Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-06-2024 06:22

General

  • Target

    0398d731604fedfb679868be7526407c_JaffaCakes118.exe

  • Size

    127KB

  • MD5

    0398d731604fedfb679868be7526407c

  • SHA1

    5b74ddbdfffcff3c7b436d07ea6212c9a6a52b33

  • SHA256

    78d7793edd5db4eb68a80473e4c49ac29e600ba9ef0a0452940cf003270c6902

  • SHA512

    3346a716cc320803c78c0ebae651f9b72077bf18165f7e2640ae6e1bc3b3d3d4c866a786d3658560e2a19f7fe8efcac881e056d6287eab4959583cdd53f5eb3c

  • SSDEEP

    3072:O7CaO7x8fC8t52ojF+rKttHkoIIu6kfif20wNA:O7pON8ao5+wKodjkqfXC

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese groups.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0398d731604fedfb679868be7526407c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0398d731604fedfb679868be7526407c_JaffaCakes118.exe"
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2684
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    • Deletes itself
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    PID:2976

Network

MITRE ATT&CK Matrix

Downloads

  • C:\1858100.dll

    Filesize

    113KB

    MD5

    c8bc6dabe1c652c3c7d5b1c4c908c284

    SHA1

    595aba99850dad8299854fc4d65f21129cfd28b4

    SHA256

    baf83946f64bf70ddad6d6eb459ce13f67678a33dd58f4318e9c9972453d45c0

    SHA512

    6a3a0bd44a36c23f09623cd0c04da5b8032e67c1413acd88176b80a892419c4495548eb38cd791b08d451fab001ac72cdc40ada93431e497f6acedd828ebc64f

  • C:\Program Files (x86)\Uqrs\Aqrstuvwx.bmp

    Filesize

    4.9MB

    MD5

    f9a03ecd3e9fda4ee098a1189b2dae39

    SHA1

    e5f859a7b5bd71ebc0863a32f802a9275c6c6db1

    SHA256

    14f48377a822403c6da9deff53cc1d7b1d2ce81da7d0ba640360f37318b974cc

    SHA512

    38997f12e4a4842a2ce9a1df89745f4b03bb4fab8e12c61cb4ea2f4863ca6ba21f25ecd498f1531875b2cfe8262b9fb5d4da8284f858d5cae0432393d72b2512

  • C:\WinWall32.gif

    Filesize

    99B

    MD5

    4aece8f5905cb1ea4d31a7b5ea7d482b

    SHA1

    4e4116117f430f2c523040f15fa389ea7e66305e

    SHA256

    54c0d754ce1f1eb9922827c4245d9c91d090d6943b12d059f8307d7c2fd4d525

    SHA512

    aff04473291908943f493d348eb6a760f12ac2f9c18bec77cea2b8462d624d87bbca8e18f8f6a1d92a4d5a32772ec25b39e7eecf35b77f1bb964598e9f924c1e

  • memory/2684-12-0x0000000010000000-0x0000000010028000-memory.dmp

    Filesize

    160KB