General

  • Target

    066e5193d94698b82034ea2149e55f89_JaffaCakes118

  • Size

    5.0MB

  • Sample

    240429-azt1zsdb33

  • MD5

    066e5193d94698b82034ea2149e55f89

  • SHA1

    ba2907c9b72469afdd9e61d74a02000960d12371

  • SHA256

    ebe5c1b1c1c0084004c92a3f5f70a88102c76477f218df4eec5cb4b451349e3a

  • SHA512

    de63a58e4062c48fe3d7a05690f98c5fe40150c677a0bdbf1763c4e4f71bf1782927e67f0e37688760b598219681710d80d70220c29f7c54c82b5a168b5a77d8

  • SSDEEP

    98304:jFXSKaSL7oqAJVARqbcmRnLdXKNjk57Xxm1L043b/imFAKzPq/3rybeRq:xXaSLTA00c4c1lL/rZWDbI

Malware Config

Extracted

Family

gh0strat

C2

fwq.kuai-go.com

Targets

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • RunningRat

      RunningRat is a remote access trojan first seen in 2018.

    • RunningRat payload

    • Sets DLL path for service in the registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Creates a Windows Service

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks