Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-07-2024 19:37

General

  • Target

    3a783b67cb6a17b443ee9820946dda26_JaffaCakes118.exe

  • Size

    127KB

  • MD5

    3a783b67cb6a17b443ee9820946dda26

  • SHA1

    2b714568d9b5b81d3f77be134983d7c5f06a345c

  • SHA256

    408632ad84bc391103e20efc4e790c0a38e8f8631c438148fa52ad9a2727fcbb

  • SHA512

    125b34a2ac981bae64e06f968c4d87e2e2130a4ab6cce52ce4cddf9fbbecf252fbbc197003fc8abeeae5517d5488a3446c724b7cfc4f171873e5b1ec9a9145da

  • SSDEEP

    3072:7eJB5WpPCMtzFCi9k2ttBB0NoYu/kvi3WZg:7eL5BM1si9kQfSNt+ka0

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 2 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese groups.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a783b67cb6a17b443ee9820946dda26_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3a783b67cb6a17b443ee9820946dda26_JaffaCakes118.exe"
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    PID:3896
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    • Deletes itself
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    PID:1468

Network

MITRE ATT&CK Matrix

Downloads

  • C:\2454300.dll

    Filesize

    114KB

    MD5

    30c4d7a7cca3b8be32741bc8e8a955e9

    SHA1

    b701502f528bef3fa0216ae68acefc5f35159d53

    SHA256

    07acdef1b143098de6b02045c83821bc349e19093a3e187f029d6076d88d2d5c

    SHA512

    e63c525093099793e60c231e7125e36cd0c8c3dd239d1f88d3171a5f3b3e55eed5fdff1b51080b10ee273475189e2c69ae66193a03013fad84d140ff19928b04

  • C:\WinWall32.gif

    Filesize

    99B

    MD5

    5f3d7a288a2f0faa5bfcf8bf07379492

    SHA1

    c116b383cfadafb8be0da1a02108a523465020b1

    SHA256

    99fbf5d736d89fe15ec187fc8aa03d42be4522e053ea5e6e7c4074559ec32d5a

    SHA512

    690b85542380d8be9d33a3e0189ee7ae154a2e6fa604a825bbf3f662ed3a1e943bc2905b7bc13d2360809698943dd7e3df6f01f06c411698f1179ea31b1d4de6

  • \??\c:\program files (x86)\rnop\wnopqrstu.gif

    Filesize

    10.2MB

    MD5

    ad92e233f2363263722dec0526ecb39b

    SHA1

    4fe85bcf99c5b33f8c197578df7eb3469a236de7

    SHA256

    95a955d94780eaed5919524a346414507fdfbf69e6d1f5bafd369c281dbfa147

    SHA512

    cc9d98d6667977aebce27a3ecb95612187318b4f853f91ccc9e032e9761d59ecd63e97a2ce52edf773f05ed1c09e8659af18c47dfc20668926be2566efc17ff4