gh0strat | 0cb826c1238a28e8417beb953789ec9fece0d4572da0941779024f2653b6f83d | Triage

Submit
Reports

Overview

overview

Static

static

7

fcefee6d1f...18.exe

windows7-x64

fcefee6d1f...18.exe

windows10-2004-x64

Sharing

General

Target

fcefee6d1fce90af5fa38bc30152ff7d_JaffaCakes118
Size

193KB
Sample

240420-rhsv2aad25
MD5

fcefee6d1fce90af5fa38bc30152ff7d
SHA1

80b754cebdb85969c5ebed0efe4774e0555238dc
SHA256

0cb826c1238a28e8417beb953789ec9fece0d4572da0941779024f2653b6f83d
SHA512

3c1fc34243e914b61db7a95ed6a1026685bae38c3625aed95cb0bb7f6b1b2f9f9510141eb1cc95d6eb0e25c5a3c4f38eb0ebe77f7af16cc8673b117be69b3bcc
SSDEEP

3072:rC1LJUgnLKPzB1B9X4RO6wdjAE0pKWfx2/00UVCrprfEo4jFI:ruLmwkBPlwO6QjAVpKu3JVCrpbEtI

Score

10^/10

gh0strat rat vmprotect

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

fcefee6d1fce90af5fa38bc30152ff7d_JaffaCakes118.exe

Resource

win7-20240221-en

gh0strat rat vmprotect

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

fcefee6d1fce90af5fa38bc30152ff7d_JaffaCakes118.exe

Resource

win10v2004-20240226-en

gh0strat rat vmprotect

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Targets

- Target
  
  fcefee6d1fce90af5fa38bc30152ff7d_JaffaCakes118
- Size
  
  193KB
- MD5
  
  fcefee6d1fce90af5fa38bc30152ff7d
- SHA1
  
  80b754cebdb85969c5ebed0efe4774e0555238dc
- SHA256
  
  0cb826c1238a28e8417beb953789ec9fece0d4572da0941779024f2653b6f83d
- SHA512
  
  3c1fc34243e914b61db7a95ed6a1026685bae38c3625aed95cb0bb7f6b1b2f9f9510141eb1cc95d6eb0e25c5a3c4f38eb0ebe77f7af16cc8673b117be69b3bcc
- SSDEEP
  
  3072:rC1LJUgnLKPzB1B9X4RO6wdjAE0pKWfx2/00UVCrprfEo4jFI:ruLmwkBPlwO6QjAVpKu3JVCrpbEtI
Score

10^/10

gh0strat rat vmprotect
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

Install Root Certificate

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

gh0stratratvmprotect

behavioral2

gh0stratratvmprotect

© 2018-2024

Terms | Privacy