Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-06-2024 20:03

General

  • Target

    0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe

  • Size

    127KB

  • MD5

    0041e68c1e6e5894f3257688e898e8e8

  • SHA1

    4e8a8bbd7d3a1f45e02505780da9079af5fdb89d

  • SHA256

    6a552dc09ebd93d33e54831a3d0d1951b838a79df1e2d7c6fc73a1bbcb515ce4

  • SHA512

    649852a2555d52cc37a7ba822cef75932fa2b03591e8a6696f6135f9b38ab187f8c975467006cd6dfa25e2cabe840ae64e2894ece0dcfaa5e94b30b9b75d0a29

  • SSDEEP

    3072:17CaO7x8fC8t52oj2+rKttHkoIIu6kfif20wNA:17pON8aoi+wKodjkqfXC

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 2 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe"
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2944
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    • Deletes itself
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    PID:4872

Network

MITRE ATT&CK Matrix

Downloads

  • C:\2950100.dll

    Filesize

    113KB

    MD5

    756629819676fecd59d410cbd7e63ed2

    SHA1

    a774b4a83ecea402c90665c8de0875f2b6eebb1e

    SHA256

    598f949ae3d4007255c55c737eb61523007c49186da603104c4d824c8f6ad226

    SHA512

    8022f0b383278fd744de569a149e9eef3395232a2f5762b2b66c5a8a788d1afb2147d2de58a11d58b35424e9469a1b238884b716efe53f1a05d11df1acaa2989

  • C:\WinWall32.gif

    Filesize

    99B

    MD5

    2c5cc22f8309bf5748f3ecaa4d9c2f44

    SHA1

    3d0f86e7818e0f7ecc44ec71e915b6764d005812

    SHA256

    3da8012a44195f6dc84cd220f229b09332836c40a7ab6e3ec062431fb2a421f3

    SHA512

    2f7630eb2e2ff714efeab1fd4f017738bb732560e118ad8f78592dc2563c478ecbc2048bced898a8e0f89fa7d5bd7b5138ed2b9cb573778fb13d3d6a36752dc5

  • \??\c:\program files (x86)\bwxy\gwxyabcde.gif

    Filesize

    5.2MB

    MD5

    cb764cb38be5290fac82d044633034e4

    SHA1

    5ff539693ba7664bb7551d2560187807de94401c

    SHA256

    793ff674e5dc233df1955043e82f44692dbcaf6939c24d326810340e215ecc6e

    SHA512

    2c9e2bb952ddc843c3cabdaf8652ceec2593f1e0bac7f480b8fb94e28fe7e641b587ac3cd9e6cd523935a16cc67039ef255bce916e294e5396c0863aed2b7d67