Analysis

  • max time kernel
    150s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/06/2024, 23:48

General

  • Target

    18007ebfa88f13515e9c0c6e342652d6_JaffaCakes118.exe

  • Size

    144KB

  • MD5

    18007ebfa88f13515e9c0c6e342652d6

  • SHA1

    3ebd007660b73f2385e587a64ea1ae55a3799206

  • SHA256

    289af2132a4e26d0178127ee799c3afdcc76f2c9aa61bd817dfb42c1728dee21

  • SHA512

    b04b3c7b525f2b397b634e969b56b213763b953e31563b0730bc163bccb59db7dba400f5f6c2ab99358dcb7e32c3b322dc5146ecfcfb1f16614ab316d041aa9c

  • SSDEEP

    3072:cmggJXDFNoz9lRZCJogwY1tnkv1Y67KrUVPJoZWWRZanAmst:cyuz9XgJpwY1Z8YcSUVyZWWXDD

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 4 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese threat groups.

  • Deletes itself 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\18007ebfa88f13515e9c0c6e342652d6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\18007ebfa88f13515e9c0c6e342652d6_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2344
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    1⤵
    • Deletes itself
    • Suspicious behavior: EnumeratesProcesses
    PID:2056

Network

        MITRE ATT&CK Matrix

        Downloads

        • C:\2597800.dll

          Filesize

          127KB

          MD5

          2ea11f18ede3b4970adb223dfc70a52e

          SHA1

          dda11f74c1ef67fa6e293c72e10370c8d78c98c4

          SHA256

          857fb383ece98712de558b8e3bb03aa96ef9ed846a8ec08ec4eea20237b98ce4

          SHA512

          b86b1a14c76fe9b2af33e0a44b4ab2eae10a13755228cb8d7856be8413149e55bf0c1a89e3066bb6381f13272ffad402b1587127eeeb6dff905bcee540a15724

        • C:\Windows\FileName.jpg

          Filesize

          14.1MB

          MD5

          e50bde91cbcb2e7e21d1ae77731031d9

          SHA1

          6e22f7805c3a93f63219fc2d131ac218b4dc009c

          SHA256

          56b34350311c5646f50e02ae15c91863f1a3453e3395899feb33adc28d59d4bf

          SHA512

          694499ff5d294cef35f5a176a56a155491ee38c58e90edfe2f5c0018347048a776337e4722ac9711215f2e0b2ba9d9491fdfbdd13b3f0def2a00641d2e6a0e1c

        • \??\c:\NT_Path.jpg

          Filesize

          99B

          MD5

          ba40ef4e4a58d7af0e59ef6bd7ec9a33

          SHA1

          c394916de16bcbf2540c2bba488ca9c08bb7bc69

          SHA256

          c0fad946c78ea1994d54628109fe63b043d6321d2a9922acf414ce4191bb7682

          SHA512

          b1f584f9d2ac496ec1f01c2a4b45948ccbc45c0c4c2e8e2d71b21b75e03395c0170f0e2ab4aad9df28c276e095e017672a475b4a46eb1963dcef7201b6e4da7c

        • memory/2056-12-0x0000000010000000-0x0000000010024000-memory.dmp

          Filesize

          144KB

        • memory/2344-9-0x0000000010000000-0x0000000010024000-memory.dmp

          Filesize

          144KB
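The hashes in the Downloads section and the process list above can be used directly as host-side indicators. The block below is an added example, not code from this report or from the sandbox that produced it: it carries the report's SHA256 values and drop paths as constants, hashes a directory tree against them, flags the path shapes the sample used (a DLL written to the drive root, the two .jpg-named drop files), and flags an svchost.exe that was not started by services.exe. That last rule rests on how Windows launches service hosts in general; the report lists `svchost.exe -k imgsvc` at PID 2056 but does not show its parent, so treat it as a generic check rather than a fact about this sample.

```python
# Added example (not part of the sandbox report): turn the report's file hashes,
# drop paths and process tree into checks that can be run on a host.
import hashlib
import ntpath  # Windows path handling, so this also runs on a Linux analysis box
import os
import re

# SHA256 values copied from the Downloads section, keyed to the file they identify.
FILE_IOCS = {
    "289af2132a4e26d0178127ee799c3afdcc76f2c9aa61bd817dfb42c1728dee21":
        "dropper (18007ebfa88f13515e9c0c6e342652d6_JaffaCakes118.exe)",
    "857fb383ece98712de558b8e3bb03aa96ef9ed846a8ec08ec4eea20237b98ce4": r"C:\2597800.dll",
    "56b34350311c5646f50e02ae15c91863f1a3453e3395899feb33adc28d59d4bf": r"C:\Windows\FileName.jpg",
    "c0fad946c78ea1994d54628109fe63b043d6321d2a9922acf414ce4191bb7682": r"c:\NT_Path.jpg",
}

# Path shapes seen in the report: a DLL dropped directly in a drive root and the
# two .jpg-named drop files. Case-insensitive because NTFS is.
PATH_RULES = (
    (re.compile(r"^[a-z]:\\[^\\]+\.dll$", re.I), "DLL written to drive root"),
    (re.compile(r"^[a-z]:\\NT_Path\.jpg$", re.I), "NT_Path.jpg drop file"),
    (re.compile(r"^[a-z]:\\Windows\\FileName\.jpg$", re.I), "FileName.jpg drop file"),
)


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large drop (the 14.1MB .jpg) need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, iocs=FILE_IOCS):
    """Walk root and return [(path, label)] for files whose SHA256 is in iocs."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # locked or unreadable files are skipped, not fatal
            if digest in iocs:
                hits.append((path, iocs[digest]))
    return hits


def suspicious_path(path):
    """Return the matching rule description for a Windows path, or None."""
    for pattern, why in PATH_RULES:
        if pattern.match(path):
            return why
    return None


def suspicious_process(image, cmdline, parent_image):
    """Flag an svchost.exe whose parent is not services.exe.

    Windows starts service-hosting svchost.exe instances from services.exe (the
    Service Control Manager), so any other parent is worth an alert. This is a
    general rule (assumption for this example); the report does not show the
    parent of its svchost.exe -k imgsvc process.
    """
    if ntpath.basename(image).lower() != "svchost.exe":
        return None
    if ntpath.basename(parent_image).lower() == "services.exe":
        return None
    return "svchost.exe launched by %s (cmdline: %s)" % (parent_image, cmdline)


if __name__ == "__main__":
    import sys
    for hit_path, label in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("IOC hit: %s -> %s" % (hit_path, label))
```

Run it with a directory to scan as the first argument. Hash matching only catches byte-identical drops; the path and parent-process rules are there for the case where the attacker rebuilds the DLL with a different hash, which is why they are kept separate from the hash set.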