Overview

overview

10

Static

static

3

0d67551acc...18.exe

windows7-x64

10

0d67551acc...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    25/06/2024, 08:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0d67551acc283c7a1985fd021c0dce3f_JaffaCakes118.exe

  • Size

    196KB

  • MD5

    0d67551acc283c7a1985fd021c0dce3f

  • SHA1

    747d6d2825a842699b2c33d9d7fdb9ec0e472733

  • SHA256

    130300709631d7a5b337e4d88d8a994a9a6dfc220dfba8683b4fd7ff0159938a

  • SHA512

    5561650c3950d5970ac36dc992a9c4ca92d0ca49c1b4bfb0372e30fc522765fd4ae61b138b0c27527e675cc709e3b45a6e8e06ed2393a84cb5403dfb136714ce

  • SSDEEP

    3072:eHun0evOvtYzonqSioDXxbuE9w2qbXUeZPtrQ/a/4qxyMlZV:KI0evOvtoSiodbuYzqDvZC/a4qxfV

Score
10/10
gh0stratrat

Malware Config

Signatures

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0d67551acc283c7a1985fd021c0dce3f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0d67551acc283c7a1985fd021c0dce3f_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1740
    • \??\c:\users\admin\appdata\local\gpvwitbbue
      "C:\Users\Admin\AppData\Local\Temp\0d67551acc283c7a1985fd021c0dce3f_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\0d67551acc283c7a1985fd021c0dce3f_jaffacakes118.exe
      2⤵
      • Executes dropped EXE
      PID:1784

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\gpvwitbbue
    Filesize

    23.0MB

    MD5

    d172ed066ddd499aca393e975097b6bd

    SHA1

    d38c96220666a902bdb24959ea580f1bca82a1e0

    SHA256

    a2b740dbc211c834590d26be3a75f2a252d43b5d732ec40cf9c9f2f18c742711

    SHA512

    2224d81c32e83a48dd1dac621c4125173fdb4a0bc65f10412544ac300f6824f396cce58cbbd79693c5d0091cee36bcc7a5c2d61f92ab5c014c95bfbb9d4eab62

    Download Submit

  • memory/1740-0-0x0000000000400000-0x0000000000432800-memory.dmp

    Filesize

    202KB

    Download

  • memory/1740-4-0x0000000000220000-0x0000000000253000-memory.dmp

    Filesize

    204KB

    Download

  • memory/1740-11-0x0000000000400000-0x0000000000432800-memory.dmp

    Filesize

    202KB

    Download

  • memory/1784-8-0x0000000000400000-0x0000000000432800-memory.dmp

    Filesize

    202KB

    Download