Analysis

  • max time kernel
    150s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-06-2024 20:03

General

  • Target

    0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe

  • Size

    127KB

  • MD5

    0041e68c1e6e5894f3257688e898e8e8

  • SHA1

    4e8a8bbd7d3a1f45e02505780da9079af5fdb89d

  • SHA256

    6a552dc09ebd93d33e54831a3d0d1951b838a79df1e2d7c6fc73a1bbcb515ce4

  • SHA512

    649852a2555d52cc37a7ba822cef75932fa2b03591e8a6696f6135f9b38ab187f8c975467006cd6dfa25e2cabe840ae64e2894ece0dcfaa5e94b30b9b75d0a29

  • SSDEEP

    3072:17CaO7x8fC8t52oj2+rKttHkoIIu6kfif20wNA:17pON8aoi+wKodjkqfXC

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 4 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2052
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    1⤵
    • Deletes itself
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    PID:1700

Network

MITRE ATT&CK Matrix


Downloads

  • C:\2898300.dll

    Filesize

    113KB

    MD5

    756629819676fecd59d410cbd7e63ed2

    SHA1

    a774b4a83ecea402c90665c8de0875f2b6eebb1e

    SHA256

    598f949ae3d4007255c55c737eb61523007c49186da603104c4d824c8f6ad226

    SHA512

    8022f0b383278fd744de569a149e9eef3395232a2f5762b2b66c5a8a788d1afb2147d2de58a11d58b35424e9469a1b238884b716efe53f1a05d11df1acaa2989

  • C:\Program Files (x86)\Bwxy\Gwxyabcde.gif

    Filesize

    115KB

    MD5

    f065dfec0f0f7433f7db441053cfedd0

    SHA1

    1de022600cef1d2c0f1de30ed712176302953fcb

    SHA256

    69dccb4b21ff42c305f02dfa1b4031df51caf1fbcbfd5740e2401e3d759b4ddb

    SHA512

    0bd0062aea8887de7446dce1a8227e7abbdf30744c811cef3e12878512a8e1ca837a6bafe34dcd44a061d588460818315345a0b47a1ccdf760630f4fce00a9fe

  • C:\WinWall32.gif

    Filesize

    99B

    MD5

    e5ebe7ae0c59b2bbb1afa726567db18b

    SHA1

    3be1443373a20a1ecee46d1c133222c28b492e86

    SHA256

    62abdd99f21f2a944dca412a0b691d6f652d0c50df28dc29c0fb96bb536e8a89

    SHA512

    725504210eabf5d60a3825a5dc6b5feba4718f3ef0384fec3e67f98b2faef2832f7c7ee5b40a6027ffb1599a93048424b67c6b1c4f1ebe55853a489bf45ddb75

  • \??\c:\program files (x86)\bwxy\gwxyabcde.gif

    Filesize

    12.0MB

    MD5

    2433c2f3efd9c757dc48bc8ae4bb9672

    SHA1

    dae03ca287ebf8f8ff81b65ff2f7f357e4008d4f

    SHA256

    e34e859b38d8fc50ddfee9081e20634c7ba9718c3cbe8c4cfaf52c5bc47dfe57

    SHA512

    99b25d3377e0b7f2b051b4cff06e765f4b6aae19896782ff2621076792dd4a53a61158052a389dfc0f40d5f9d066db1e553aad9a8e769de3625f3a7dca07b41f

  • memory/2052-9-0x0000000010000000-0x0000000010028000-memory.dmp

    Filesize

    160KB
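The Downloads list gives file hashes for each dropped artifact, which is what a responder sweeps a host for. The script below is an added example, not part of the report; it carries the SHA256 values from this page's Downloads section, hashes every file under a root directory and reports matches. The function names, the chunked reader and the demo() helper (which builds a constructed temporary file so the code runs offline) are this example's own. Note that the report lists the same path, C:\Program Files (x86)\Bwxy\Gwxyabcde.gif, twice with different sizes (115KB and 12.0MB) and different hashes, so both digests are included and a path-only check would be ambiguous.

```python
"""Sweep a directory tree for files matching the SHA256 IOCs in this report.

Added example. The digests in REPORT_SHA256 are copied from the report's
Downloads section; the rest is illustrative code, not sandbox tooling.
"""
import hashlib
import os
import tempfile

# SHA256 -> label, taken from the report's Downloads section.
REPORT_SHA256 = {
    "598f949ae3d4007255c55c737eb61523007c49186da603104c4d824c8f6ad226":
        r"C:\2898300.dll (113KB)",
    "69dccb4b21ff42c305f02dfa1b4031df51caf1fbcbfd5740e2401e3d759b4ddb":
        r"C:\Program Files (x86)\Bwxy\Gwxyabcde.gif (115KB)",
    "62abdd99f21f2a944dca412a0b691d6f652d0c50df28dc29c0fb96bb536e8a89":
        r"C:\WinWall32.gif (99B)",
    "e34e859b38d8fc50ddfee9081e20634c7ba9718c3cbe8c4cfaf52c5bc47dfe57":
        r"C:\Program Files (x86)\Bwxy\Gwxyabcde.gif (12.0MB)",
}


def sha256_of(path, chunk=1 << 20):
    """Hash a file in 1 MiB chunks so the 12 MB artifact does not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, iocs=REPORT_SHA256):
    """Return [(path, sha256, label)] for every file under root whose digest is an IOC."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            p = os.path.join(dirpath, name)
            try:
                digest = sha256_of(p)
            except OSError:
                continue  # locked or unreadable file: skip it rather than abort the sweep
            if digest in iocs:
                hits.append((p, digest, iocs[digest]))
    return hits


def demo():
    """Run the sweep against a constructed file in a temp directory.

    Returns (hits against a constructed IOC, hits against the report's IOCs).
    The constructed IOC must match; the report's digests must not, since the
    temp file is not one of the dropped artifacts.
    """
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "Gwxyabcde.gif")
        with open(sample, "wb") as f:
            f.write(b"constructed sample content, not the real artifact\n")
        constructed_iocs = {sha256_of(sample): "constructed sample"}
        return sweep(tmp, constructed_iocs), sweep(tmp, REPORT_SHA256)


if __name__ == "__main__":
    for path, digest, label in sweep(os.environ.get("SWEEP_ROOT", ".")):
        print(f"MATCH {digest}  {path}  ({label})")
```

Exact-hash matching is the least noisy check a responder has, but it is also the most brittle: a rebuilt or repacked sample yields a new digest, so pair this with the path patterns from the report (the Bwxy directory under Program Files, a DLL at the drive root) and the svchost behaviour in the Processes section rather than relying on hashes alone.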