General

  • Target

    78259903828ee203e9c6e73d930e2684_JaffaCakes118

  • Size

    10.8MB

  • Sample

    240527-gvcpgaae6v

  • MD5

    78259903828ee203e9c6e73d930e2684

  • SHA1

    6b6785558d34cd2c6ff6677c0b96763f90d00436

  • SHA256

    4179811143d7efe0454ed70b6e83ad56605f02a11742ec8bf4f7ba085d096a40

  • SHA512

    b48a125921db0fc64fadc4047ffc2a882a74d7348d911480022457f7fc412f5abd7d3cd0e626ca2057637b5547aa9fba34f575bba66bf340027f5dbc08d1341f

  • SSDEEP

    196608:xKg5po0SYj0mTMITe1OxHJtmGH5MMG0rRaLUZ/MizlPB98DKyhCwXeAZjJUcpcQE:xKACJY/Tk1OFJEYe0rRJrj8DZhtcT

Malware Config

Targets

    • Target

      上万免费版本下载基地.url

    • Size

      112B

    • MD5

      e03edacde67b4ecfb021ce78a919d5ad

    • SHA1

      030d933b78757e3bf4f6126bbb357c79ba41db51

    • SHA256

      6df8c53cddaf3fd630fb3a870535d8f840df526f5c1fd10b0d589f3526ff9620

    • SHA512

      9e61567d9fa5e95e5c6bc2688dccf4c2e51bb5aa07b67671fd1babc4e62f63ec40a8324a1ae5f56ec1d19b737639091e38f2fc7523eda8fd9c813b191e71699b

    • Score

      1/10

    • Target

      完整商业版本下载.url

    • Size

      111B

    • MD5

      e9489d9e668a1f090c0df3d475eb5433

    • SHA1

      b19aa1848ca5d05a3619eba05e3e3abf1996ab9e

    • SHA256

      2213ef15e09230e9631aab2150491c47ab8f5a9b1e589eedecdaddca406996bf

    • SHA512

      d33efb730273412f464423f0b06e2dbffd8ef230045bedfa26d3dc5df70e21d3429579feb09b21ca9410a1aaefb0b5b3514346b4654f6076b4c53e27d5edd532

    • Score

      1/10

    • Target

      AFT注册码生成.exe

    • Size

      863KB

    • MD5

      6d948bbda3c46e111059a3ff1956f375

    • SHA1

      6b578d938233a025b07e0ee49745e3082d9cd905

    • SHA256

      215fce2d786cdf7b326ef31e5714476dcf50b82d3b5109101dbf02bac370ca43

    • SHA512

      f52703bd836d4958409768ce9b39df4846343081670a8e64cde7bc822975ab47f4fea3e52c8df2c4403f1de0b1d56fb387167e7dcfea8f92018352f7815e7649

    • SSDEEP

      24576:GuZqtYlG4X82BERr6Xf0UyaWHhzsS0HsNLFWd:PlG4X82Xfm3hzxNNLG

    • Score

      10/10

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      AFT3.DAT

    • Size

      3.6MB

    • MD5

      80bc3ce0438ff64aa9ec33c6b84adf3f

    • SHA1

      0f0111051e767eb312e3531676f397ddba6e0420

    • SHA256

      1644bfadc5ca995a21811d0453d6e111b9e0ffcc11ecd48a17126a919e084fd8

    • SHA512

      19b90987d12299116c8e4f882b5aea379f84ada2b391243ed75984063a4fc492d2ebd2b30a5d720abd00caf0ff63f0602c40304e3134bfa1c20c09c7e9876cef

    • SSDEEP

      98304:HH9r3/1KpwxtTbBsTIjchOlTIaN0qFNuK/abr:nx1J+8jcETIO0lH

    • Drops file in Drivers directory

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      复件 AFT3.DAT

    • Size

      3.6MB

    • MD5

      5e0e2413f15cb07b0e55b27be7fe91ab

    • SHA1

      57dc490965158f7e24376515e9d05bec0d34e163

    • SHA256

      b5c1356d1d1e311ffd4dbc28f87bcaa18687f565dbf5cea7630757a9e89e96e0

    • SHA512

      75911f94e30476d142a9bc6817270bb301589d13e33f691b3879fc8997eebe1b1cf6f34c2a5fbe474aa0750b04957d7b7c6f9d03440bf42721d910e2b69fa168

    • SSDEEP

      98304:4H9r3/1KpwxtTbBsTIjchOlTIaN0qFNuK/abr:Gx1J+8jcETIO0lH

    • Drops file in Drivers directory

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      复件 AFT3_REG_C.exe

    • Size

      1.0MB

    • MD5

      efbc9779df0f1f69ef163493a53a7402

    • SHA1

      9982fc5e1ac907348da595c88c1b8ec72b60af2f

    • SHA256

      9bfe284c4cfdcec04fd97ba8c33e50fd10cb708a88e77989caef2b69b29a2ce7

    • SHA512

      90b9c2aa95f45f6159f5ef92be61243f0825b003ceffbdb314296028495931288759bb662e85a4da31c4eb0149962325954d923a728ad8bdc36b6a1409d51e17

    • SSDEEP

      24576:vAvFURn7dJCltaoRkTUUDao5oVI6zXMaQQB5:vuFUfglthRkdanDVl

    • Score

      3/10

    • Target

      Kong.dat

    • Size

      1.7MB

    • MD5

      cd1684a44d1438ed2d9219ac4096cb18

    • SHA1

      d7d4e7755adeea59b1b41c82073981498fe4d238

    • SHA256

      64bbb9fd022e8c22eebec9ca120ffae52d18320387f474026e2dbbae6fa72da5

    • SHA512

      e4bcdc83912a4f8de51c2169ab97f02cbb7513ad478ff8412fef94febeae80676c13af8fa42349c5b72ec8d6bf592452292aa4f7d9e02d68875ea37ec71f3d50

    • SSDEEP

      49152:n4qgpI6JC0FKVbd1fWozTijNTFydj2NY0jnCrNWZ/:n4qgpJJ1EFWoTiBTFQSNY0jCr

    • Score

      7/10

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Target

      帝王登陆器生成.exe

    • Size

      662KB

    • MD5

      4d2b68fa9018fa24c7ab936717a49316

    • SHA1

      b3dbc628d9fbca967e25d7ea028b1b3ae0d18834

    • SHA256

      affa9915b2f509bb2692da7ea298581deb2dff3a6005d791cfc534298aa5e876

    • SHA512

      b2d64b0696424efdec96e785438f10bc5ce63f084bb4979f917701c4e41d3e70bb2f52f11c6dc0fd3a09e1ce5f1b920bc28f04cee803da09189e4492548cb811

    • SSDEEP

      12288:uT6ZI7ZTkQLnHQHL7P+b8DukMgx4o8b4GYVJ:SAI66nwHfGbcujpo7GYV

    • Score

      1/10

    • Target

      配置信息生成器.exe

    • Size

      619KB

    • MD5

      f26b30c46ee7cb371175d7b1278a0dd2

    • SHA1

      816fa3a252f4e8e8cacfcb8c2b263073dc08bab7

    • SHA256

      2dd6744f3e608e8cca06968a9a0d64e9e505ae25159903e2f5703c253b6ee85d

    • SHA512

      1550573bb85d5175b269955e7f1857e943d430fa061b71ce9ffd955ada06f78215964f18c6e815fd464ce7f91da2682e62cad53f2aa084b6f2a9efe2e619fca8

    • SSDEEP

      12288:jeuZqtYlG4I8oTsYf+L9n3c42jHe0Q1KZAej+Pu+W9Up:auZqtYlG4IfTs6+JEI1IaPt

    • Score

      10/10

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

MITRE ATT&CK Enterprise v15

Tasks