Overview

overview

10

Static

static

3

2a79e41003...18.exe

windows7-x64

10

2a79e41003...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-07-2024 01:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2a79e41003bd0be1b9c05478d701b6e0_JaffaCakes118.exe

  • Size

    234KB

  • MD5

    2a79e41003bd0be1b9c05478d701b6e0

  • SHA1

    1c16edc78c6e535cdf0e4e44ac6e45453949eacf

  • SHA256

    1dc6a4e5fabf3ae648d3f7f4e58bb45c584b59fd4a0323de02e59765114c6d9c

  • SHA512

    d0b5c37d75cdfdd95bc3e1695ecd56cf346f5c2eb51d505d47b49425bdbc2ec7ff7a78acad25be9591f73a8ba55935fe2ba07215563c73ff9a40d49946671095

  • SSDEEP

    3072:WpTBizAiqdhoCylcf76jFLm5qfuMq8Z+FqXs8cDNqR/nu5/ABslHk:WpVSqdwFq5qmM+F1rDYnQ/Ab

Score
10/10
gh0stratrat

Malware Config

Signatures

  • Gh0st RAT payload 5 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2a79e41003bd0be1b9c05478d701b6e0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2a79e41003bd0be1b9c05478d701b6e0_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3492
    • C:\Users\Admin\AppData\Local\Temp\2a79e41003bd0be1b9c05478d701b6e0_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\2a79e41003bd0be1b9c05478d701b6e0_JaffaCakes118.exe
      2⤵
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2816
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c rundll32.exe C:\Windows\linkinfo.dll hi
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4564
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe C:\Windows\linkinfo.dll hi
          4⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious behavior: GetForegroundWindowSpam
          PID:4168

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\linkinfo.dll
    Filesize

    119KB

    MD5

    4b0142479deed1971340aa9a30a4f440

    SHA1

    c6664a423710289805f935798b2ac232d7d0caba

    SHA256

    6486435e19bcb0054eed429d20e441a889ac0a02bd12e3ba17eea2cee485d78b

    SHA512

    74a72a726f2b625342c3d55579050bc1938cc866ea629f71cf293e0648d1a4e43af4f623ec96f93eba86efca216e37ab3f5211e015e45101372f811663db8f1d

    Download Submit

  • memory/2816-3-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3492-0-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3492-7-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4168-6-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/4168-8-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/4168-11-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download