Overview

overview

10

Static

static

3

1c454fe32d...18.exe

windows7-x64

10

1c454fe32d...18.exe

windows10-2004-x64

8

instbeta.exe

windows7-x64

10

instbeta.exe

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1c454fe32d298824d9523e8ae3001a82_JaffaCakes118

  • Size

    87KB

  • Sample

    240701-yfbx3awbqg

  • MD5

    1c454fe32d298824d9523e8ae3001a82

  • SHA1

    4b905442f67a85c9e12a115e139e944a013da84e

  • SHA256

    08f95ba459816140fed829d11b8972e28f6259ec0c1f65acf767f9e15a529996

  • SHA512

    2f8c56a56f35e2213d0caa172602ff19365cc31d367c2854af7e5deae43d80c3a5b22e343228230fbb096df1c07b2e993f403b61b293ff76525d2d6de2132f37

  • SSDEEP

    1536:OLXB65939tY6HBg4sXJPty0WmtlABS+jOlWHQy76HQfFTaMk96IuWtcth4EvyeHD:OLk395hYXJPt7WOIS+jjXu9JspvD

Score
10/10
gh0stratevasionexecutionpersistencerat

Malware Config

Targets

    • Target

      1c454fe32d298824d9523e8ae3001a82_JaffaCakes118

    • Size

      87KB

    • MD5

      1c454fe32d298824d9523e8ae3001a82

    • SHA1

      4b905442f67a85c9e12a115e139e944a013da84e

    • SHA256

      08f95ba459816140fed829d11b8972e28f6259ec0c1f65acf767f9e15a529996

    • SHA512

      2f8c56a56f35e2213d0caa172602ff19365cc31d367c2854af7e5deae43d80c3a5b22e343228230fbb096df1c07b2e993f403b61b293ff76525d2d6de2132f37

    • SSDEEP

      1536:OLXB65939tY6HBg4sXJPty0WmtlABS+jOlWHQy76HQfFTaMk96IuWtcth4EvyeHD:OLk395hYXJPt7WOIS+jjXu9JspvD

    Score
    10/10
    gh0stratevasionexecutionpersistencerat

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

      ratgh0strat

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Server Software Component: Terminal Services DLL

      persistence

    • Stops running service(s)

      evasionexecution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral1behavioral2

    • Target

      instbeta.exe

    • Size

      132KB

    • MD5

      99a7036ae193f891600f49f09555a4b8

    • SHA1

      3cc6274a8bc2c833bf79e11f8e784368dc336118

    • SHA256

      ff49355fb1e2010cd5bf952e4c995665ad03fb137fce9b292e6609e632c784f9

    • SHA512

      6416517c0714e565a430528a35aec427e7bd83bb6a501df1d1abc1a6419cc51cbc29c6ade36b3ef39df5fcb48697e9665506e70442a193e4e6174252d527d1d3

    • SSDEEP

      3072:Y/GiFg7PoO3djYKzhGizuGL0MKBl/uCTnZe:Y/GiFg7rtjYKtbLfKPdZe

    Score
    10/10
    gh0stratevasionexecutionpersistencerat

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

      ratgh0strat

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Server Software Component: Terminal Services DLL

      persistence

    • Stops running service(s)

      evasionexecution

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks