General

  • Target

    28791769da9ed51d070020058e9c172c_JaffaCakes118

  • Size

    112KB

  • Sample

    240509-f2h96afe72

  • MD5

    28791769da9ed51d070020058e9c172c

  • SHA1

    a9060e5b1c51da2b213917cec15a0ff51aecde05

  • SHA256

    4ede99f5c5f44b2f9e573c23eed940512cdaa1ab578ac4548e511e0b0c1b24e9

  • SHA512

    04ea27c1cfe4f4937cdaf204c3883bd395b289e400bf51fa945ca24fecc4813f626e3920445db5fcaa22b1cfdf8ca0922779a87ee993d1dfac7695237d8d1973

  • SSDEEP

    1536:vqEA70HzLJksPEOajozLElnqiO2UdJ/tHi:vXTLJkQ7zAV3mtC

Malware Config

  • Family

    gh0strat

  • C2

    1.234.27.25

Targets

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese threat groups.

    • Sets DLL path for service in the registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Creates a Windows Service

    • Drops file in System32 directory
