Analysis

  • max time kernel: 150s
  • max time network: 152s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240508-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 03/07/2024, 16:58

General

  • Target: 231f50b83923b7c69c64b8f7956b2366_JaffaCakes118.exe
  • Size: 127KB
  • MD5: 231f50b83923b7c69c64b8f7956b2366
  • SHA1: 1955c88ddbabe52f2944c731cbe0cbb5936d16ce
  • SHA256: d243a211ebe831e10ca35baaa2d24b49d119837c6b496e17681817087ecf89e3
  • SHA512: 5eaf7f772087889effed7fd03aad9f5050aa5b1017a0a85bf25272b12943d6c0825c8138f3534b87baa707abf9aa9041a7adca62c2826b276949e32ed4732876
  • SSDEEP: 3072:c7CaO7x8fC8t52ojM+rKttHkoIIu6kfif20wNA:c7pON8aoQ+wKodjkqfXC

Score
10/10

Signatures

  • Gh0st RAT payload 2 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\231f50b83923b7c69c64b8f7956b2366_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\231f50b83923b7c69c64b8f7956b2366_JaffaCakes118.exe"
    PID: 372
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
  • C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\SysWOW64\svchost.exe -k imgsvc
    PID: 1012
    • Deletes itself
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses

Downloads

  • C:\2378600.dll
    Filesize: 113KB
    MD5: 7fbf87f4662b6841630613923920cb58
    SHA1: 63398a99546b56d53c4db059e0141b71377d998a
    SHA256: 37086ee6b810b23b6e7786ea804acbd36604dfde5eaae406c219bffffd1f06d9
    SHA512: aab6055dc1c9380ce63e601dc49f80c0e63179d78a258d6b8e73940459556060755fbfa42f0e11cd498e60fa1bc3d0e44953875ac1f2455fb1339e9fb193fb5f
  • C:\WinWall32.gif
    Filesize: 99B
    MD5: b6c9854afcde789f0df40df2765e1879
    SHA1: 0bdb5d01ee42252dfa6207e7cc6defb8f9574f2d
    SHA256: 1d7191a00e31d295562b49285f6b7dd04dffef88834690a3e1a1153e2e9a9c14
    SHA512: 8564b25582b035d26b924914aac1e25ec73dead299cb9c45539a2081c3e710a8a3db4fcddd1e88a33a70b64210b0e620f39d76800c230c7b7694589027d2a554
  • \??\c:\program files (x86)\rnop\wnopqrstu.gif
    Filesize: 17.9MB
    MD5: 23fd9457dfe062a42d0eb38bce2b1edd
    SHA1: 9c999dea2ab9336028fdf7467462697a33771719
    SHA256: 70a026d46657003bcc1d86ddb13484e93ab972a812d67eb7260d5fe924a6497a
    SHA512: 8254df7288610aba148a23dc758e7d4ed33a44d7646ac3395bb7676584d1354e21642e59f364a14801845efddeee8c53dc370e013c2a5c07d23c808351f9f0ab