Overview

overview

10

Static

static

3

483ba25d2d...18.exe

windows7-x64

10

483ba25d2d...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    15-07-2024 04:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    483ba25d2dee6afb2e23ff4335bc0655_JaffaCakes118.exe

  • Size

    358KB

  • MD5

    483ba25d2dee6afb2e23ff4335bc0655

  • SHA1

    30f543d282d5952321775d268807cc2d398aab8b

  • SHA256

    6148ba2f6a941f7fb0b233d7616247d1501cc916c512593eec33443605f09f57

  • SHA512

    f131aeaa1ce2f30261ae3f03f78dfb3d517d47be3c17e7e17eba9c2e70d4b90badadfa731bf7814a8aaa7894b0c1b7e620696ec37c6403a0cf41666136d803ba

  • SSDEEP

    6144:druMZwgRf/pWUaO1u4nDWgRAkPVkGQn8xID0DMFFGsdPVgrKvzW0nUQz1:drucf/JDR3PVkGLxe0DuPyWva0x1

Score
10/10
gh0stratrat

Malware Config

Signatures

  • Gh0st RAT payload 5 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\483ba25d2dee6afb2e23ff4335bc0655_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\483ba25d2dee6afb2e23ff4335bc0655_JaffaCakes118.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    PID:536
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    1⤵
    • Deletes itself
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    PID:2684

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\685800.dll
    Filesize

    133KB

    MD5

    c3c1f99946f7bed1c49520c7f356f6b4

    SHA1

    bacd9b5ac807a290ae935cfa06af8cbf3cad1d38

    SHA256

    1afde4bfb742a6a927053415e2aafab4603341aef0d2fb3d65e2ee12b4a204a6

    SHA512

    da735b3c82e224a7206620474e36ef74c2016951a584f48e62686a30e992fcbc52b456ccda0414738bc6056638600c4538722e99dc26fea88211c48932915b63

    Download Submit

  • C:\Program Files (x86)\Iefg\Nefghijkl.pic
    Filesize

    7.0MB

    MD5

    f63991daffb4363da8e1860b5eefdc10

    SHA1

    ca2e8596ae5caef23ff210519acf34c9edf6f0b6

    SHA256

    32d6ecd6cd331f026c50cfbddb01e5a6ae8f7a093d7efd31e5074a3133bc19a5

    SHA512

    2d89708a1f8e9beaa32460b8cc3a6669b7507dfb024baf358c72a01ab2ab067e54db247c7170d5fba26c586285b50da639bdfb84b9ab421c83ef57ebf30130c4

    Download Submit

  • \??\c:\NT_Path.jpg
    Filesize

    98B

    MD5

    3bd36bd049f1dd656e2d011055813c16

    SHA1

    9852ab62454b1eb114e582671dd436f1983c4eb8

    SHA256

    ea1792f80a8d46f76eed99e32dcf484357a37e0ccffd5dc97f66a04f8b32d8db

    SHA512

    5ce75eed4aea50a569d18c0d3c1b8d9fd5d0335b8ff09b71ab56e9c7182d5c0b7eb078cfd429001882384ea11d47348219ab54ecaf1b93e21a0549f3737c2f61

    Download Submit

  • memory/536-14-0x00000000004A0000-0x0000000000530000-memory.dmp

    Filesize

    576KB

    Download

  • memory/536-12-0x0000000002660000-0x000000000270C000-memory.dmp

    Filesize

    688KB

    Download

  • memory/536-3-0x0000000000300000-0x0000000000340000-memory.dmp

    Filesize

    256KB

    Download

  • memory/536-2-0x0000000000300000-0x0000000000391000-memory.dmp

    Filesize

    580KB

    Download

  • memory/536-1-0x0000000000300000-0x0000000000391000-memory.dmp

    Filesize

    580KB

    Download

  • memory/536-10-0x0000000002300000-0x0000000002410000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/536-15-0x00000000025C0000-0x0000000002660000-memory.dmp

    Filesize

    640KB

    Download

  • memory/536-0-0x0000000000400000-0x0000000000491000-memory.dmp

    Filesize

    580KB

    Download

  • memory/536-13-0x0000000002440000-0x0000000002540000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/536-4-0x0000000000260000-0x0000000000261000-memory.dmp

    Filesize

    4KB

    Download

  • memory/536-11-0x0000000002710000-0x0000000002890000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/536-5-0x0000000000300000-0x0000000000340000-memory.dmp

    Filesize

    256KB

    Download

  • memory/536-23-0x0000000000300000-0x0000000000340000-memory.dmp

    Filesize

    256KB

    Download

  • memory/536-26-0x0000000000400000-0x0000000000491000-memory.dmp

    Filesize

    580KB

    Download

  • memory/536-25-0x0000000010000000-0x0000000010025000-memory.dmp

    Filesize

    148KB

    Download

  • memory/536-6-0x0000000000400000-0x0000000000491000-memory.dmp

    Filesize

    580KB

    Download

  • memory/536-7-0x0000000000400000-0x0000000000491000-memory.dmp

    Filesize

    580KB

    Download