Overview

overview

10

Static

static

3

0ab238b37f...18.exe

windows7-x64

10

0ab238b37f...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    51s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/06/2024, 20:29

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    0ab238b37fbddd8e042ec6eeb68545ea_JaffaCakes118.exe

  • Size

    376KB

  • MD5

    0ab238b37fbddd8e042ec6eeb68545ea

  • SHA1

    bf4854c93145a9862080450191407094ef804436

  • SHA256

    47b7691a00014a8f36bd21b670d7d81b35f76a31453a4d64db4ec7161e312752

  • SHA512

    f2a91febd47c24b829a6073f03cbe2663397f6a4f139775e3f8719c4320332f90a4c0bd357902a7030f8475d4897e3b315ad87e1a7fe6d000743b06233178cbc

  • SSDEEP

    6144:zIHYsZbS31zXqSNQgeiOKnDYVH0pwpMWEmpRBJ1NuUBY+f7zAF11whggaoHofphy:zIVZel6SOgeiOKEVH0ppWfBJ7XBczmRb

Score
10/10
gh0stratpersistencerat

Malware Config

Signatures

  • Gh0st RAT payload 11 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Windows directory 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0ab238b37fbddd8e042ec6eeb68545ea_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0ab238b37fbddd8e042ec6eeb68545ea_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:432
    • \??\c:\Windows\svchest425075242507520.exe
      c:\Windows\svchest425075242507520.exe
      2⤵
      • Executes dropped EXE
      PID:4076

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\svchest425075242507520.exe
          Filesize

          376KB

          MD5

          0ab238b37fbddd8e042ec6eeb68545ea

          SHA1

          bf4854c93145a9862080450191407094ef804436

          SHA256

          47b7691a00014a8f36bd21b670d7d81b35f76a31453a4d64db4ec7161e312752

          SHA512

          f2a91febd47c24b829a6073f03cbe2663397f6a4f139775e3f8719c4320332f90a4c0bd357902a7030f8475d4897e3b315ad87e1a7fe6d000743b06233178cbc

          Download Submit

        • memory/432-0-0x0000000000400000-0x000000000054B000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/432-31-0x0000000000400000-0x000000000054B000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/432-4-0x0000000000400000-0x000000000054B000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/432-3-0x0000000000400000-0x000000000054B000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/432-5-0x0000000000400000-0x000000000054B000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/432-18-0x0000000000400000-0x000000000054B000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/432-32-0x0000000002160000-0x000000000219E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/432-6-0x0000000000400000-0x000000000054B000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/432-1-0x0000000002160000-0x000000000219E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/432-2-0x0000000002160000-0x000000000219E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/432-11-0x00000000021A0000-0x00000000021A1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/432-12-0x00000000021B0000-0x00000000021B2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/432-13-0x00000000021C0000-0x00000000021C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/432-14-0x0000000000401000-0x0000000000468000-memory.dmp

          Filesize

          412KB

          Download

        • memory/4076-20-0x0000000000400000-0x000000000054B000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/4076-19-0x0000000000400000-0x000000000054B000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/4076-21-0x0000000002050000-0x000000000208E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4076-22-0x0000000000400000-0x000000000054B000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/4076-23-0x0000000000400000-0x000000000054B000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/4076-24-0x0000000000400000-0x000000000054B000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/4076-29-0x0000000000401000-0x0000000000468000-memory.dmp

          Filesize

          412KB

          Download

        • memory/4076-30-0x0000000002130000-0x0000000002138000-memory.dmp

          Filesize

          32KB

          Download

        • memory/4076-27-0x0000000000400000-0x000000000054B000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/4076-25-0x0000000000400000-0x000000000054B000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/4076-26-0x0000000002050000-0x000000000208E000-memory.dmp

          Filesize

          248KB

          Download