Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-06-2024 21:34

General

  • Target

    009dfa5f6f8d806249c03e9d031866cb_JaffaCakes118.exe

  • Size

    126KB

  • MD5

    009dfa5f6f8d806249c03e9d031866cb

  • SHA1

    a4473c9d5590d1dd002710dc5b5864b42c97866a

  • SHA256

    795dce5814389f1f04403f58aff53e9d65eb54088d61690dd5d0365c37bee5e6

  • SHA512

    a11f7dde157add77b3b3ef1594dd16cb954495d8a6b5705467e0770799e573219c4951905f86eaac124c75815ac8b2e9d50c49491c0879567ad649aa526cdc4d

  • SSDEEP

    3072:61UNGB+I0Oy8uIqn9X4rKttHkoIIuZkfiXqCYNg:61UQpu8Hqx4wKodkkqXBm

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 2 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\009dfa5f6f8d806249c03e9d031866cb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\009dfa5f6f8d806249c03e9d031866cb_JaffaCakes118.exe"
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    PID:4516
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    • Deletes itself
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    PID:2740

Network

MITRE ATT&CK Matrix

Downloads

  • C:\1193700.dll

    Filesize

    112KB

    MD5

    3ba19d0b67c153989655eaf69aa56c16

    SHA1

    b92bf687122ecef4205b6a38cdd41670886d349c

    SHA256

    e6d8d16db4df48a6979770a37df36fe16fccce85fb5f222da6a76edaa4d94455

    SHA512

    f590fdc94392a32f9c83738141527710fe10482cc088595d647dc67b4169406fb0d0de86779064dca9f01d8ac09e85f54b972afd7f2f744bf043706d61f7652e

  • C:\WinWall32.gif

    Filesize

    99B

    MD5

    b969039ae2d1718494adfd03aaf66c0f

    SHA1

    02fdec5293fbffeb669fa8e3d47018f24b35dc62

    SHA256

    5a7589ee54fc142fa8506799b2be556ea492bfb41470972926a3a76cef945d9f

    SHA512

    1aa20672525c7b45d742de8bd06e46417c0fda7fc25ec2f5a7200987325c63b3a77211e0d3354ee38df8c50c9276444f7646ba2149fd227af0af743b871f28e7

  • \??\c:\program files (x86)\uqrs\aqrstuvwx.bmp

    Filesize

    767KB

    MD5

    00404d34965d36b8bf7a710212dab364

    SHA1

    12df3da635e2addbc2a27148b8ba32a24f407004

    SHA256

    833272aa01945ea5e277b96b2d0c5504854e4d796b40297935842a00ebd19908

    SHA512

    c2cb6ccf8fed1b94e28e0551dd45c25bb09bcb91a5c4e9c32bfccad6663db11bf2cd818bdb84e19b8abcba8373b321e0d74349405b34168d4263dca7bd570e00