Analysis
- max time kernel: 132s
- max time network: 133s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 01-07-2024 10:15
- Static task: static1
- Behavioral task: behavioral1
- Sample: 1ae7a739ce28d965a88dc7d29d348d2d_JaffaCakes118.exe
- Resource: win7-20240508-en
General
- Target: 1ae7a739ce28d965a88dc7d29d348d2d_JaffaCakes118.exe
- Size: 96KB
- MD5: 1ae7a739ce28d965a88dc7d29d348d2d
- SHA1: 4819a9508ab05de1180b6ae110d350937b383dd3
- SHA256: 3cfba09cb18312624a33d7ccfec0ae8a8bfcca8f309302acb78243dd748896c1
- SHA512: 3c12ded99f0ac053d4e5901512f26d43af8dc4d9ac35d64b1aa5686180460ad8330f97e00054ba154d4550c3c2d7016034a0ee164f601ef378e8ecc3f6743a82
- SSDEEP: 1536:uJFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8pr65dBM+9:ufS4jHS8q/3nTzePCwNUh4E90dBM+9
Malware Config
Signatures
- Gh0st RAT payload (2 IoCs)
  Processes (resource / yara_rule):
  - \ProgramData\Storm\update\%SESSIONNAME%\cvqxm.cc3 / family_gh0strat
  - behavioral1/memory/2556-23-0x0000000000400000-0x000000000044E2AC-memory.dmp / family_gh0strat
- Deletes itself (1 IoCs)
  Processes (pid / process):
  - 2556 / hylftrngyv
- Executes dropped EXE (1 IoCs)
  Processes (pid / process):
  - 2556 / hylftrngyv
- Loads dropped DLL (3 IoCs)
  Processes (pid / process):
  - 2296 / 1ae7a739ce28d965a88dc7d29d348d2d_JaffaCakes118.exe
  - 2296 / 1ae7a739ce28d965a88dc7d29d348d2d_JaffaCakes118.exe
  - 2616 / svchost.exe
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes (description / ioc / process):
  - File opened for modification / \??\PhysicalDrive0 / svchost.exe
- Drops file in System32 directory (2 IoCs)
  Processes (description / ioc / process):
  - File created / C:\Windows\SysWOW64\ytjuyvgyru / svchost.exe
  - File created / C:\Windows\SysWOW64\yksrmuagsh / svchost.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
  - Key opened / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 / svchost.exe
  - Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz / svchost.exe
- Modifies data under HKEY_USERS (6 IoCs)
  Processes (description / ioc / process):
  - Key created / \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft / svchost.exe
  - Key created / \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie / svchost.exe
  - Key created / \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum / svchost.exe
  - Set value (int) / \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7" / svchost.exe
  - Key created / \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum / svchost.exe
  - Key created / \REGISTRY\USER\.DEFAULT\Software / svchost.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid / process):
  - 2556 / hylftrngyv
  - 2616 / svchost.exe
  - 2616 / svchost.exe
  - 2616 / svchost.exe
- Suspicious use of AdjustPrivilegeToken (18 IoCs)
  Processes (description / pid / process):
  - Token: SeRestorePrivilege / 2556 / hylftrngyv
  - Token: SeBackupPrivilege / 2556 / hylftrngyv
  - Token: SeBackupPrivilege / 2556 / hylftrngyv
  - Token: SeRestorePrivilege / 2556 / hylftrngyv
  - Token: SeBackupPrivilege / 2616 / svchost.exe
  - Token: SeRestorePrivilege / 2616 / svchost.exe
  - Token: SeBackupPrivilege / 2616 / svchost.exe
  - Token: SeBackupPrivilege / 2616 / svchost.exe
  - Token: SeSecurityPrivilege / 2616 / svchost.exe
  - Token: SeSecurityPrivilege / 2616 / svchost.exe
  - Token: SeBackupPrivilege / 2616 / svchost.exe
  - Token: SeBackupPrivilege / 2616 / svchost.exe
  - Token: SeSecurityPrivilege / 2616 / svchost.exe
  - Token: SeBackupPrivilege / 2616 / svchost.exe
  - Token: SeBackupPrivilege / 2616 / svchost.exe
  - Token: SeSecurityPrivilege / 2616 / svchost.exe
  - Token: SeBackupPrivilege / 2616 / svchost.exe
  - Token: SeRestorePrivilege / 2616 / svchost.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description / pid / process / target process):
  - PID 2296 wrote to memory of 2556 / 2296 / 1ae7a739ce28d965a88dc7d29d348d2d_JaffaCakes118.exe / hylftrngyv
  - PID 2296 wrote to memory of 2556 / 2296 / 1ae7a739ce28d965a88dc7d29d348d2d_JaffaCakes118.exe / hylftrngyv
  - PID 2296 wrote to memory of 2556 / 2296 / 1ae7a739ce28d965a88dc7d29d348d2d_JaffaCakes118.exe / hylftrngyv
  - PID 2296 wrote to memory of 2556 / 2296 / 1ae7a739ce28d965a88dc7d29d348d2d_JaffaCakes118.exe / hylftrngyv
Processes
- C:\Users\Admin\AppData\Local\Temp\1ae7a739ce28d965a88dc7d29d348d2d_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1ae7a739ce28d965a88dc7d29d348d2d_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - \??\c:\users\admin\appdata\local\hylftrngyv (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1ae7a739ce28d965a88dc7d29d348d2d_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\1ae7a739ce28d965a88dc7d29d348d2d_jaffacakes118.exe
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- \ProgramData\Storm\update\%SESSIONNAME%\cvqxm.cc3
  Filesize: 19.0MB
  MD5: 57267006514ad8b0ff7ff214e78f13ff
  SHA1: 7cba59ebd93e07241fc8e954a7aeb0e8f60fcc16
  SHA256: 75d7d931e1a665d4830ad0886141c2bb5e4197ba775c34688375ba2d102564a6
  SHA512: dbee3c3d366d30029e0ffb7cabee3d17948d3d4caecc9a14ce2621257e18fd220adfc78cae46794ec77286215573afe927c2f7bc8d53fc56408b39857f7a69cb
- \Users\Admin\AppData\Local\hylftrngyv
  Filesize: 20.1MB
  MD5: eda26b84c3d37058d279eea978333303
  SHA1: 0c3319ac50bb1e88e13fc6f3bd2a4d87160b9065
  SHA256: f4747bbad5366bcd937af0e673395a0c2051746efb3c99036b7bca521c7f6bc5
  SHA512: 67c9c6d7b671c5f947b8c227b1e64ad60862bcb26c56ea78e739abffa102b3134e797a4198a063ba81a210cd500ce1f18555aae65c309d06527a1f8ac741248a
- memory/2296-2-0x0000000000030000-0x0000000000031000-memory.dmp
  Filesize: 4KB
- memory/2296-1-0x0000000000400000-0x000000000044E2AC-memory.dmp
  Filesize: 312KB
- memory/2296-6-0x0000000000240000-0x000000000028F000-memory.dmp
  Filesize: 316KB
- memory/2296-15-0x0000000000400000-0x000000000044E2AC-memory.dmp
  Filesize: 312KB
- memory/2556-17-0x0000000000400000-0x000000000044E2AC-memory.dmp
  Filesize: 312KB
- memory/2556-16-0x0000000000030000-0x0000000000031000-memory.dmp
  Filesize: 4KB
- memory/2556-23-0x0000000000400000-0x000000000044E2AC-memory.dmp
  Filesize: 312KB
- memory/2616-24-0x00000000005B0000-0x00000000005B1000-memory.dmp
  Filesize: 4KB