Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/07/2024, 09:44

General

  • Target

    6f0fc8a80dfd97b650a02c0b0ead60b9_JaffaCakes118.exe

  • Size

    192KB

  • MD5

    6f0fc8a80dfd97b650a02c0b0ead60b9

  • SHA1

    d654e296f3512b0deb4f10ca83ae67ed9028f415

  • SHA256

    996bb3b38dde333de4c5e92da3f5a459fdf76e431964205041141ea65b86d48a

  • SHA512

    9db721c55f079e6911e1208034a6b572878d4f1355f905a0c4f5b32eba60b39e6a63737cfb0db8d11e108ef595b901c1b6e46f77a7d499f6bce9f9a767b86905

  • SSDEEP

    3072:ZqFRwVCnWRcdPhLg8eqxWQq/gd6qSfe+y5LiZGXE73iHPZdQ+0K6KuCPPPPPn:aqVCnWRclhLGZsd6qSfe+y5LiMXciHP0

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 4 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6f0fc8a80dfd97b650a02c0b0ead60b9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6f0fc8a80dfd97b650a02c0b0ead60b9_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4492
    • \??\c:\users\admin\appdata\local\lcfxsrektq
      "C:\Users\Admin\AppData\Local\Temp\6f0fc8a80dfd97b650a02c0b0ead60b9_JaffaCakes118.exe"a -sc:\users\admin\appdata\local\temp\6f0fc8a80dfd97b650a02c0b0ead60b9_jaffacakes118.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2528
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:932
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 1108
      2⤵
      • Program crash
      PID:840
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 932 -ip 932
    1⤵
    PID:1172
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:8
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 1104
      2⤵
      • Program crash
      PID:2516
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 8 -ip 8
    1⤵
    PID:2308
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:404
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 884
      2⤵
      • Program crash
      PID:1376
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 404 -ip 404
    1⤵
    PID:944
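The process tree above shows three things worth turning into detections: every svchost.exe instance runs from C:\Windows\SysWOW64 rather than C:\Windows\System32 (a 32-bit service host on a 64-bit Windows 10 build), each of those hosts loads a dropped DLL and is then reported by WerFault.exe as crashed, and the dropped copy at C:\Users\Admin\AppData\Local\lcfxsrektq has no file extension and is started with a command line whose argv[0] is still the original Temp path and whose -s argument carries that same original path, which is consistent with the "Deletes itself" signature. The Python below is an added example, not part of the sandbox report, that runs those checks over a constructed event list mirroring the tree above; the rule names, the ProcEvent shape and the benign control entry (PID 1234) are assumptions made for illustration.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (e.g. from Sysmon Event ID 1). Assumed shape."""
    pid: int
    image: str      # full path of the executable image
    cmdline: str    # command line as logged


# Constructed events mirroring the process tree in this report (not sandbox output).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\6f0fc8a80dfd97b650a02c0b0ead60b9_JaffaCakes118.exe"
EVENTS = [
    ProcEvent(4492, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2528, r"\??\c:\users\admin\appdata\local\lcfxsrektq",
              f'"{SAMPLE}"a -s' + SAMPLE.lower()),
    ProcEvent(932, r"C:\Windows\SysWOW64\svchost.exe",
              r"C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility"),
    ProcEvent(840, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 1108"),
    # Assumed benign control: a normal 64-bit service host that must not be flagged.
    ProcEvent(1234, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule"),
]

SELF_DELETE_ARG = re.compile(r'-s(?P<orig>[a-z]:\\[^\s"]+\.exe)', re.I)
WERFAULT_TARGET = re.compile(r"-p\s+(\d+)")


def normalize(path: str) -> str:
    """Lower-case a path and strip the NT \\??\\ prefix the sandbox shows on some images."""
    p = path.strip().lower()
    return p[4:] if p.startswith("\\??\\") else p


def argv0(cmdline: str) -> str:
    """First token of a command line, honouring quotes (the image the launcher claims to be)."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmdline)
    return (m.group(1) or m.group(2)) if m else ""


def detect(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """Return (pid, rule) pairs for the behaviours visible in this report's process tree."""
    findings: list[tuple[int, str]] = []
    suspicious_hosts: set[int] = set()
    for e in events:
        img = normalize(e.image)
        base = img.rsplit("\\", 1)[-1]
        a0 = normalize(argv0(e.cmdline))
        # 1. svchost.exe outside System32: on x64 a SysWOW64 (32-bit) service host is anomalous.
        if base == "svchost.exe" and not img.startswith("c:\\windows\\system32\\"):
            findings.append((e.pid, "svchost-outside-system32"))
            suspicious_hosts.add(e.pid)
        # 2. Extensionless executable running from directly under AppData\Local.
        if "\\appdata\\local\\" in img and "." not in base:
            findings.append((e.pid, "extensionless-exe-in-appdata-local"))
        # 3. The command line names a different image than the one actually running.
        if a0 and a0 != img:
            findings.append((e.pid, "argv0-image-mismatch"))
        # 4. A -s<path> argument that points back at the launcher's own path: self-delete handoff.
        m = SELF_DELETE_ARG.search(e.cmdline)
        if m and normalize(m.group("orig")) == a0:
            findings.append((e.pid, "self-delete-handoff"))
    # 5. Second pass: WerFault reporting a crash of one of the flagged service hosts.
    for e in events:
        if normalize(e.image).endswith("\\werfault.exe"):
            m = WERFAULT_TARGET.search(e.cmdline)
            if m and int(m.group(1)) in suspicious_hosts:
                findings.append((e.pid, "werfault-on-suspicious-svchost"))
    return findings


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"PID {pid}: {rule}")
```

On real telemetry, build ProcEvent from Sysmon Event ID 1 or the EDR's process-creation records. The WerFault rule only fires for crashes of an svchost.exe that was already flagged, so ordinary crash reports stay out of the result; the argv[0] check is the cheapest of the five, since it needs no allow-list, only the image path the kernel actually mapped.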

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\lcfxsrektq

          Filesize

          23.5MB

          MD5

          ddc4a35403e4e5808738b9814f378c4e

          SHA1

          1afe85f2f831cc2a6ca3916851ecc848b570c599

          SHA256

          23d4f20bde0913a5f4b48e90b27f95f74b33f34937208c699881920106babe95

          SHA512

          248993ba7b84f8b2dc76cb106941a0ca6152dc8cf6f00173ff6bc6259f06df059450247883478a7bec2b090840f9423fb28a5cfc42bfdf864e923f690e42bc38

        • C:\Windows\SysWOW64\svchost.exe.txt

          Filesize

          202B

          MD5

          6272023783daa56e4ca0d9275acd20ad

          SHA1

          0d135a02b7fda2e4c50de6217157c210011b8b8b

          SHA256

          05d3b87ba3902fe6a839ab3c5370e60d3bc30e5b22ce34d575ede54fc261c4ff

          SHA512

          6176902d7d65904feb38065cf70d6dedb3cf911830f9a179c3baf952f2bf41d01401be29f7bd9d115276d81fc10672103f6d3bc1e435993e18e4c68aa29146bf

        • C:\Windows\SysWOW64\svchost.exe.txt

          Filesize

          303B

          MD5

          d8bd75ec09524c0bbc22c7135663e77e

          SHA1

          ae95279b912f8fe79fe38a9069590c7e95fd862f

          SHA256

          905b8c1d07cab921fd5939f82872ef09da8db336b9619e042e9e51670f3463f3

          SHA512

          81e4fdb738360abbf2ef6137a012b4cc44e817da1b6aff0f8416238a6a9833d8079ec2aaabfbfa0b3509d4a050ffc5267b8323373fa6a11430ec49792d728871

        • \??\c:\program files (x86)\%sessionname%\fsfdk.cc3

          Filesize

          21.0MB

          MD5

          6b1075163e3c0ec83717e4d79fb5be7e

          SHA1

          a66ae429fcb2376269d0e3304d9dd7963deef06c

          SHA256

          b8e2b7bd4f03da3ec7afb6eee72b08767e1d76f1ef46b452e678ada74b188214

          SHA512

          a510d90fadccc24ab9e4eacb8d6798b90ff54e20b2ade7039f870b035942d2ada92f2762c140bb63de740ff3eb61e39e3c4a941e4f575f7a98403cdc169d1cba

        • memory/8-13-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

          Filesize

          4KB

        • memory/8-16-0x0000000020000000-0x0000000020027000-memory.dmp

          Filesize

          156KB

        • memory/404-18-0x00000000016C0000-0x00000000016C1000-memory.dmp

          Filesize

          4KB

        • memory/404-21-0x0000000020000000-0x0000000020027000-memory.dmp

          Filesize

          156KB

        • memory/932-9-0x0000000001F40000-0x0000000001F41000-memory.dmp

          Filesize

          4KB

        • memory/932-11-0x0000000020000000-0x0000000020027000-memory.dmp

          Filesize

          156KB
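The dropped files listed above give both hash and path indicators, and the two are not interchangeable: the on-disk copy lcfxsrektq is 23.5MB against the submitted sample's 192KB and carries different hashes, so a hash-only lookup for the submitted sample will not find the copy the malware actually left behind. Path shape is the more durable indicator here: a directory literally named %sessionname% under Program Files (x86) (an environment variable that was never expanded), svchost.exe.txt sitting beside svchost.exe in SysWOW64, and a large extensionless file directly under AppData\Local. The Python below is an added example, not part of the report, that combines the report's SHA256 values with those path rules over a constructed listing; the FileRec shape, the size threshold, the approximate byte sizes, and the entries for a second user profile and a benign DLL are assumptions.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class FileRec:
    """One entry from a filesystem listing or disk-image export. Assumed shape."""
    path: str
    size: int       # bytes
    sha256: str     # hex digest


# SHA256 values transcribed from the report above, keyed to the artifact they identify.
REPORT_SHA256 = {
    "996bb3b38dde333de4c5e92da3f5a459fdf76e431964205041141ea65b86d48a": "submitted sample (192KB)",
    "23d4f20bde0913a5f4b48e90b27f95f74b33f34937208c699881920106babe95": "dropped copy lcfxsrektq (23.5MB)",
    "05d3b87ba3902fe6a839ab3c5370e60d3bc30e5b22ce34d575ede54fc261c4ff": "svchost.exe.txt (202B)",
    "905b8c1d07cab921fd5939f82872ef09da8db336b9619e042e9e51670f3463f3": "svchost.exe.txt (303B)",
    "b8e2b7bd4f03da3ec7afb6eee72b08767e1d76f1ef46b452e678ada74b188214": "fsfdk.cc3 (21.0MB)",
}

LARGE_DROP_BYTES = 1_000_000   # assumed threshold for the "large extensionless file" rule


def _parts(path: str) -> list[str]:
    """Lower-cased path components, with the NT \\??\\ prefix removed."""
    p = path.strip().lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.split("\\")


def path_indicators(path: str, size: int) -> list[str]:
    """Path-shape rules derived from the dropped-file list in this report."""
    parts = _parts(path)
    base, dirs = parts[-1], parts[:-1]
    hits = []
    # A directory literally named %sessionname%: an environment variable that was never expanded.
    if "%sessionname%" in dirs:
        hits.append("unexpanded-env-var-directory")
    # A .txt sidecar named after svchost.exe inside a system directory.
    if base == "svchost.exe.txt" and dirs and dirs[-1] in ("syswow64", "system32"):
        hits.append("svchost-sidecar-text-file")
    # A large file with no extension directly under <profile>\AppData\Local.
    if dirs[-2:] == ["appdata", "local"] and "." not in base and size >= LARGE_DROP_BYTES:
        hits.append("large-extensionless-file-in-appdata-local")
    return hits


def triage(listing: list[FileRec]) -> dict[str, list[str]]:
    """Map each suspicious path to the reasons it matched (hash match first, then path rules)."""
    results: dict[str, list[str]] = {}
    for rec in listing:
        reasons = []
        label = REPORT_SHA256.get(rec.sha256.lower())
        if label:
            reasons.append(f"sha256 matches report artifact: {label}")
        reasons.extend(path_indicators(rec.path, rec.size))
        if reasons:
            results[rec.path] = reasons
    return results


def sha256_of_file(path: str) -> str:
    """Streamed SHA256 for building FileRec from real files (not used by the constructed listing)."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


# Constructed listing: the first three entries carry the report's own paths, hashes and
# approximate sizes in bytes; the last two are assumed controls.
LISTING = [
    FileRec(r"C:\Users\Admin\AppData\Local\lcfxsrektq", 24_641_536,
            "23d4f20bde0913a5f4b48e90b27f95f74b33f34937208c699881920106babe95"),
    FileRec(r"C:\Windows\SysWOW64\svchost.exe.txt", 303,
            "905b8c1d07cab921fd5939f82872ef09da8db336b9619e042e9e51670f3463f3"),
    FileRec(r"\??\c:\program files (x86)\%sessionname%\fsfdk.cc3", 22_020_096,
            "b8e2b7bd4f03da3ec7afb6eee72b08767e1d76f1ef46b452e678ada74b188214"),
    # Same drop pattern on another profile, with a hash the report does not know (assumed).
    FileRec(r"C:\Users\Bob\AppData\Local\abcdefghij", 24_000_000, "00" * 32),
    # Benign control (assumed): an ordinary DLL under Program Files (x86).
    FileRec(r"C:\Program Files (x86)\Common Files\System\Ole DB\oledb32.dll", 200_000, "11" * 32),
]


if __name__ == "__main__":
    for p, why in triage(LISTING).items():
        print(p)
        for w in why:
            print("   ", w)
```

The second-profile entry is the point of the path rules: it matches on shape alone, which is what a hunt needs when the copy on the next host has been rebuilt and no longer shares a hash with anything in this report. Keep the hash table too, since an exact match is the cheapest confirmation when it does occur.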