Analysis
- max time kernel: 150s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 01-07-2024 08:25
Behavioral task
- behavioral1
  Sample: 1a97c21ab895158257adf055ccd6cf3e_JaffaCakes118.exe
  Resource: win7-20240221-en
General
- Target: 1a97c21ab895158257adf055ccd6cf3e_JaffaCakes118.exe
- Size: 126KB
- MD5: 1a97c21ab895158257adf055ccd6cf3e
- SHA1: 5697ad1e9878370ea1f5db00e85298409d489e2b
- SHA256: c792acee0987ac17474c1dc846b0c0a1ae2a81a7f08151ffab2754d96085c5cd
- SHA512: d58d6ed83d30a94359cfef3605c08d921ad49c5b64ef4def8a1c2d883a83ef2d17f12958630738bf2105f9aa9b9c786b87bb19557efb01811c7eec4045f0e510
- SSDEEP: 3072:41UNGB+I0Oy8uIqn904rKttHkoIIuZkfiXqCYNg:41UQpu8Hqm4wKodkkqXBm
Malware Config
Signatures
- Gh0st RAT payload (3 IoCs)
  resource / yara_rule:
  - C:\Program Files (x86)\Fbcd\Kbcdefghi.gif: family_gh0strat
  - behavioral1/memory/1584-9-0x0000000010000000-0x0000000010028000-memory.dmp: family_gh0strat
  - C:\3015500.dll: family_gh0strat
- Deletes itself (1 IoC)
  pid / process:
  - 1216 svchost.exe
- Loads dropped DLL (1 IoC)
  pid / process:
  - 1216 svchost.exe
- Drops file in Program Files directory (2 IoCs)
  description / ioc / process:
  - File created: C:\Program Files (x86)\Fbcd\Kbcdefghi.gif (1a97c21ab895158257adf055ccd6cf3e_JaffaCakes118.exe)
  - File opened for modification: C:\Program Files (x86)\Fbcd\Kbcdefghi.gif (1a97c21ab895158257adf055ccd6cf3e_JaffaCakes118.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / process:
  - 1216 svchost.exe (the same entry is listed 64 times)
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  description / pid / process:
  - Token: SeBackupPrivilege, 1584, 1a97c21ab895158257adf055ccd6cf3e_JaffaCakes118.exe
  - Token: SeRestorePrivilege, 1584, 1a97c21ab895158257adf055ccd6cf3e_JaffaCakes118.exe
  - Token: SeBackupPrivilege, 1584, 1a97c21ab895158257adf055ccd6cf3e_JaffaCakes118.exe
  - Token: SeRestorePrivilege, 1584, 1a97c21ab895158257adf055ccd6cf3e_JaffaCakes118.exe
  - Token: SeBackupPrivilege, 1584, 1a97c21ab895158257adf055ccd6cf3e_JaffaCakes118.exe
  - Token: SeRestorePrivilege, 1584, 1a97c21ab895158257adf055ccd6cf3e_JaffaCakes118.exe
  - Token: SeBackupPrivilege, 1584, 1a97c21ab895158257adf055ccd6cf3e_JaffaCakes118.exe
  - Token: SeRestorePrivilege, 1584, 1a97c21ab895158257adf055ccd6cf3e_JaffaCakes118.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\1a97c21ab895158257adf055ccd6cf3e_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1a97c21ab895158257adf055ccd6cf3e_JaffaCakes118.exe"
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\svchost.exe
  command line: C:\Windows\SysWOW64\svchost.exe -k imgsvc
  - Deletes itself
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
- C:\3015500.dll
  Filesize: 112KB
  MD5: 339e612cfa378411cff35260fe3084a0
  SHA1: cc9e82478958e14d7b3a7d404ada2d5745ae3b8e
  SHA256: 7d1220a54ae455ce49db678c94b275191585fecb4d4c8d6aee9a3421eaa65289
  SHA512: fe1caa47b925296528ed549210756cb890ea735ed56a3d451e0af61f8b83bdbcda6404a91111b632154e0276e3c88c98eef11edd7dd140f31045d57dfec4839f
- C:\Program Files (x86)\Fbcd\Kbcdefghi.gif
  Filesize: 6.1MB
  MD5: 107b692a26b91d40fb9a54f0d1c5e80e
  SHA1: 7a3b06cc3d8f4a1b5950a7e15669b29e71bfc134
  SHA256: 29a30197d0df326a107e286e12895e709b246c801da65724acce201687a34f8b
  SHA512: 1780766059cf9dd70f084d086ea5c43fb4de9551e0df2d2ef566bc5711d579a515ba6dbf5fb435ae964776fd196c62bf3c12210960be0e17c778f8197445efb6
- C:\WinWall32.gif
  Filesize: 99B
  MD5: df60aecaea2c17b91917cf3c306a9477
  SHA1: 23a3decddb8bc25045cbeed4be34cc9fa5915481
  SHA256: a5ca657eb9df3f8c8b5d0747979bc616d74e69ad6f78d2dc5d0eb52e7f28b603
  SHA512: 251a4335f157170479f062f7b17b593f2026c6dc70238fd9272732de202afae26fbebf05fd8439f66e44260d5840210aa1863e5930c992d06c046061af5bbc28
- memory/1584-9-0x0000000010000000-0x0000000010028000-memory.dmp
  Filesize: 160KB
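The three dropped files above are the artefacts worth hunting for on other hosts. Two caveats before doing so: the memory region that matched the Gh0st rule is 160KB mapped while 3015500.dll is 112KB on disk, so a hash of the dump will never equal the DLL's file hash, and the 6.1MB file carries a .gif extension, so extension filters are useless; hunt by content hash. The following script is an added example for this page, not part of the sandbox report or of any vendor tooling. The paths and hashes in IOCS are copied from the Downloads section; the function names, the mapping of C:\ paths onto a mounted image root and the status strings are assumptions made for this example.

```python
"""Hunt for this report's dropped-file IoCs on a mounted disk or directory.

Added example for this page, not part of the sandbox report or of any
vendor tooling. The paths and hashes in IOCS are copied from the report's
Downloads section; the function names, the path-mapping rule and the
status strings are assumptions made for this example.
"""
import hashlib
import os
import sys
from typing import Dict, List, Optional, Tuple

# Dropped-file IoCs from the report. Sizes are left out on purpose: the
# report rounds them (112KB, 6.1MB), so matching is done by hash only.
IOCS: List[Dict[str, str]] = [
    {
        "path": r"C:\3015500.dll",
        "md5": "339e612cfa378411cff35260fe3084a0",
        "sha1": "cc9e82478958e14d7b3a7d404ada2d5745ae3b8e",
        "sha256": "7d1220a54ae455ce49db678c94b275191585fecb4d4c8d6aee9a3421eaa65289",
    },
    {
        "path": r"C:\Program Files (x86)\Fbcd\Kbcdefghi.gif",
        "md5": "107b692a26b91d40fb9a54f0d1c5e80e",
        "sha1": "7a3b06cc3d8f4a1b5950a7e15669b29e71bfc134",
        "sha256": "29a30197d0df326a107e286e12895e709b246c801da65724acce201687a34f8b",
    },
    {
        "path": r"C:\WinWall32.gif",
        "md5": "df60aecaea2c17b91917cf3c306a9477",
        "sha1": "23a3decddb8bc25045cbeed4be34cc9fa5915481",
        "sha256": "a5ca657eb9df3f8c8b5d0747979bc616d74e69ad6f78d2dc5d0eb52e7f28b603",
    },
]

ALGOS = ("md5", "sha1", "sha256")


def hash_file(path: str) -> Dict[str, str]:
    """Return lowercase hex digests for every algorithm in ALGOS, reading once."""
    hashers = {name: hashlib.new(name) for name in ALGOS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_hashes(digests: Dict[str, str], iocs=IOCS) -> Optional[Dict[str, str]]:
    """Return the first IoC row whose digest equals the file's for any algorithm.

    Comparison is per algorithm and case-insensitive, so a row that only
    carries an MD5 still matches, and a renamed copy matches by content.
    """
    for row in iocs:
        for algo in ALGOS:
            expected = row.get(algo)
            if expected and digests.get(algo, "").lower() == expected.lower():
                return row
    return None


def report_path_to_local(win_path: str, root: str) -> str:
    """Map a 'C:\\...' path from the report onto a mounted image root (assumed layout)."""
    body = win_path.split(":", 1)[1] if ":" in win_path[:2] else win_path
    parts = [p for p in body.replace("\\", "/").split("/") if p]
    return os.path.join(root, *parts)


def check_known_locations(root: str, iocs=IOCS) -> Dict[str, str]:
    """For each IoC path, report 'missing', 'match' or 'hash-mismatch'."""
    status = {}
    for row in iocs:
        local = report_path_to_local(row["path"], root)
        if not os.path.isfile(local):
            status[row["path"]] = "missing"
        elif match_hashes(hash_file(local), [row]) is row:
            status[row["path"]] = "match"
        else:
            # Same name, different content: worth a look (a rebuilt dropper
            # would land here), but it is not a hash match.
            status[row["path"]] = "hash-mismatch"
    return status


def scan_tree(root: str, iocs=IOCS) -> List[Tuple[str, str]]:
    """Walk root and return (local_path, ioc_path) for every content match,
    whatever the file is called, so renamed or relocated copies show up."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            local = os.path.join(dirpath, name)
            try:
                row = match_hashes(hash_file(local), iocs)
            except OSError:
                continue  # unreadable file (permissions, dangling link)
            if row is not None:
                hits.append((local, row["path"]))
    return sorted(hits)


if __name__ == "__main__":
    mount = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, state in check_known_locations(mount).items():
        print(f"{state:14} {path}")
    for local, ioc_path in scan_tree(mount):
        print(f"content match  {local} == {ioc_path}")
```

Run it against the root of a mounted image (or a live C:\ drive) as `python hunt.py /mnt/image`. The known-location check is cheap and answers "is this exact drop here"; the tree walk hashes everything under the root and is what catches a copy the operator renamed, at the cost of reading every file once. Both only find this exact build: a recompiled payload gets new hashes, so pair them with the yara rule the sandbox used.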