Overview

overview

10

Static

static

10

668977ea8a...18.exe

windows7-x64

10

668977ea8a...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-07-2024 23:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    668977ea8ab852c01936636d55a8e7e8_JaffaCakes118.exe

  • Size

    112KB

  • MD5

    668977ea8ab852c01936636d55a8e7e8

  • SHA1

    f61bc0c2beb47a715c949cd3e46dd4609267862d

  • SHA256

    9e513960a169aad7b17bc9181649a43ee439857edd4f0e8cf09685bdf3cf67ec

  • SHA512

    1511a2a80f4a3e925ea54cb51671a1a8a00f69686df5ab790cafd321979778c14a8df22420b6d691ebf50c24eb27a60cf994f3716f249db5ebc22a7d82de70ad

  • SSDEEP

    1536:vqEA70HzLJksPEOajozLElnqiO2cdJ/tHi:vXTLJkQ7zAV3+tC

Score
10/10
gh0stratrunningratdiscoverypersistencerat

Malware Config

Extracted

Family

gh0strat

C2

p.f2pool.info

Signatures

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • RunningRat

    RunningRat is a remote access trojan first seen in 2018.

    ratrunningrat
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Creates a Windows Service
    persistence
  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\668977ea8ab852c01936636d55a8e7e8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\668977ea8ab852c01936636d55a8e7e8_JaffaCakes118.exe"
    1⤵
    • Server Software Component: Terminal Services DLL
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4132
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\Admin\AppData\Local\Temp\668977ea8ab852c01936636d55a8e7e8_JaffaCakes118.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:792
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:320
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k "serivces"
    1⤵
      PID:2164
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe -k "serivces"
      1⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1712
      • C:\Windows\SysWOW64\serivces.exe
        C:\Windows\system32\serivces.exe "c:\windows\system32\240632671.dll",MainThread
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:780

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\240632671.dll
      Filesize

      37KB

      MD5

      6dd8cd3d4fb23b363dcc120b02b00101

      SHA1

      0bd8b5c0e4fe3f7df123962bcbbc07783d01f102

      SHA256

      253e3df8eb4dd07d3262a3df9703e21d74fcdb14aaba04fdf5ddd55049cfcc4a

      SHA512

      aa863d40a9fb8b65027bfab20bf26956e1c07dd128507d17a4e41b2101bf4a546d3830d0d0b9c5bdd08c50911d9771e3f65cb33d6d6fdf30d754faf048a73a04

      Download Submit

    • C:\Windows\SysWOW64\serivces.exe
      Filesize

      60KB

      MD5

      889b99c52a60dd49227c5e485a016679

      SHA1

      8fa889e456aa646a4d0a4349977430ce5fa5e2d7

      SHA256

      6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

      SHA512

      08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

      Download Submit