General

  • Target

    05c977d259a8901ec1dbde6308f949b0_JaffaCakes118

  • Size

    96KB

  • Sample

    240623-kv5l2azgpp

  • MD5

    05c977d259a8901ec1dbde6308f949b0

  • SHA1

    d6a17dd673769454ba1c13e7b7208d2461468bc3

  • SHA256

    3f0de8e53c2e158e96f4debbc757ee0f97efa352917b0b6379656944d75475f3

  • SHA512

    8ffe471936cef05cfa593e01af123689467cb01273a3d4a668cd4feeacf1c1805a7e94665f626047a4ede17312f3d762b8338e24e5590e170b9abbbfacb844e5

  • SSDEEP

    3072:oKS4jHS8q/3nTzePCwNUh4E90XBO2coyc:ol428q/nTzePCwG7YBDf

Malware Config

Targets

    • Target

      05c977d259a8901ec1dbde6308f949b0_JaffaCakes118

    • Size

      96KB

    • MD5

      05c977d259a8901ec1dbde6308f949b0

    • SHA1

      d6a17dd673769454ba1c13e7b7208d2461468bc3

    • SHA256

      3f0de8e53c2e158e96f4debbc757ee0f97efa352917b0b6379656944d75475f3

    • SHA512

      8ffe471936cef05cfa593e01af123689467cb01273a3d4a668cd4feeacf1c1805a7e94665f626047a4ede17312f3d762b8338e24e5590e170b9abbbfacb844e5

    • SSDEEP

      3072:oKS4jHS8q/3nTzePCwNUh4E90XBO2coyc:ol428q/nTzePCwG7YBDf

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks