Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    23/07/2024, 16:43

General

  • Target

    6860e961f1f73b8e447e0f822302c1b4_JaffaCakes118.exe

  • Size

    127KB

  • MD5

    6860e961f1f73b8e447e0f822302c1b4

  • SHA1

    d749498e18900c16eeab95b2eb45e7247c40b4a7

  • SHA256

    ad123861b9187aef26826170e978becf3bb4e4f3cc5d5e79ea21431b11ccb26d

  • SHA512

    08773468e7d095b0f2b8fd2ec3ed935b26a0becdb0b831b1a7a92250e284fa9b3d5ef02c185e0c64909000f2330522072c1465a480e71bad92791e20f605a963

  • SSDEEP

    3072:j7CaO7x8fC8t52oje+rKttHkoIIu6kfif20wNA:j7pON8ao6+wKodjkqfXC

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese threat groups.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6860e961f1f73b8e447e0f822302c1b4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6860e961f1f73b8e447e0f822302c1b4_JaffaCakes118.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:3048
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    1⤵
    • Deletes itself
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:2316

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\2266100.dll

    Filesize

    113KB

    MD5

    7a5449088bf5920fd891b438e6179889

    SHA1

    337c0a27eadc4b1a6f7949dfb6e181508a33daaa

    SHA256

    613b890500e680923769cd2dde4269562ac364bb949be166bf7cfb9a37941779

    SHA512

    6e0b04bc13986c0f82413922a0d3854f7d87308b8fab2fbe9422f8554076bc90628abc1f772cfa4003485c10c0789826339a091bf9fe3e2167dffdd87350ef3a

  • C:\Program Files (x86)\Bwxy\Gwxyabcde.gif

    Filesize

    11.3MB

    MD5

    12b4d966bb93b8479c5f2b7e340b9e5e

    SHA1

    6a6d559ed88c1f381ddee12c7dee439aa12b9b10

    SHA256

    2acd741c49f571425a163784f2f73d1784c01f23ff021749b3c7cbbc5697edca

    SHA512

    250b32b98675f008d1d0b1144369458ab5fd734e51968b709b16e320737d112ede0a8de668c9addad1563438f935f7585ae1f25d871b7b6938b0a76471aa1d8b

  • C:\WinWall32.gif

    Filesize

    99B

    MD5

    d5fa9711b3dc04b24e8ed23fda47b976

    SHA1

    33f06af1ee9d27ce74da4004c9a7375210a9837e

    SHA256

    da8161a2bf278a3de1f1207d40c2a87f9ddc33da6cda56866ee03a6c961b8d89

    SHA512

    0b7ab0e50daf0b2adaef5e1d729d80c91ca9038a70ebaebd042c8abb6a458631041e5e8eec104592af0f4171774a52ee5013036256abe4de3c0a18e9bc68c9b7

  • memory/3048-9-0x0000000010000000-0x0000000010028000-memory.dmp

    Filesize

    160KB