d7e0c05e53feeb5b61
SHA512: 9381063e0f85e874be54ae22675393b82c6ab54b223090148e4acbeff6f22393c96c90b83d6538461b695528af01d1f1231cf5dc719f07d6168386974b490688

Filesize: 48KB
MD5: 9067aad412defc0d2888479609041392
SHA1: 36cfffc3bafeb24f88ad5886ca5787ca008b6ba9
SHA256: 99f4e00b6908057a2fe5067ff6c8b6e32b5c07558ab79139dc4b998f1da4b517
SHA512: e69f259d78b02e6c1a5d9c45898b59372329a5288fff655dd741353f112b2b8eed18b01caa2bf312a91f5e314e1c0b036321b37c8efbebdcf3650ba6b12dee6a

Filesize: 425B
MD5: da68bc3b7c3525670a04366bc55629f5
SHA1: 15fda47ecfead7db8f7aee6ca7570138ba7f1b71
SHA256: 73f3605192b676c92649034768378909a19d13883a7ea6f8ba1b096c78ffadb5
SHA512: 6fee416affcb6a74621479697bca6f14f5429b00de3aa595abe3c60c6b2e094877b59f8783bbe7bdd567fa565d0630bb02def5603f8f0ea92fe8f2c3ac5383c0