Overview

overview

10

Static

static

10

187b0581de...18.exe

windows7-x64

10

187b0581de...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    28-06-2024 02:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    187b0581de8b305db43aae78ddbb30b3_JaffaCakes118.exe

  • Size

    152KB

  • MD5

    187b0581de8b305db43aae78ddbb30b3

  • SHA1

    615fc51430603ccb2930028844e5791462528d7e

  • SHA256

    32c742fe8ec80b74c64dc0266a5509724aab86cd85b4aa4bc82273190a2a5a8e

  • SHA512

    667ace81371177a6a0f3b5d8aaac3fd89b49f40c2ab5e13011b05f70d7fd84f1dc2ed86b50c242808c6bb47e179f0f743c03aa3446506f1c832d5027a604db3c

  • SSDEEP

    3072:48+UBS4apbbApqx100ljo6bgBvoyFH6uZZuSMgzdG8bf1If0TtkfAi4xO:48+U84apGr0VQzcKzEYf1S0T0Ay

Score
10/10
gh0stratpersistencerat

Malware Config

Signatures

  • Gh0st RAT payload 4 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\187b0581de8b305db43aae78ddbb30b3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\187b0581de8b305db43aae78ddbb30b3_JaffaCakes118.exe"
    1⤵
    • Server Software Component: Terminal Services DLL
    • Suspicious use of AdjustPrivilegeToken
    PID:1576
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Deletes itself
    • Loads dropped DLL
    PID:2988

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \??\c:\windows\SysWOW64\update.dll
    Filesize

    140KB

    MD5

    256343dede279e702e0044a47a74eadb

    SHA1

    60e9edea701a246a8c6588c78b24cd809e2bbd64

    SHA256

    9ef683dae6c4f3b820963ba2ac2c42d9a5dfb933d9aceb48d5216327fe990a2c

    SHA512

    5a5570dd7c0ba6a27ee8b69792f9bbca713cf9be816d57409c31f00180c9a59c7c2914ed2e0974eb1fdb0936db31d71f9ba33d45e488e791068118cd49d74cb7

    Download Submit

  • memory/1576-0-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/1576-6-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2988-5-0x0000000010000000-0x0000000010027000-memory.dmp

    Filesize

    156KB

    Download