Analysis
- max time kernel: 153s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-07-2024 08:25
Behavioral task: behavioral1
- Sample: 1a97c21ab895158257adf055ccd6cf3e_JaffaCakes118.exe
- Resource: win7-20240221-en
General
- Target: 1a97c21ab895158257adf055ccd6cf3e_JaffaCakes118.exe
- Size: 126KB
- MD5: 1a97c21ab895158257adf055ccd6cf3e
- SHA1: 5697ad1e9878370ea1f5db00e85298409d489e2b
- SHA256: c792acee0987ac17474c1dc846b0c0a1ae2a81a7f08151ffab2754d96085c5cd
- SHA512: d58d6ed83d30a94359cfef3605c08d921ad49c5b64ef4def8a1c2d883a83ef2d17f12958630738bf2105f9aa9b9c786b87bb19557efb01811c7eec4045f0e510
- SSDEEP: 3072:41UNGB+I0Oy8uIqn904rKttHkoIIuZkfiXqCYNg:41UQpu8Hqm4wKodkkqXBm
Malware Config
Signatures
- Gh0st RAT payload (2 IoCs)
  resource: C:\1062300.dll, yara_rule: family_gh0strat
  resource: \??\c:\program files (x86)\fbcd\kbcdefghi.gif, yara_rule: family_gh0strat
- Deletes itself (1 IoC)
  pid 3948, process svchost.exe
- Loads dropped DLL (2 IoCs)
  pid 3328, process 1a97c21ab895158257adf055ccd6cf3e_JaffaCakes118.exe
  pid 3948, process svchost.exe
- Drops file in Program Files directory (2 IoCs)
  File opened for modification: C:\Program Files (x86)\Fbcd\Kbcdefghi.gif, process 1a97c21ab895158257adf055ccd6cf3e_JaffaCakes118.exe
  File created: C:\Program Files (x86)\Fbcd\Kbcdefghi.gif, process 1a97c21ab895158257adf055ccd6cf3e_JaffaCakes118.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 3948, process svchost.exe (repeated 64 times)
- Suspicious behavior: LoadsDriver (6 IoCs)
  pid 4 (repeated 5 times), pid 672
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Token: SeBackupPrivilege, pid 3328, process 1a97c21ab895158257adf055ccd6cf3e_JaffaCakes118.exe (repeated 4 times)
  Token: SeRestorePrivilege, pid 3328, process 1a97c21ab895158257adf055ccd6cf3e_JaffaCakes118.exe (repeated 4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\1a97c21ab895158257adf055ccd6cf3e_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1a97c21ab895158257adf055ccd6cf3e_JaffaCakes118.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\svchost.exe
  command line: C:\Windows\SysWOW64\svchost.exe -k imgsvc
  - Deletes itself
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3984 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
Downloads
- C:\1062300.dll
  Filesize: 112KB
  MD5: 339e612cfa378411cff35260fe3084a0
  SHA1: cc9e82478958e14d7b3a7d404ada2d5745ae3b8e
  SHA256: 7d1220a54ae455ce49db678c94b275191585fecb4d4c8d6aee9a3421eaa65289
  SHA512: fe1caa47b925296528ed549210756cb890ea735ed56a3d451e0af61f8b83bdbcda6404a91111b632154e0276e3c88c98eef11edd7dd140f31045d57dfec4839f
- C:\WinWall32.gif
  Filesize: 99B
  MD5: 68bb751f81cdc71002d735609798b43f
  SHA1: 2df9e62aec310cd498d6dd6326a390c783f1559f
  SHA256: 44574ae1e000d02ef0b16e44d2a43942bc0c12cf14ca1506583271b4b2c9d29a
  SHA512: e8d65dbf74953d5d16997172f8e985227026e0f8c49782c6e932176ff2a661818ff633dd9b29a19d4ab2d8a5fbb1f6f2d0c9ae58e01670c979062c867da9b779
- \??\c:\program files (x86)\fbcd\kbcdefghi.gif
  Filesize: 5.4MB
  MD5: b489da46fc3a0177b363d3fc007c87eb
  SHA1: 82fd8585292ac980de36d7dbeb4847b6d5f75806
  SHA256: bceb9de528ff1cbbedc0ba24761b40132b565933283cc0934ea4b98a7665dcb9
  SHA512: 2885b95ba1184bd7357c26df92ef24b63b09dad26901170d2f9cd6333a9558d356a27a748192a6d2a995dc6dacef33c233f7c5becbd5dc8e838ed230f0504208