gh0strat | 2f560daa6a310c4db21068693a05039771b208d16f82af5f1f4a37578f823660

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2024 09:42

Target

07c4ca80d58e8cce92088bfebf1b9aa8_JaffaCakes118.dll
Size

66KB
MD5

07c4ca80d58e8cce92088bfebf1b9aa8
SHA1

279562a978bfca0d1364189492bd52f8367c469a
SHA256

2f560daa6a310c4db21068693a05039771b208d16f82af5f1f4a37578f823660
SHA512

c5863268c078d0c946604d9cf292b1c8fa7721d8c3145b6a50f05a0d4030174115901aac977db82d9e895ef464659b880f0e71bcfd6f5e3efee4c20f515f1221
SSDEEP

1536:Cyw/5Ot17NTXLPtY+EGkym0CcWA6fcW8pqIu/:vw/5OLNtYZG9m0CdA8cW8AIu/

Score

10^/10

gh0strat rat

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/4108-0-0x0000000010000000-0x0000000010013000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 4108	2448	rundll32.exe	83
PID 2448 wrote to memory of 4108	2448	rundll32.exe	83
PID 2448 wrote to memory of 4108	2448	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\07c4ca80d58e8cce92088bfebf1b9aa8_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\07c4ca80d58e8cce92088bfebf1b9aa8_JaffaCakes118.dll,#1
  2⤵
  PID:4108

memory/4108-0-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download