Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 05/03/2025, 16:38
Behavioral task: behavioral1
- Sample: JaffaCakes118_52d229c8266359536039c284eab3f5f7.dll
- Resource: win7-20241010-en
General
- Target: JaffaCakes118_52d229c8266359536039c284eab3f5f7.dll
- Size: 101KB
- MD5: 52d229c8266359536039c284eab3f5f7
- SHA1: cff01abb6be05942915c37cbfc01b3c16e3d0641
- SHA256: 9fc16d9513f70fd9341927442e151583c0d95b6866203e684ce3c9e8114fa934
- SHA512: a83768e27e2e37354a6956bf3dfed494e5a82636234f99c73910e995500ac4fa312afa43554fb6d0022faf332b73737689ee8b926a25cdaa463640ddbe7463c8
- SSDEEP: 3072:CwZSQpKa3VGVnpUlCz764/9xpEEBqbZuwe5iG:JJVGpxx9b3wZuwe4G
Malware Config
Signatures
Gh0st RAT payload (1 IoC)
- resource: behavioral1/files/0x0032000000015e5b-3.dat; yara_rule: family_gh0strat
Gh0strat family
Loads dropped DLL (1 IoC)
- pid 2180, Process svchost.exe
Drops file in Program Files directory (2 IoCs)
- File opened for modification: C:\Program Files (x86)\Vjwm\Gvwynhrbp.gif (Process rundll32.exe)
- File created: C:\Program Files (x86)\Vjwm\Gvwynhrbp.gif (Process rundll32.exe)
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process rundll32.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process svchost.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- pid 2180, Process svchost.exe (the same entry repeated 64 times)
Suspicious use of AdjustPrivilegeToken (8 IoCs)
- Token: SeBackupPrivilege, pid 2844, Process rundll32.exe (4 entries, alternating with the next)
- Token: SeRestorePrivilege, pid 2844, Process rundll32.exe (4 entries)
Suspicious use of WriteProcessMemory (7 IoCs)
- PID 2204 wrote to memory of 2844; pid 2204, Process rundll32.exe, procid_target 30 (the same entry repeated 7 times)
Processes
- C:\Windows\system32\rundll32.exe (PID 2204)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_52d229c8266359536039c284eab3f5f7.dll,#1
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\rundll32.exe (PID 2844)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_52d229c8266359536039c284eab3f5f7.dll,#1
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\svchost.exe (PID 2180)
  Command line: C:\Windows\SysWOW64\svchost.exe -k imgsvc
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 4.5MB
- MD5: 3b2ed298ac9253ce576e5ed61fd60ee7
- SHA1: eb57854c1f49a7a58b8e3ccba2ed2e2c56f21046
- SHA256: 51e87fed101932ccf3433a2972fb8abfb5f4900dd0288fa855bf13048358b182
- SHA512: 225df67c6b0b85f9b26d509c50a051d7a7b9582000b19121d7ddb37bc094395536fbec4393997716ca0e46a8e0cdf788e2be0bbe091d877085f7a33c2ec96c7a