gh0strat | 5da4a3e61bf7cf4a2d4240bc3b1de93a61e57fc3519e13caf2474f7d12030d3f

Analysis

max time kernel
140s
max time network
147s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
06/03/2025, 13:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_56862ecfc66c6941e12357f602424b25.exe
Size

476KB
MD5

56862ecfc66c6941e12357f602424b25
SHA1

c0ad1a78286d3f6e11492d0fbcf305f02f73a28f
SHA256

5da4a3e61bf7cf4a2d4240bc3b1de93a61e57fc3519e13caf2474f7d12030d3f
SHA512

3eda14f758cc3e7a3df5a88e9da817729b93b8955a34b6c0cd26a67b7eb750a7ba487e2305974e457b5258b4c79c1d21d863e7ca05c67718e2fdf1164cd67369
SSDEEP

6144:9qOVverctVjgK6GuQq9+vAG+wLhLL/Z0axth2uL29E2xlVqc:9q2veAtaK6GuQq9lG5hLL/guLT

Score

10^/10

gh0strat discovery persistence rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral1/memory/1392-28-0x0000000000400000-0x0000000000417000-memory.dmp	family_gh0strat
behavioral1/memory/1392-25-0x0000000000400000-0x0000000000417000-memory.dmp	family_gh0strat
behavioral1/memory/1392-31-0x0000000000400000-0x0000000000417000-memory.dmp	family_gh0strat
behavioral1/memory/1392-30-0x0000000000400000-0x0000000000417000-memory.dmp	family_gh0strat
behavioral1/memory/1392-32-0x0000000000400000-0x0000000000417000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2860	At.exe	38

Executes dropped EXE 3 IoCs

pid	Process
1528	SysClock.exe
1392	SysClock.exe
2672	clock.exe

Loads dropped DLL 7 IoCs

pid	Process
1048	JaffaCakes118_56862ecfc66c6941e12357f602424b25.exe
1048	JaffaCakes118_56862ecfc66c6941e12357f602424b25.exe
1528	SysClock.exe
2672	clock.exe
2672	clock.exe
2672	clock.exe
2672	clock.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\systime = "C:\\RECYCLER\\20251325\\clock.exe"	clock.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1528 set thread context of 1392	1528	SysClock.exe	33

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2168	sc.exe
2028	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_56862ecfc66c6941e12357f602424b25.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SysClock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SysClock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	clock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 2 IoCs

defense_evasion

pid	Process
2484	taskkill.exe
2736	taskkill.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E586526-E97F-11D2-905B-24FD04C10000}\Version	clock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E586523-E97F-11D2-905B-24FD04C10000}\1.0	clock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E586525-E97F-11D2-905B-24FD04C10000}\TypeLib\Version = "1.0"	clock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E586526-E97F-11D2-905B-24FD04C10000}\TypeLib	clock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E586526-E97F-11D2-905B-24FD04C10000}\Insertable\	clock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E586524-E97F-11D2-905B-24FD04C10000}\TypeLib	clock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E586525-E97F-11D2-905B-24FD04C10000}\TypeLib	clock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E586526-E97F-11D2-905B-24FD04C10000}	clock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E586526-E97F-11D2-905B-24FD04C10000}\MiscStatus\1\ = "132497"	clock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E586525-E97F-11D2-905B-24FD04C10000}\ = "_DCalendarXEvents"	clock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E586525-E97F-11D2-905B-24FD04C10000}\TypeLib\ = "{4E586523-E97F-11D2-905B-24FD04C10000}"	clock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CALENDARX.CalendarXCtrl.1\CLSID\ = "{4E586526-E97F-11D2-905B-24FD04C10000}"	clock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E586526-E97F-11D2-905B-24FD04C10000}\Insertable	clock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E586524-E97F-11D2-905B-24FD04C10000}\ProxyStubClsid32	clock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E586523-E97F-11D2-905B-24FD04C10000}	clock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E586524-E97F-11D2-905B-24FD04C10000}\TypeLib\Version = "1.0"	clock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E586527-E97F-11D2-905B-24FD04C10000}\InprocServer32\ = "C:\\RECYCLER\\20251325\\CALEND~1.OCX"	clock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CALENDARX.CalendarXCtrl.1\ = "CalendarX Control"	clock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CALENDARX.CalendarXCtrl.1\Insertable\	clock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E586525-E97F-11D2-905B-24FD04C10000}\ = "_DCalendarXEvents"	clock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E586526-E97F-11D2-905B-24FD04C10000}\ProgID\ = "CALENDARX.CalendarXCtrl.1"	clock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E586526-E97F-11D2-905B-24FD04C10000}\InprocServer32	clock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E586526-E97F-11D2-905B-24FD04C10000}\InprocServer32\ = "C:\\RECYCLER\\20251325\\CALEND~1.OCX"	clock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E586526-E97F-11D2-905B-24FD04C10000}\ = "CalendarX Control"	clock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E586524-E97F-11D2-905B-24FD04C10000}\TypeLib	clock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E586524-E97F-11D2-905B-24FD04C10000}\TypeLib\Version = "1.0"	clock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E586524-E97F-11D2-905B-24FD04C10000}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	clock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E586525-E97F-11D2-905B-24FD04C10000}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	clock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E586525-E97F-11D2-905B-24FD04C10000}\TypeLib\Version = "1.0"	clock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E586526-E97F-11D2-905B-24FD04C10000}\InprocServer32\ThreadingModel = "Apartment"	clock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CALENDARX.CalendarXCtrl.1	clock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E586524-E97F-11D2-905B-24FD04C10000}\ = "_DCalendarX"	clock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E586524-E97F-11D2-905B-24FD04C10000}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	clock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E586523-E97F-11D2-905B-24FD04C10000}\1.0\FLAGS	clock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E586523-E97F-11D2-905B-24FD04C10000}\1.0\0	clock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E586524-E97F-11D2-905B-24FD04C10000}\ = "_DCalendarX"	clock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E586524-E97F-11D2-905B-24FD04C10000}\TypeLib\ = "{4E586523-E97F-11D2-905B-24FD04C10000}"	clock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E586524-E97F-11D2-905B-24FD04C10000}	clock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E586527-E97F-11D2-905B-24FD04C10000}	clock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E586526-E97F-11D2-905B-24FD04C10000}\MiscStatus\ = "0"	clock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E586523-E97F-11D2-905B-24FD04C10000}\1.0\HELPDIR\ = "C:\\RECYCLER\\20251325"	clock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E586524-E97F-11D2-905B-24FD04C10000}	clock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E586524-E97F-11D2-905B-24FD04C10000}\ProxyStubClsid32	clock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E586525-E97F-11D2-905B-24FD04C10000}\ProxyStubClsid32	clock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E586526-E97F-11D2-905B-24FD04C10000}\ToolboxBitmap32	clock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E586526-E97F-11D2-905B-24FD04C10000}\Control	clock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E586526-E97F-11D2-905B-24FD04C10000}\Control\	clock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E586525-E97F-11D2-905B-24FD04C10000}\TypeLib	clock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E586525-E97F-11D2-905B-24FD04C10000}\TypeLib\ = "{4E586523-E97F-11D2-905B-24FD04C10000}"	clock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E586525-E97F-11D2-905B-24FD04C10000}\ProxyStubClsid32	clock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E586526-E97F-11D2-905B-24FD04C10000}\MiscStatus	clock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E586526-E97F-11D2-905B-24FD04C10000}\MiscStatus\1	clock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CALENDARX.CalendarXCtrl.1\Insertable	clock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E586523-E97F-11D2-905B-24FD04C10000}\1.0\HELPDIR	clock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E586525-E97F-11D2-905B-24FD04C10000}	clock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E586527-E97F-11D2-905B-24FD04C10000}\InprocServer32	clock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CALENDARX.CalendarXCtrl.1\CLSID	clock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E586523-E97F-11D2-905B-24FD04C10000}\1.0\0\win32	clock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E586527-E97F-11D2-905B-24FD04C10000}\ = "CalendarX Property Page"	clock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E586526-E97F-11D2-905B-24FD04C10000}\Version\ = "1.0"	clock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E586526-E97F-11D2-905B-24FD04C10000}\ToolboxBitmap32\ = "C:\\RECYCLER\\20251325\\CALEND~1.OCX, 1"	clock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E586523-E97F-11D2-905B-24FD04C10000}\1.0\FLAGS\ = "2"	clock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E586523-E97F-11D2-905B-24FD04C10000}\1.0\0\win32\ = "C:\\RECYCLER\\20251325\\CALENDARX.OCX"	clock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E586524-E97F-11D2-905B-24FD04C10000}\TypeLib\ = "{4E586523-E97F-11D2-905B-24FD04C10000}"	clock.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2376	wmic.exe
Token: SeSecurityPrivilege	2376	wmic.exe
Token: SeTakeOwnershipPrivilege	2376	wmic.exe
Token: SeLoadDriverPrivilege	2376	wmic.exe
Token: SeSystemProfilePrivilege	2376	wmic.exe
Token: SeSystemtimePrivilege	2376	wmic.exe
Token: SeProfSingleProcessPrivilege	2376	wmic.exe
Token: SeIncBasePriorityPrivilege	2376	wmic.exe
Token: SeCreatePagefilePrivilege	2376	wmic.exe
Token: SeBackupPrivilege	2376	wmic.exe
Token: SeRestorePrivilege	2376	wmic.exe
Token: SeShutdownPrivilege	2376	wmic.exe
Token: SeDebugPrivilege	2376	wmic.exe
Token: SeSystemEnvironmentPrivilege	2376	wmic.exe
Token: SeRemoteShutdownPrivilege	2376	wmic.exe
Token: SeUndockPrivilege	2376	wmic.exe
Token: SeManageVolumePrivilege	2376	wmic.exe
Token: 33	2376	wmic.exe
Token: 34	2376	wmic.exe
Token: 35	2376	wmic.exe
Token: SeIncreaseQuotaPrivilege	2376	wmic.exe
Token: SeSecurityPrivilege	2376	wmic.exe
Token: SeTakeOwnershipPrivilege	2376	wmic.exe
Token: SeLoadDriverPrivilege	2376	wmic.exe
Token: SeSystemProfilePrivilege	2376	wmic.exe
Token: SeSystemtimePrivilege	2376	wmic.exe
Token: SeProfSingleProcessPrivilege	2376	wmic.exe
Token: SeIncBasePriorityPrivilege	2376	wmic.exe
Token: SeCreatePagefilePrivilege	2376	wmic.exe
Token: SeBackupPrivilege	2376	wmic.exe
Token: SeRestorePrivilege	2376	wmic.exe
Token: SeShutdownPrivilege	2376	wmic.exe
Token: SeDebugPrivilege	2376	wmic.exe
Token: SeSystemEnvironmentPrivilege	2376	wmic.exe
Token: SeRemoteShutdownPrivilege	2376	wmic.exe
Token: SeUndockPrivilege	2376	wmic.exe
Token: SeManageVolumePrivilege	2376	wmic.exe
Token: 33	2376	wmic.exe
Token: 34	2376	wmic.exe
Token: 35	2376	wmic.exe
Token: SeDebugPrivilege	2484	taskkill.exe
Token: SeDebugPrivilege	2736	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2672	clock.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 1528	1048	JaffaCakes118_56862ecfc66c6941e12357f602424b25.exe	30
PID 1048 wrote to memory of 1528	1048	JaffaCakes118_56862ecfc66c6941e12357f602424b25.exe	30
PID 1048 wrote to memory of 1528	1048	JaffaCakes118_56862ecfc66c6941e12357f602424b25.exe	30
PID 1048 wrote to memory of 1528	1048	JaffaCakes118_56862ecfc66c6941e12357f602424b25.exe	30
PID 1048 wrote to memory of 2340	1048	JaffaCakes118_56862ecfc66c6941e12357f602424b25.exe	31
PID 1048 wrote to memory of 2340	1048	JaffaCakes118_56862ecfc66c6941e12357f602424b25.exe	31
PID 1048 wrote to memory of 2340	1048	JaffaCakes118_56862ecfc66c6941e12357f602424b25.exe	31
PID 1048 wrote to memory of 2340	1048	JaffaCakes118_56862ecfc66c6941e12357f602424b25.exe	31
PID 1528 wrote to memory of 1392	1528	SysClock.exe	33
PID 1528 wrote to memory of 1392	1528	SysClock.exe	33
PID 1528 wrote to memory of 1392	1528	SysClock.exe	33
PID 1528 wrote to memory of 1392	1528	SysClock.exe	33
PID 1048 wrote to memory of 2376	1048	JaffaCakes118_56862ecfc66c6941e12357f602424b25.exe	32
PID 1048 wrote to memory of 2376	1048	JaffaCakes118_56862ecfc66c6941e12357f602424b25.exe	32
PID 1048 wrote to memory of 2376	1048	JaffaCakes118_56862ecfc66c6941e12357f602424b25.exe	32
PID 1048 wrote to memory of 2376	1048	JaffaCakes118_56862ecfc66c6941e12357f602424b25.exe	32
PID 1528 wrote to memory of 1392	1528	SysClock.exe	33
PID 1528 wrote to memory of 1392	1528	SysClock.exe	33
PID 2340 wrote to memory of 2168	2340	cmd.exe	36
PID 2340 wrote to memory of 2168	2340	cmd.exe	36
PID 2340 wrote to memory of 2168	2340	cmd.exe	36
PID 2340 wrote to memory of 2168	2340	cmd.exe	36
PID 2340 wrote to memory of 2028	2340	cmd.exe	37
PID 2340 wrote to memory of 2028	2340	cmd.exe	37
PID 2340 wrote to memory of 2028	2340	cmd.exe	37
PID 2340 wrote to memory of 2028	2340	cmd.exe	37
PID 2608 wrote to memory of 2672	2608	taskeng.exe	42
PID 2608 wrote to memory of 2672	2608	taskeng.exe	42
PID 2608 wrote to memory of 2672	2608	taskeng.exe	42
PID 2608 wrote to memory of 2672	2608	taskeng.exe	42
PID 1048 wrote to memory of 2484	1048	JaffaCakes118_56862ecfc66c6941e12357f602424b25.exe	44
PID 1048 wrote to memory of 2484	1048	JaffaCakes118_56862ecfc66c6941e12357f602424b25.exe	44
PID 1048 wrote to memory of 2484	1048	JaffaCakes118_56862ecfc66c6941e12357f602424b25.exe	44
PID 1048 wrote to memory of 2484	1048	JaffaCakes118_56862ecfc66c6941e12357f602424b25.exe	44
PID 1048 wrote to memory of 2736	1048	JaffaCakes118_56862ecfc66c6941e12357f602424b25.exe	46
PID 1048 wrote to memory of 2736	1048	JaffaCakes118_56862ecfc66c6941e12357f602424b25.exe	46
PID 1048 wrote to memory of 2736	1048	JaffaCakes118_56862ecfc66c6941e12357f602424b25.exe	46
PID 1048 wrote to memory of 2736	1048	JaffaCakes118_56862ecfc66c6941e12357f602424b25.exe	46

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_56862ecfc66c6941e12357f602424b25.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_56862ecfc66c6941e12357f602424b25.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1048
- C:\RECYCLER\20251325\SysClock.exe
  C:\RECYCLER\20251325\SysClock.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\RECYCLER\20251325\SysClock.exe
    C:\RECYCLER\20251325\SysClock.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1392
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\RECYCLER\UPX.BAT
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\SysWOW64\sc.exe
    sc config schedule start= auto
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2168
- - C:\Windows\SysWOW64\sc.exe
    sc start schedule
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2028
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic process call create "At 13:26 C:\RECYCLER\20251325\clock.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2376
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im clock.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2484
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im clock.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2736

C:\Windows\system32\At.exe
At 13:26 C:\RECYCLER\20251325\clock.exe
1⤵
- Process spawned unexpected child process
PID:2648

C:\Windows\system32\taskeng.exe
taskeng.exe {7AD1624E-A4C9-4BA7-A285-7AF90C6BFA21} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2608
- C:\RECYCLER\20251325\clock.exe
  C:\RECYCLER\20251325\clock.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\RECYCLER\20251325\SysClock.exe

Filesize
476KB

MD5
56862ecfc66c6941e12357f602424b25

SHA1
c0ad1a78286d3f6e11492d0fbcf305f02f73a28f

SHA256
5da4a3e61bf7cf4a2d4240bc3b1de93a61e57fc3519e13caf2474f7d12030d3f

SHA512
3eda14f758cc3e7a3df5a88e9da817729b93b8955a34b6c0cd26a67b7eb750a7ba487e2305974e457b5258b4c79c1d21d863e7ca05c67718e2fdf1164cd67369

Download Submit
C:\RECYCLER\20251325\clock.exe

Filesize
312KB

MD5
ecdbc11b58c35d6d0779520e8096b83d

SHA1
3a0e1e44d423349bbde859b8728fc22d6d8d69dd

SHA256
7adf76381eb4cd6b14b12764601ebd4af03713a626c54bf0138ed559d6114c9b

SHA512
f9ac1ed20c9c20508650a3ad4150cd5d52c2b4d74b275e3d38c8a4a507b2bddd9789f115dd666a493ee2a779beb1a1f8361d2594b3c6560520bd7cec04a63c48

Download Submit
C:\RECYCLER\UPX.BAT

Filesize
51B

MD5
496ede5f4af744ec169eeafc494593aa

SHA1
df7137e28043cc3d1fd18b7ede50d49497ddab11

SHA256
a74b48576dd2e5c8d3f14b9afb28f6947ab6c0c8632c0d4b447d64454d9ad2ff

SHA512
44309ae8ed29eb5619fe38dad62445bd741cd0c25271f36da03fc6fa1072b15bf70f5b88e89db8f10b41c4ef8c876c8a8e1d9e051a20de05accd0acf0583d4d0

Download Submit
\RECYCLER\20251325\CalendarX.ocx

Filesize
32KB

MD5
2e2c9d22a7b3afb6443a49888383658b

SHA1
c5749e89e9ca318e0ccdaffd911d974809ef0ffd

SHA256
e10a6bc9baddff78970faeb6884d3447e39fcb0c1d9863d5153b521ea88a3e5d

SHA512
494f36d11a49874587e29c07fe4235f095ec00b0a599400bc4abf1f2453afae91d8f22afda6fa1917fac6114f8942104f5ce0f6ba72263bd09dd3978b03396ec

Download Submit
memory/1392-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1392-28-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1392-25-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1392-23-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1392-31-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1392-30-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1392-32-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads