Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/04/2024, 11:18

General

  • Target

    00a62d22e0d2bc1191c7cf03303a9b96_JaffaCakes118.exe

  • Size

    126KB

  • MD5

    00a62d22e0d2bc1191c7cf03303a9b96

  • SHA1

    9b228c28e6e571463708eb41cc8127fb1a063114

  • SHA256

    3f046e995d4b615b9ed5cd52372529f54972d7da0dcfbd136c4bd3ff3380fb97

  • SHA512

    cb2ca473925e9bc8a0cad27307fec80444cab874d87dd35b25fe28a2035c6f7299daa75e36695b2cab3744bc2a39df0e524123551527764f575c4acb8368d038

  • SSDEEP

    3072:1fu81m+O6rM/TWeHiYzmhLTIhttHU4o4ugkCiHWwxA:1f/1TMvCYkLTIT64N1kJ2W

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 2 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\00a62d22e0d2bc1191c7cf03303a9b96_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\00a62d22e0d2bc1191c7cf03303a9b96_JaffaCakes118.exe"
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1488
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    • Deletes itself
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    PID:3680

Network

MITRE ATT&CK Matrix

Downloads

  • C:\2332900.dll
    Filesize
    112KB
    MD5
    152f29d7e22dcc696f30347dcd60ac54
    SHA1
    46f7f0cb14f2bcb23ae85c0cbde26ffdf5917218
    SHA256
    306a49f1d067641875d719a61f128a4a29873b252ed668f4a7a17995352a5c94
    SHA512
    fc17a29cf81180fde87d199b188d4c920f03751e659fa26c2320fe2950ee4381d595cca1c068666207216df1027b4640db29222f4e48a0b6db914acd1ccfa4f3
  • C:\WinWall32.gif
    Filesize
    99B
    MD5
    64bd63045cfa1c388ae7f1748d961506
    SHA1
    7e2255a6fea978b93a8239aecaa42a2a2e341d20
    SHA256
    2679b307b8e5d695b9c8aba1815af8025dffd19e81ba7d867e55c8501a0ec9ef
    SHA512
    a2db4c75478933f48f192b6c29d859317befc1a12638aa0c7ebc0893cbac2be0ce6c9f971bf6752b97bae6b824c3e716bb42ce91c1b97f5e3af41920eb75556b
  • \??\c:\program files (x86)\lhij\qhijklmno.bmp
    Filesize
    14.2MB
    MD5
    123f38da94e71643f09ea0c7e5ff919b
    SHA1
    f9377d68a42f5375eb502767f0a093dc072aa02b
    SHA256
    8bb5d84678959de64b7e8af839fb7b1bd66a3c05c39cac32585534fd35deba86
    SHA512
    603382724022a3c45228bc008076b8068d673f77999f85f51a07e69173523cacb9be9ae7b5110a654f9fd1b387f6750d837380b0562b36ecf893e3aba02e1661