Overview

overview

10

Static

static

10

230876a57d...18.exe

windows7-x64

10

230876a57d...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    03/07/2024, 16:26

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    230876a57d507995553887fa1c603e14_JaffaCakes118.exe

  • Size

    127KB

  • MD5

    230876a57d507995553887fa1c603e14

  • SHA1

    3a2ae4d54f6ff85dad52267005c4dc09b4fc3c6e

  • SHA256

    cc0f7546d28bb46aa072e1a94e75221a8d00244cfa53b4afc9a0217d9da3395b

  • SHA512

    c2eddefd1f3d98d339c6141cea4564d8841cc99fa9166d39c38ec35f10316f6e3c54bbe1102ed9196dc5dadbe980976edcde98d0239afae2e41d9b6301d0aea8

  • SSDEEP

    3072:V7CaO7x8fC8t52oja+rKttHkoIIu6kfif20wNA:V7pON8ao++wKodjkqfXC

Score
10/10
gh0stratrat

Malware Config

Signatures

  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\230876a57d507995553887fa1c603e14_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\230876a57d507995553887fa1c603e14_JaffaCakes118.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2564
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    1⤵
    • Deletes itself
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    PID:1740

Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\3209100.dll
          Filesize

          113KB

          MD5

          ebb95c2321e080ee885ef60136aa8fa7

          SHA1

          9c89d4b106bb1d7979cc7731efbbee8f3d1ecdc6

          SHA256

          bd6d2d2eb70370b70e94fc49278dee3815bf1589ee2c1bdc7fc0d34bd9b7600c

          SHA512

          e331597f895506b72fc9ef3f694391d084e1daf97bc7b0d9c8e61618fe6694c599ca910156d3965956e00e2fd670752ab9ecc2054f0fc0626a3914594f35d5b8

          Download Submit

        • C:\Program Files (x86)\Fbcd\Kbcdefghi.gif
          Filesize

          8.9MB

          MD5

          161336cd8c2a429a1791ea2098e5f5f6

          SHA1

          5940ff46a508e902fc5d3a52ee7ddf30b2739c65

          SHA256

          5d60094d898440edb0f43c7a1a5fd6e90fd8ec284ef6a7ddc65d0c641cbd1ff4

          SHA512

          2085caa64c2737423874c798e90a545be846299087b4bcaa813b04e49677fa46ae7a61998d625b945f615fb3aa336f079cd8da123046e62e42864f7ac30adac7

          Download Submit

        • C:\WinWall32.gif
          Filesize

          99B

          MD5

          735fdf5598e8303d4b6f2ea69c52f3d8

          SHA1

          2cc85bd29d63b389bc380bd24e471ff7e26b08d8

          SHA256

          e35aa77edbd20cc57f9b40fadce9be9af6a1b680c8ae7f67e1cc983e6f656e9e

          SHA512

          8da0fea65b2ad9fc414329e0ee2b6d3adacee21e5f357c8330c083b74f1e2cd58fd39b34feda1b916ec7331747a9ebafdbbd5d87a518c6679c518563410fb5ce

          Download Submit

        • memory/2564-9-0x0000000010000000-0x0000000010028000-memory.dmp

          Filesize

          160KB

          Download