Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-07-2024 19:37

General

  • Target

    3a783b67cb6a17b443ee9820946dda26_JaffaCakes118.exe

  • Size

    127KB

  • MD5

    3a783b67cb6a17b443ee9820946dda26

  • SHA1

    2b714568d9b5b81d3f77be134983d7c5f06a345c

  • SHA256

    408632ad84bc391103e20efc4e790c0a38e8f8631c438148fa52ad9a2727fcbb

  • SHA512

    125b34a2ac981bae64e06f968c4d87e2e2130a4ab6cce52ce4cddf9fbbecf252fbbc197003fc8abeeae5517d5488a3446c724b7cfc4f171873e5b1ec9a9145da

  • SSDEEP

    3072:7eJB5WpPCMtzFCi9k2ttBB0NoYu/kvi3WZg:7eL5BM1si9kQfSNt+ka0

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese groups.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a783b67cb6a17b443ee9820946dda26_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3a783b67cb6a17b443ee9820946dda26_JaffaCakes118.exe"
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    PID:3040
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    • Deletes itself
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    PID:2772

Network

MITRE ATT&CK Matrix

Downloads

  • C:\1987500.dll

    Filesize

    114KB

    MD5

    30c4d7a7cca3b8be32741bc8e8a955e9

    SHA1

    b701502f528bef3fa0216ae68acefc5f35159d53

    SHA256

    07acdef1b143098de6b02045c83821bc349e19093a3e187f029d6076d88d2d5c

    SHA512

    e63c525093099793e60c231e7125e36cd0c8c3dd239d1f88d3171a5f3b3e55eed5fdff1b51080b10ee273475189e2c69ae66193a03013fad84d140ff19928b04

  • C:\Program Files (x86)\Rnop\Wnopqrstu.gif

    Filesize

    16.5MB

    MD5

    fedb9e7972cd71e7f024ed3bfb7c4cbd

    SHA1

    33a538a249d58e12b07b8a54c4fcac2f078305d1

    SHA256

    947f799d35d7c22306b02b8d9780e602b80a9313790fd0dac851f0d7a0d772c2

    SHA512

    6184420df40a39b51c532148f766abf3967a9c179faa245fb94fdc920d49ce8e6309e5273d82b4cfd897cbe78e34d6e90614d1d72546b0404868730de1ac5a0d

  • C:\WinWall32.gif

    Filesize

    99B

    MD5

    2d16bc4feae459a58f0e15ea169646b6

    SHA1

    5a14d69f7f2c9a03eb074b08bacc783a7eb8e411

    SHA256

    9cae11aa018951483f34cedff9326fec9ce6091223cc717c250ae2125bf7a5f3

    SHA512

    5c73b42f1d12b7324e52d1f48f3210aa2b68251959025aac5a717ce129b4707355e53d877b54cd8d36abb0779daa37c373f5be2e14d1da3150d197213ebe9cb7

  • memory/3040-9-0x0000000010000000-0x0000000010029000-memory.dmp

    Filesize

    164KB