Overview

overview

10

Static

static

10

b03889b9eb...18.exe

windows7-x64

10

b03889b9eb...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-06-2024 21:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b03889b9ebf63154d70c97cea89f13a5_JaffaCakes118.exe

  • Size

    112KB

  • MD5

    b03889b9ebf63154d70c97cea89f13a5

  • SHA1

    51d2cef64e6db8029d2d206f6865ad07cf36ae76

  • SHA256

    7c6c3b4d687b1e46697b497df7821e1f47d82a68fdcdf3fde48f5b358b330771

  • SHA512

    a5bbc9d5d5cb426eb955f728dac15f2351897712f4f766a2e5fa0334e41ddbd3d7fd59d2046e283fe3353ad625f6410292c88c58e255ff3921a2729bba394166

  • SSDEEP

    1536:vqEA70HzLJksPEOajozLElnqiO29dJ/tHi:vXTLJkQ7zAV3NtC

Score
10/10
gh0stratrunningratpersistencerat

Malware Config

Extracted

Family

gh0strat

C2

post.f2pool.info

Signatures

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • RunningRat

    RunningRat is a remote access trojan first seen in 2018.

    ratrunningrat
  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Creates a Windows Service
    persistence
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b03889b9ebf63154d70c97cea89f13a5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b03889b9ebf63154d70c97cea89f13a5_JaffaCakes118.exe"
    1⤵
    • Sets DLL path for service in the registry
    • Checks computer location settings
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4844
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\Admin\AppData\Local\Temp\b03889b9ebf63154d70c97cea89f13a5_JaffaCakes118.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:888
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 1
        3⤵
        • Runs ping.exe
        PID:4216
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k "lsass"
    1⤵
      PID:1036
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe -k "lsass"
      1⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:3080
      • C:\Windows\SysWOW64\lsass.exe
        C:\Windows\system32\lsass.exe "c:\users\admin\appdata\local\temp\240644781.dll",MainThread
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:1128
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3776,i,3833046924978547022,12404847742964713612,262144 --variations-seed-version --mojo-platform-channel-handle=4228 /prefetch:8
      1⤵
        PID:2300

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\240644781.dll
        Filesize

        37KB

        MD5

        a0e293ba67e126846d68fd2a401f1458

        SHA1

        69643cdfb2eab46c73a20b335b89df990a360fe8

        SHA256

        ceb1f2ee865afc433df501a66f57155ce2478f7901a05a3d11851a81e24e7d8b

        SHA512

        d8109bcef384554881dc7772c2b63cf6f290bcc1834716434260e26a773e62dcb38186b087f5a5a382da9c2b971862eb99af22c619cd77b69105b1ac00fb64fc

        Download Submit

      • C:\Windows\SysWOW64\lsass.exe
        Filesize

        60KB

        MD5

        889b99c52a60dd49227c5e485a016679

        SHA1

        8fa889e456aa646a4d0a4349977430ce5fa5e2d7

        SHA256

        6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

        SHA512

        08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

        Download Submit