Analysis

  • max time kernel
    120s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/07/2024, 16:56

General

  • Target

    39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe

  • Size

    91KB

  • MD5

    39fb4515406c2ad135907422e9a8d4c2

  • SHA1

    26b5dfd29c1eb2d94fdeb16be56a1f406411b613

  • SHA256

    c11a68bb59e1ce8c3eb405811057f31fdcb5df5ad0afe691ad320dff6af75194

  • SHA512

    7d18e2797d8214bb7119800809836b5a7c57cec0fe8cf780621fc128b7b1b5d906349ec1978fb8da966195ff238c20760e2d20ac27123e1deddf8e742e6474b6

  • SSDEEP

    1536:FRicmlkKXvbMOQa/62KDK+H7NVR1jwU/k+plcFzhjoeE+y2h+DBl48xgRYc15IKr:FscmlPbt/657NVR1jpuzCeE+Jh+du8Gz

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 2 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Loads dropped DLL 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\39fb4515406c2ad135907422e9a8d4c2_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2548
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Loads dropped DLL
    PID:1032
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Loads dropped DLL
    PID:2416
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Loads dropped DLL
    PID:2424
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k regsvc
    1⤵
      PID:2808

    Network

          MITRE ATT&CK Matrix

          Downloads

          • \??\c:\windows\SysWOW64\%sessionname%\gpywf.pic

            Filesize

            20.0MB

            MD5

            3a8692ab511daabfcbf59ef2d22be61c

            SHA1

            542b6ddd4cfd7def2cb8a75a7816dc83565ede75

            SHA256

            4f85cf0fa2bb940c23facc74da726f9888ae3048fff803492e0faa88ea73cf04

            SHA512

            c09e95e32eb6ea0bd0050187680bea65fd1833b2decac974f1608abd7591ce68123c7f7d9c7389509189a157f9a51a449578a638f9f091b89e18c8b2ee3f4088

          • memory/2548-0-0x0000000000400000-0x0000000000449000-memory.dmp

            Filesize

            292KB

          • memory/2548-2-0x0000000000400000-0x0000000000449000-memory.dmp

            Filesize

            292KB

          • memory/2548-1-0x00000000001B0000-0x00000000001B1000-memory.dmp

            Filesize

            4KB

          • memory/2548-10-0x0000000000400000-0x0000000000449000-memory.dmp

            Filesize

            292KB