Overview

overview

10

Static

static

3

26295f8c31...18.exe

windows7-x64

10

26295f8c31...18.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    04/07/2024, 20:49

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    26295f8c317aee445771bb0f28ab3e0f_JaffaCakes118.exe

  • Size

    1.1MB

  • MD5

    26295f8c317aee445771bb0f28ab3e0f

  • SHA1

    34cd9cd9fcb61d1a885a5a27b985fd651bc3f818

  • SHA256

    b017aad56c94286438c221c9891ea8715dcb571c398c321733075286af88c505

  • SHA512

    3b9ceb5d2b53d8a3d49571cdfa0d24763f0416cb0067aa9759dd5067c429c607eeef39273656b66667005e537aec558d33773f44a123797b34dd4c8216c64016

  • SSDEEP

    24576:tL4m66c5teDuutUNNQ/y4FLFr21Gk5haip3:VxetuOTg2jzb

Score
10/10
gh0stratpersistencerat

Malware Config

Signatures

  • Gh0st RAT payload 18 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Drops file in System32 directory 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\26295f8c317aee445771bb0f28ab3e0f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\26295f8c317aee445771bb0f28ab3e0f_JaffaCakes118.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1644
    • C:\Windows\SysWOW64\inxiaqxbm.exe
      C:\Windows\system32\inxiaqxbm.exe ZhuDongdelC:\Users\Admin\AppData\Local\Temp\26295f8c317aee445771bb0f28ab3e0f_JaffaCakes118.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2664

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • \Users\Admin\AppData\Local\Temp\259400396_lang.dll
          Filesize

          119KB

          MD5

          5e22e7c15e31f09f0293287d826ce4f6

          SHA1

          9debef127af3b931f3165aecff85dfa4cf536eb2

          SHA256

          e274e5d4112b5493ed6109855145e59be730ef9cd76fd76dbed8340748bb37ef

          SHA512

          cce73ccf8a96d7b5f16220a49eafd15ca06eb5de101104ee59d9ba0f61a66baa100fe71533aebc33cfa71a46fa457125a82f12c12965812af9d9e8471d8a1ddc

          Download Submit

        • \Windows\SysWOW64\inxiaqxbm.exe
          Filesize

          1.1MB

          MD5

          df3faebe8bd3af3d2aeab89a926720f3

          SHA1

          1b5e73fc1e40c86c2a0f96524aca96c7270d74b4

          SHA256

          efbbc4f7aa012e9670bea0f51b2677fd4ce70029aaf1f35e9d54c41b54c9e5c4

          SHA512

          0cbaaaa5af0d258ce458aed10dda348267fbaaedffb77a498f56cadba020c952d92ba2d5de81f2d9ad703be76f7a67e1c1f6e50fe9ffa8d6993aa35f0510e806

          Download Submit

        • memory/1644-8-0x0000000000400000-0x000000000056A000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1644-0-0x0000000000401000-0x0000000000469000-memory.dmp

          Filesize

          416KB

          Download

        • memory/2664-24-0x0000000000400000-0x000000000056A000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2664-27-0x0000000000400000-0x000000000056A000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2664-22-0x0000000000400000-0x000000000056A000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2664-23-0x0000000000400000-0x000000000056A000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2664-13-0x0000000000400000-0x000000000056A000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2664-25-0x0000000000400000-0x000000000056A000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2664-26-0x0000000000400000-0x000000000056A000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2664-21-0x0000000000400000-0x000000000056A000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2664-28-0x0000000000400000-0x000000000056A000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2664-29-0x0000000000400000-0x000000000056A000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2664-30-0x0000000000400000-0x000000000056A000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2664-31-0x0000000000400000-0x000000000056A000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2664-32-0x0000000000400000-0x000000000056A000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2664-33-0x0000000000400000-0x000000000056A000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2664-34-0x0000000000400000-0x000000000056A000-memory.dmp

          Filesize

          1.4MB

          Download