Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-07-2024 16:58

General

  • Target

    231f50b83923b7c69c64b8f7956b2366_JaffaCakes118.exe

  • Size

    127KB

  • MD5

    231f50b83923b7c69c64b8f7956b2366

  • SHA1

    1955c88ddbabe52f2944c731cbe0cbb5936d16ce

  • SHA256

    d243a211ebe831e10ca35baaa2d24b49d119837c6b496e17681817087ecf89e3

  • SHA512

    5eaf7f772087889effed7fd03aad9f5050aa5b1017a0a85bf25272b12943d6c0825c8138f3534b87baa707abf9aa9041a7adca62c2826b276949e32ed4732876

  • SSDEEP

    3072:c7CaO7x8fC8t52ojM+rKttHkoIIu6kfif20wNA:c7pON8aoQ+wKodjkqfXC

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese threat groups.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\231f50b83923b7c69c64b8f7956b2366_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\231f50b83923b7c69c64b8f7956b2366_JaffaCakes118.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2160
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    1⤵
    • Deletes itself
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    PID:2892

Network

MITRE ATT&CK Matrix

Downloads

  • C:\2317600.dll

    Filesize

    113KB

    MD5

    7fbf87f4662b6841630613923920cb58

    SHA1

    63398a99546b56d53c4db059e0141b71377d998a

    SHA256

    37086ee6b810b23b6e7786ea804acbd36604dfde5eaae406c219bffffd1f06d9

    SHA512

    aab6055dc1c9380ce63e601dc49f80c0e63179d78a258d6b8e73940459556060755fbfa42f0e11cd498e60fa1bc3d0e44953875ac1f2455fb1339e9fb193fb5f

  • C:\Program Files (x86)\Rnop\Wnopqrstu.gif

    Filesize

    2.0MB

    MD5

    1cbb56069cc8be316373ee204988e762

    SHA1

    3761d8e5a611300adf4950cbcf59f462811b070a

    SHA256

    2a1abafc0f84aceb948b8d7226f9cb3ba6e7bcceb241e73ea0ee837c111a5e9c

    SHA512

    e5d4fc45e295c61cfb6fd9b395191531b1d1ad4affc0fca997d2bf5ff0f4b401016b2d67918ee9ddfa7b6ea41a2d657c2526e6a8a70f89ec4929ec92e1c56047

  • C:\WinWall32.gif

    Filesize

    99B

    MD5

    37696bbdfbd9730d238438d083c3fea7

    SHA1

    acf59baa90ae751267ff8e67cd9ac21a33847bdf

    SHA256

    02a3481c6a14c6a07478fef9067da855b4486ee3071dab15bb1b7bf82f8fb741

    SHA512

    98809aa3d392419e47aaea57d5bd6cfe3019e83ff5d155708f5158a684dee66be806799157daecf773a6e9beca076bc55dcdce4402282999f48e640803036d8c

  • memory/2160-12-0x0000000010000000-0x0000000010028000-memory.dmp

    Filesize

    160KB