General

  • Target

    00d45af0b2f1fb5dffed543cd2b328cb_JaffaCakes118

  • Size

    2.5MB

  • Sample

    240623-z35pbswbjr

  • MD5

    00d45af0b2f1fb5dffed543cd2b328cb

  • SHA1

    fdd892754baeac73525a9adba67cb8395d8cb387

  • SHA256

    c0c717a0f91316ca0671b60ab71e3a6c6b8793bac7992a0358e184667e762375

  • SHA512

    7ae6dca00a9b0102445e1f3e1eb3879e2791b76644d0ce80f5f52cd0ef295ebdcf9bd8047d5e0ef729a372a029309ccb73c26d8c829104d9d521205d2e33d5eb

  • SSDEEP

    49152:mUwCYiuHTF5Avd7Z3xBsbzSLQtF7hO3NpYkAm3ImN4glULMVzH39eHf4:mEYiuHYFV3bsqLQtF7M3pvh6sHt0g

Malware Config

Targets

    • Target

      00d45af0b2f1fb5dffed543cd2b328cb_JaffaCakes118

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese threat groups.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer that runs Windows applications on non-Windows systems and is sometimes used as a sandboxing environment, so malware checks for its registry keys to detect analysis.

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger
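The bullets above are the sandbox's behaviour verdicts. As an added example (not code from the sandbox or from this page), the script below shows how the same verdicts can be derived from a stream of constructed, simplified host events: registry reads of the VirtualBox ACPI and Wine keys, a read of EnableLUA, a Run-key write, a raw write at offset 0 of \\.\PhysicalDrive0, the ThreadHideFromDebugger thread-information call, and a stateful pass that flags execution or loading of files the sample itself wrote. The event shape, the process name `sample.exe` and the registry paths are assumptions; the paths are the well-known locations these checks commonly touch, not values extracted from this sample.

```python
"""Derive the report's behaviour signatures from constructed host events.

Added example, not part of the original sandbox report. The event tuple shape
(event type, process, target, detail) and the registry paths below are
assumptions chosen for illustration.
"""
import re
from collections import defaultdict

# Constructed sample events (assumption: a simplified sandbox/Sysmon-like trace).
SAMPLE_EVENTS = [
    ("RegQueryValue", "sample.exe", r"HKLM\HARDWARE\ACPI\DSDT\VBOX__", ""),
    ("RegOpenKey", "sample.exe", r"HKCU\Software\Wine", ""),
    ("RegQueryValue", "sample.exe",
     r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", ""),
    ("FileWrite", "sample.exe", r"C:\Users\Public\svchost.exe", "offset=0 size=204800"),
    ("FileWrite", "sample.exe", r"C:\Users\Public\helper.dll", "offset=0 size=40960"),
    ("RegSetValue", "sample.exe",
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost", r"C:\Users\Public\svchost.exe"),
    ("ProcessCreate", "sample.exe", r"C:\Users\Public\svchost.exe", ""),
    ("ImageLoad", "svchost.exe", r"C:\Users\Public\helper.dll", ""),
    ("FileWrite", "sample.exe", r"\\.\PhysicalDrive0", "offset=0 size=512"),
    ("NtSetInformationThread", "sample.exe", "ThreadHideFromDebugger", ""),
    # Benign noise that must not trigger anything.
    ("FileWrite", "notepad.exe", r"C:\Users\Public\notes.txt", "offset=0 size=10"),
]

# Stateless rules: (behaviour name as worded in the report, event-type regex,
# target regex, detail regex). Target matching is case-insensitive.
RULES = [
    ("Identifies VirtualBox via ACPI registry values (likely anti-VM)",
     r"^Reg(Query|Open)", r"\\ACPI\\.*\\VBOX__", r""),
    ("Identifies Wine through registry keys",
     r"^Reg(Query|Open)", r"^HK(CU|LM)\\Software\\Wine(\\|$)", r""),
    ("Checks whether UAC is enabled",
     r"^RegQuery", r"\\Policies\\System\\EnableLUA$", r""),
    ("Adds Run key to start application",
     r"^RegSetValue", r"\\CurrentVersion\\Run\\", r""),
    # Sector 0 of a physical drive is the MBR; a write there is the bootkit signal.
    ("Writes to the Master Boot Record (MBR)",
     r"^FileWrite$", r"^\\\\\.\\PhysicalDrive\d+$", r"offset=0\b"),
    ("Suspicious use of NtSetInformationThreadHideFromDebugger",
     r"^NtSetInformationThread$", r"^ThreadHideFromDebugger$", r""),
]


def match_stateless(events, rules=RULES):
    """Return {behaviour: [matching events]} for rules that need no history."""
    hits = defaultdict(list)
    for name, etype_re, target_re, detail_re in rules:
        for ev in events:
            etype, _proc, target, detail = ev
            if (re.search(etype_re, etype)
                    and re.search(target_re, target, re.IGNORECASE)
                    and re.search(detail_re, detail)):
                hits[name].append(ev)
    return dict(hits)


def match_dropped(events):
    """Stateful pass: a file written during the run is 'dropped'; executing or
    loading it later yields the 'Executes dropped EXE' / 'Loads dropped DLL'
    verdicts. Device paths (\\\\.\\...) are not files and are excluded."""
    dropped = set()
    hits = defaultdict(list)
    for ev in events:
        etype, _proc, target, _detail = ev
        t = target.lower()
        if etype == "FileWrite" and not t.startswith("\\\\.\\"):
            dropped.add(t)
        elif etype == "ProcessCreate" and t in dropped:
            hits["Executes dropped EXE"].append(ev)
        elif etype == "ImageLoad" and t in dropped and t.endswith(".dll"):
            hits["Loads dropped DLL"].append(ev)
    return dict(hits)


def analyse(events):
    """Combine both passes into one {behaviour: [events]} verdict map."""
    result = match_stateless(events)
    result.update(match_dropped(events))
    return result


if __name__ == "__main__":
    for name, evs in analyse(SAMPLE_EVENTS).items():
        print(f"[+] {name}")
        for etype, proc, target, detail in evs:
            print(f"      {proc}: {etype} {target} {detail}".rstrip())
```

Run against the constructed trace, `analyse` reports exactly the eight behaviour bullets listed above that describe runtime actions; the "Gh0st RAT payload" bullet is a static/YARA-style identification and has no event counterpart here. Ordering matters for the stateful pass: a ProcessCreate or ImageLoad only counts as "dropped" execution if the corresponding FileWrite was seen earlier in the stream.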

MITRE ATT&CK Enterprise v15

Tasks