Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    16/07/2024, 08:23

General

  • Target

    4d86426eefa40d9010883206279024ff_JaffaCakes118.exe

  • Size

    192KB

  • MD5

    4d86426eefa40d9010883206279024ff

  • SHA1

    3ee2dbabaaf64ca72b0a5fd567cb09d6b9bd44f0

  • SHA256

    fe7b1ebf5c307b19a17924657dbc14612fe218c75231a250879de34732e7ef55

  • SHA512

    c5a4e116baabbe0898d02befbb2ca444be9f8b2b2445b6f5173eb5e7716b07872c633e8f8b73316c5121365a29c013c9afa3837b7c97abe619b8c84cde3a4819

  • SSDEEP

    3072:OQk3DH+bK+snWjvUJfQA3f2CaxQpLlLOdnHmvJR8oIUqtY7Ovih0iT0g:OQkTH+bpsnWjvo/v2lQpUHmrlHp

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese groups.

  • Loads dropped DLL 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4d86426eefa40d9010883206279024ff_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4d86426eefa40d9010883206279024ff_JaffaCakes118.exe"
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2036
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    • Loads dropped DLL
    PID:2244
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    • Loads dropped DLL
    PID:2488
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    • Loads dropped DLL
    PID:2008
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k regsvc
    PID:2864

Network

MITRE ATT&CK Matrix

Downloads

  • \??\c:\windows\SysWOW64\qelxl.cc3

    Filesize

    21.1MB

    MD5

    b200af581eed47c2dffa4191482cc46c

    SHA1

    fe494eef6b7b76187f04a9955ecd6ba26c9d281a

    SHA256

    58091083768f793d4542aafe2b703359a917b4204dbbb129255a0f8103502206

    SHA512

    52853f331f46f9f16236636ab0a1801ef6e09583c6eccb1a13a8ac33c61842619a3900a1600cf106df27580dd7473f8897cbd14f18c51a0da7b1e1f1b8770717