Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-06-2024 21:34

General

  • Target

    009dfa5f6f8d806249c03e9d031866cb_JaffaCakes118.exe

  • Size

    126KB

  • MD5

    009dfa5f6f8d806249c03e9d031866cb

  • SHA1

    a4473c9d5590d1dd002710dc5b5864b42c97866a

  • SHA256

    795dce5814389f1f04403f58aff53e9d65eb54088d61690dd5d0365c37bee5e6

  • SHA512

    a11f7dde157add77b3b3ef1594dd16cb954495d8a6b5705467e0770799e573219c4951905f86eaac124c75815ac8b2e9d50c49491c0879567ad649aa526cdc4d

  • SSDEEP

    3072:61UNGB+I0Oy8uIqn9X4rKttHkoIIuZkfiXqCYNg:61UQpu8Hqx4wKodkkqXBm

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 4 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese threat groups.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\009dfa5f6f8d806249c03e9d031866cb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\009dfa5f6f8d806249c03e9d031866cb_JaffaCakes118.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1932
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    1⤵
    • Deletes itself
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    PID:2816
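
The process tree above shows the usual Gh0st service-DLL pattern: the dropper (PID 1932) writes files under Program Files and exits, while the 32-bit svchost.exe hosting the imgsvc service group (PID 2816) loads a dropped DLL and deletes the original sample. Note that "svchost.exe -k imgsvc" is itself a legitimate command line (the Windows Image Acquisition service group), so the command line alone is not the signal; a DLL loaded by svchost.exe from outside the Windows directory, and svchost.exe deleting a file in a user's Temp folder, are. The script below is an added example, not part of this report or of the sandbox's own tooling. It runs that triage check over constructed Sysmon-style event lines (EventID 7 = image load, EventID 23 = file delete) modelled on the PIDs and paths in the report; the sample events, their key=value layout and the assumption that the DLL loaded by svchost.exe is C:\2050300.dll are mine, not the report's.

```python
"""Triage check for Gh0st-style service-DLL loading by svchost.exe.

Added example, not code from the sandbox or the report. Event lines are
constructed in a simplified Sysmon-like key=value form; real Sysmon
events would come from the EVTX and need a proper parser.
"""
import re

# Constructed sample events (assumed layout; PIDs and paths follow the report).
SAMPLE_EVENTS = """\
EventID=1 Image=C:\\Users\\Admin\\AppData\\Local\\Temp\\009dfa5f6f8d806249c03e9d031866cb_JaffaCakes118.exe ProcessId=1932
EventID=1 Image=C:\\Windows\\SysWOW64\\svchost.exe CommandLine="C:\\Windows\\SysWOW64\\svchost.exe -k imgsvc" ProcessId=2816
EventID=7 Image=C:\\Windows\\SysWOW64\\svchost.exe ImageLoaded=C:\\Windows\\SysWOW64\\kernel32.dll ProcessId=2816
EventID=7 Image=C:\\Windows\\SysWOW64\\svchost.exe ImageLoaded=C:\\2050300.dll ProcessId=2816
EventID=23 Image=C:\\Windows\\SysWOW64\\svchost.exe TargetFilename=C:\\Users\\Admin\\AppData\\Local\\Temp\\009dfa5f6f8d806249c03e9d031866cb_JaffaCakes118.exe ProcessId=2816
"""

# key=value pairs; values may be double-quoted when they contain spaces.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

SYSTEM_ROOT = "c:\\windows\\"          # DLLs svchost loads should live here
USER_TEMP_MARKER = "\\appdata\\local\\temp\\"


def parse_event(line):
    """Turn one key=value event line into a dict (quoted or bare values)."""
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}


def is_svchost(image):
    return image.lower().endswith("\\svchost.exe")


def analyze(events_text):
    """Return (rule, pid, path) findings for svchost.exe behaviour that
    matches the dropped-service-DLL pattern seen in the report."""
    findings = []
    for line in events_text.splitlines():
        ev = parse_event(line)
        if not ev or not is_svchost(ev.get("Image", "")):
            continue
        pid = ev.get("ProcessId")
        if ev.get("EventID") == "7":
            loaded = ev.get("ImageLoaded", "")
            # A service host loading a module from outside %SystemRoot%
            # (here the assumed C:\2050300.dll) is the Gh0st service-DLL tell.
            if not loaded.lower().startswith(SYSTEM_ROOT):
                findings.append(("svchost_loads_dll_outside_systemroot", pid, loaded))
        elif ev.get("EventID") == "23":
            target = ev.get("TargetFilename", "")
            # svchost.exe has no business deleting a user's Temp file; this
            # is the "Deletes itself" step where the dropper is cleaned up.
            if USER_TEMP_MARKER in target.lower():
                findings.append(("svchost_deletes_temp_file", pid, target))
    return findings


if __name__ == "__main__":
    for rule, pid, path in analyze(SAMPLE_EVENTS):
        print(f"[{rule}] pid={pid} path={path}")
```

The kernel32.dll load is deliberately included in the sample so the rule shows it only fires for modules outside the Windows directory; on a real host you would also allow-list the other locations legitimate service DLLs load from (e.g. Program Files for third-party services) before deploying this as a detection.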

Network

MITRE ATT&CK Matrix

Downloads

  • C:\2050300.dll

    Filesize

    112KB

    MD5

    3ba19d0b67c153989655eaf69aa56c16

    SHA1

    b92bf687122ecef4205b6a38cdd41670886d349c

    SHA256

    e6d8d16db4df48a6979770a37df36fe16fccce85fb5f222da6a76edaa4d94455

    SHA512

    f590fdc94392a32f9c83738141527710fe10482cc088595d647dc67b4169406fb0d0de86779064dca9f01d8ac09e85f54b972afd7f2f744bf043706d61f7652e

  • C:\Program Files (x86)\Uqrs\Aqrstuvwx.bmp

    Filesize

    137KB

    MD5

    f0bb3c311db8c4cb221dedaa57f582dd

    SHA1

    0d5b66a7279c330bb1cc4bc59df8f8bdc08f282f

    SHA256

    144b1d2a94f49298a2e3d8dd7480192adece2f8604bf3ae9176d12959eaecb7f

    SHA512

    ca81b1ef65d29c3ab797e1928f16c356517a4288c4a3baacf83a2f1981844d3cc467a8ed981920b13a07f6988133efe8010c67ae23ad0759f4475d6f7f882f2a

  • C:\WinWall32.gif

    Filesize

    99B

    MD5

    2939420f6265ad228002b597c540399e

    SHA1

    23fb301e7b3aa2a9ccaaf851e950b100817cea21

    SHA256

    3298b28ec11ee7ae64faf1461e0ffe58c40fc199137d20da4372cc0fb7e155be

    SHA512

    742d712a7988306bed196b4d5e2caf29bec557c9f2ae9c9a8278d150677919022ec6aaf4d30b44d36cdb64eafb84d26dd291f027d1a13573fe41565aed0bc84e

  • \??\c:\program files (x86)\uqrs\aqrstuvwx.bmp

    Filesize

    12.0MB

    MD5

    fcb99b70c7b158fcfe8a50af5301cfd7

    SHA1

    7f94c3b5a44521c8f17ba302de6c16167f857f5b

    SHA256

    5c13ccc72b5a1e880162bdbf95ca46f39156aa444f10420c71bf2cde2a930136

    SHA512

    6a2e1bcee671f3c0d2f4d5d74d9fee7d2fc64405ee67ae3509053d184b9bd51f12a9f551120c48ed312d481ca9b891f2cd05fc3ecdbb97646b5d48977034d10b

  • memory/1932-9-0x0000000010000000-0x0000000010028000-memory.dmp

    Filesize

    160KB