Analysis

  • max time kernel
    151s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-06-2024 19:54

General

  • Target

    0039d222ef7f9efa1edd0fbb6f139776_JaffaCakes118.exe

  • Size

    163KB

  • MD5

    0039d222ef7f9efa1edd0fbb6f139776

  • SHA1

    f5f8cbec874f5e63915336d63f7ee330fc1d1a90

  • SHA256

    18c74194c77c1c5a201204d99a7bfde3a8d479f08963608639de96c19ce0b417

  • SHA512

    7e659c6c4c5263d8cea5d98fe4a811878775d4a413608793a7c67b1ebd2a84422098ee85f3de5ecd1457badbaa5dc636536cfc1f147a9c827cabaf71b492e930

  • SSDEEP

    3072:XbSMy0zCBVwYdOeKRMdh2nSGb+7j/a+7KbvaYbjY6VOp7yL3O/+6s56:Xbhy0zClOeYMdshb+7j/37KbvaYb06sB

Malware Config

Signatures

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0039d222ef7f9efa1edd0fbb6f139776_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0039d222ef7f9efa1edd0fbb6f139776_JaffaCakes118.exe"
    1⤵
    • Server Software Component: Terminal Services DLL
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4292
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c del "C:\Users\Admin\AppData\Local\Temp\0039d222ef7f9efa1edd0fbb6f139776_JaffaCakes118.exe"
      2⤵
        PID:1548
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
      1⤵
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3952
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe c:\windows\fastuserswitchingcompatibilitybeas.dat, abcd
        2⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        PID:4616
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4060 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:4752

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • \??\c:\windows\fastuserswitchingcompatibilitybeas.dat

        Filesize

        111KB

        MD5

        f935ac980f3d29f82e2be3e68593fdaf

        SHA1

        cc8c6d9f9bdf0eee1681e90fee54b907390883cb

        SHA256

        4bf21f324deb1549115c730ef290333ea0438f03a934fb119b862e961e765f53

        SHA512

        7c04aa685ad36efac2c9fd637fc403b8085961358991f88506e51969f1eff300fc1bb0fb0c4ef8716686b8f1f0bdcf2e578c95c4d4defb9507c6c7bdee1f4599