General

  • Target

    0196fb10ff039b47e7062dddbc35ad60_JaffaCakes118

  • Size

    204KB

  • Sample

    240620-bedzpsvbkn

  • MD5

    0196fb10ff039b47e7062dddbc35ad60

  • SHA1

    dec262381e0af93da3be63614cb12941dc444e23

  • SHA256

    0e3b7dd29df75dfa511944cc5ff44ed5d070e53657dd0e8c7d0a089e080f5821

  • SHA512

    e46e666dbc0fe95f55e09fc3a804df6078fbd11c9ed17007e45963639926fc387b1638207ae57ed5ae4818b559d3946130384ce0da44ef9db3f9f0241500d601

  • SSDEEP

    6144:KsIZ6nW8QZBTyPRqyhYPbncTBlhHrPndnkv0oX:nRW87Jq8YPbncT3m

Malware Config

Targets

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese groups.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks