Analysis

  • max time kernel
    119s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-04-2024 19:19

General

  • Target

    f1bbb968bd19abc217e835ce1dcb8e53_JaffaCakes118.exe

  • Size

    117KB

  • MD5

    f1bbb968bd19abc217e835ce1dcb8e53

  • SHA1

    28f0065d7c5751a69e96ca96eb4315d4dfc6c961

  • SHA256

    e16171cfdfd4207352fdd683375cad3473809444e815dda3f23c6b1276ebc38d

  • SHA512

    c1276bbd2794fd89ff3d671131755c3f661a6e7c6056582a6e7cb21779be02a3c97e1d1fbcb50efcd09cb15481aff61f8c37907e92c10af66a9868d994b5394e

  • SSDEEP

    3072:6CwvVlRaD/sIG/nKMmtXy4OxwTo13oM/G1j:6CQxagrCLXLUL13oM/G1j

Malware Config

Signatures

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Drops file in Drivers directory 2 IoCs
  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f1bbb968bd19abc217e835ce1dcb8e53_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f1bbb968bd19abc217e835ce1dcb8e53_JaffaCakes118.exe"
    • Drops file in Drivers directory
    • Sets DLL path for service in the registry
    • Loads dropped DLL
    • Drops file in System32 directory
    PID:2952
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    • Drops file in Drivers directory
    • Deletes itself
    • Loads dropped DLL
    PID:1760

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\install.tmp

    Filesize

    84B

    MD5

    c9b8fac29f3a5b4da7eac963a0bd01b8

    SHA1

    5323995ba5869f3863d839f82f1260bc51b6771f

    SHA256

    7e8361be9d212c1199bfdc9a2ee6fc1fd0947ee5198098835280a6cdfa40e75a

    SHA512

    ffde0bcaad08859286e64250a02981edc17fbe53d6de82e91eae645f3f06fc0d09800b7396f94bf750c71996627eca566085c2fde49869fc09b8b424711efd33

  • \Users\Admin\AppData\Local\Temp\dll.tmp

    Filesize

    81KB

    MD5

    14cbbe8328d406e60616e06331749834

    SHA1

    938fc38a5a2e01d5602badc5892b6d5383d10039

    SHA256

    670553a42386f83c85c472690baac15babce4a109214825a43f265545d056a4a

    SHA512

    e935cf2a1a0ed0df2a0463bc94b8f01716175449a81cad8b64313dbcb5aaa407a8d16a817b496e14227417aaf058f8d4c14ab67473e1993ea81391f35b63e826