Analysis

  • max time kernel
    150s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240412-en locale:en-us os:windows10-2004-x64 system
  • submitted
    16-04-2024 06:53

General

  • Target

    f2ef5cde02e79c38338e7bb163d63b5f_JaffaCakes118.exe

  • Size

    134KB

  • MD5

    f2ef5cde02e79c38338e7bb163d63b5f

  • SHA1

    3d272166feefc6bf275182bf57c9d12fc0bd5fcc

  • SHA256

    ff1a30e56965197f69bb88572482f53816230b416924d30097dcce9bcb0c32ee

  • SHA512

    086b88e9385419978f04f6a8a3d0dc7ebd8b8c66ac99d2218b8f9b2398d9e2ed51d49ec4587e451ea19ce156e1f7c0dfd624b025dc182936b9d0c3cfc962203b

  • SSDEEP

    3072:MMwZSQpKa3VGVnpUlCz764/9xpEEBqbZuwK5iGHeqovv:M3JVGpxx9b3wZuwK4GHeqo

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 2 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f2ef5cde02e79c38338e7bb163d63b5f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f2ef5cde02e79c38338e7bb163d63b5f_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:628
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    1⤵
    • Deletes itself
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    PID:1656
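The process tree shows the behaviour a detection should key on: the SysWOW64 svchost.exe in the imgsvc service group loads a DLL that was dropped outside the system directories and then deletes the original dropper. The group name by itself is not an indicator (imgsvc is a standard service group), so the rules below look at where svchost loads modules from and what it deletes. This is an added example, not part of the sandbox report; the events are constructed in a Sysmon-like dict shape (ProcessCreate / ImageLoad / FileDelete) with paths and PIDs taken from the report plus made-up benign events for contrast, and the system-directory list assumes a plain Windows install.

```python
"""Detection logic for the svchost behaviours in the process tree above.

Added example, not part of the sandbox report. Events are constructed
(Sysmon-like dicts), not the sandbox's own telemetry.
"""
import ntpath

# Directories svchost.exe legitimately loads modules from (assumption: plain
# Windows install without third-party service DLLs elsewhere).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
SVCHOST_IMAGES = {"c:\\windows\\system32\\svchost.exe", "c:\\windows\\syswow64\\svchost.exe"}


def norm(path):
    """Lower-case and normalise separators so comparisons are case-insensitive."""
    return path.replace("/", "\\").lower()


def in_system_dir(path):
    return any(norm(path).startswith(d) for d in SYSTEM_DIRS)


def check_event(ev):
    """Return a list of findings for one event; an empty list means nothing flagged."""
    findings = []
    image = norm(ev["image"])
    pid = ev["pid"]

    # Masquerading: something named svchost.exe outside System32/SysWOW64.
    if ntpath.basename(image) == "svchost.exe" and image not in SVCHOST_IMAGES:
        findings.append(f"pid {pid}: svchost.exe running from non-system path {ev['image']}")
        return findings
    if image not in SVCHOST_IMAGES:
        return findings  # the rules below only apply to the real svchost

    if ev["type"] == "ImageLoad" and not in_system_dir(ev["loaded"]):
        # Mirrors the report: svchost -k imgsvc loading the dropped C:\3042900.dll.
        findings.append(f"pid {pid}: svchost loaded non-system module {ev['loaded']}")
    elif ev["type"] == "FileDelete" and norm(ev["target"]).endswith(".exe"):
        # Mirrors the report's "Deletes itself": the service host removes the dropper.
        findings.append(f"pid {pid}: svchost deleted executable {ev['target']}")
    return findings


def scan(events):
    """Run check_event over a sequence of events and collect every finding."""
    out = []
    for ev in events:
        out.extend(check_event(ev))
    return out


# Constructed sample telemetry: two events mirror the report, one is a
# constructed masquerade, the rest are benign filler.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "pid": 1656, "image": "C:\\Windows\\SysWOW64\\svchost.exe",
     "cmdline": "C:\\Windows\\SysWOW64\\svchost.exe -k imgsvc"},
    {"type": "ImageLoad", "pid": 1656, "image": "C:\\Windows\\SysWOW64\\svchost.exe",
     "loaded": "C:\\Windows\\SysWOW64\\ws2_32.dll"},
    {"type": "ImageLoad", "pid": 1656, "image": "C:\\Windows\\SysWOW64\\svchost.exe",
     "loaded": "C:\\3042900.dll"},
    {"type": "FileDelete", "pid": 1656, "image": "C:\\Windows\\SysWOW64\\svchost.exe",
     "target": "C:\\Users\\Admin\\AppData\\Local\\Temp\\f2ef5cde02e79c38338e7bb163d63b5f_JaffaCakes118.exe"},
    {"type": "ImageLoad", "pid": 4120, "image": "C:\\Program Files\\Example\\app.exe",
     "loaded": "C:\\Program Files\\Example\\helper.dll"},
    {"type": "ImageLoad", "pid": 4321, "image": "C:\\Users\\Admin\\Downloads\\svchost.exe",
     "loaded": "C:\\Windows\\System32\\kernel32.dll"},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)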


Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\3042900.dll

    Filesize

    101KB

    MD5

    6be72d4ad0a31518eb3b3b819cfd5b9b

    SHA1

    314beb3e971046d636cbb2d55c8c48000f62d9fe

    SHA256

    193f711c4563a59608047a6326a396631536bcf0bc6a01e1a9b28cdb380d3861

    SHA512

    43dbe3f541c9a9604c9f11a79112a0c3f22ec5701167d08558ec8392f7b07a9ab769c3c623b6085cb3fa00664687331daa929dcd3274a265d7261e0d024cc59c

  • \??\c:\NT_Path.jpg

    Filesize

    99B

    MD5

    ff9c55becd1b9d495db040194c71858a

    SHA1

    62b88a3da2a9ec77b13dcef65abbd3dbf7408bfa

    SHA256

    c6f4ea1d450175564cd8a8fe5579c8d89e56a1fe24555cdbb63e625ff96b2359

    SHA512

    3a9146bb8e8877c52d8656d90b868d3d68bc38c9f3ced20717f373a0043f91c591981a0ca1b5367c573c8d9ad43a82ef77e37868b30b5ae02e2622fa31b43e92

  • \??\c:\windows\filename.jpg

    Filesize

    2.3MB

    MD5

    bb2942800b6df758e8db3dcdea3116b0

    SHA1

    490ffe6e6de56cb7e4c3d44706dcf042b0cc1fd8

    SHA256

    d8b0a9dbe6921bc35ccb454fc5de46af3cd2932be5c9e3fcc98f7a9498604442

    SHA512

    0f1cf46bccd1cae59aa9ed9d3a6a3723e52ee97bda780b27dfe87c3e7856ab363b65f21f15b464ee290a150d736e4b644e1afb446c6507571ee324de9527bceb