Overview

overview

10

Static

static

10

6860e961f1...18.exe

windows7-x64

10

6860e961f1...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/07/2024, 16:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6860e961f1f73b8e447e0f822302c1b4_JaffaCakes118.exe

  • Size

    127KB

  • MD5

    6860e961f1f73b8e447e0f822302c1b4

  • SHA1

    d749498e18900c16eeab95b2eb45e7247c40b4a7

  • SHA256

    ad123861b9187aef26826170e978becf3bb4e4f3cc5d5e79ea21431b11ccb26d

  • SHA512

    08773468e7d095b0f2b8fd2ec3ed935b26a0becdb0b831b1a7a92250e284fa9b3d5ef02c185e0c64909000f2330522072c1465a480e71bad92791e20f605a963

  • SSDEEP

    3072:j7CaO7x8fC8t52oje+rKttHkoIIu6kfif20wNA:j7pON8ao6+wKodjkqfXC

Score
10/10
gh0stratdiscoveryrat

Malware Config

Signatures

  • Gh0st RAT payload 2 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6860e961f1f73b8e447e0f822302c1b4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6860e961f1f73b8e447e0f822302c1b4_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:4972
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    1⤵
    • Deletes itself
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:2072

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\131700.dll
    Filesize

    113KB

    MD5

    7a5449088bf5920fd891b438e6179889

    SHA1

    337c0a27eadc4b1a6f7949dfb6e181508a33daaa

    SHA256

    613b890500e680923769cd2dde4269562ac364bb949be166bf7cfb9a37941779

    SHA512

    6e0b04bc13986c0f82413922a0d3854f7d87308b8fab2fbe9422f8554076bc90628abc1f772cfa4003485c10c0789826339a091bf9fe3e2167dffdd87350ef3a

    Download Submit

  • C:\WinWall32.gif
    Filesize

    98B

    MD5

    eee6a868acb51ae7b4c25bb6cc79f416

    SHA1

    b6dd33b3e1af4f3ca5a7742a7aa09f18c3a3813b

    SHA256

    26a954952faaafeee6e64bc458f92a7e4376d430d4438d8bd4c3b064af6636b1

    SHA512

    b987609875e9202a86ea7e50dde68beaada67941916fa88d864c148a13a7b53d3821a9e663da41081984e637e07d7570a73ce90d3f56a08de0ae0922ae57dc34

    Download Submit

  • \??\c:\program files (x86)\bwxy\gwxyabcde.gif
    Filesize

    3.4MB

    MD5

    6f578b70079d7c78c8ed2f2026d07cac

    SHA1

    ce4cd53286378e2daf4f50090c78abe831cc5864

    SHA256

    a0208b4432f53a136a3236ccc08b7ce1de3f129caf35bb8e89be21789c4c4fdf

    SHA512

    3f01c492e844283e4fccd3b1cafe8db3fb500cd49427a054c67dcec37af9ab6ab31ec6297acaaca0f2e25d4ebeed03b4a371cc03bfeb4a8d541783fae41c5939

    Download Submit