Overview

overview

10

Static

static

10

adb4ba7bef...18.dll

windows7-x64

10

adb4ba7bef...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/08/2024, 03:27

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    adb4ba7bef53b6ea3d1a296bb7455713_JaffaCakes118.dll

  • Size

    334KB

  • MD5

    adb4ba7bef53b6ea3d1a296bb7455713

  • SHA1

    f8b0ec8fe482fe0b15f2c97fd99de150de49ebce

  • SHA256

    22b72547473feba04c2528bc80be5d525fefda0b1709d56a289334bc2d929a28

  • SHA512

    c12228f8153e68dab83434eb9fac666c9398af4848be12f21150d067d5625b8061d49e7a213d70c14e14d4a48f55308f6984ede5d00a3290e4ea7a2a85f8ac5e

  • SSDEEP

    3072:P/a5Bd2SmCVap6MvrJtv5OwhDkL5wCbFjzC3:E7muY9ltR9hDkdwCJ6

Score
10/10
gh0stratdiscoveryrat

Malware Config

Signatures

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\adb4ba7bef53b6ea3d1a296bb7455713_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2604
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\adb4ba7bef53b6ea3d1a296bb7455713_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1756
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:4480
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4464,i,4174666705242427184,7333705955694532165,262144 --variations-seed-version --mojo-platform-channel-handle=1040 /prefetch:8
    1⤵
      PID:3928

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • \??\c:\program files (x86)\fbcd\kbcdefghi.gif
            Filesize

            9.1MB

            MD5

            a5bf34e701b73ce095b3814ea5f6fdf8

            SHA1

            f506f50036501764ab912eb55f690e714af34dbd

            SHA256

            b42c69758a948adfe34f9b6d1a73d7a957210c16c61fe7ab0049ac1cf36e9dc4

            SHA512

            13c7dc83679b6c806e40340b560a16f1972626b957d119ba4cb47ca8406be55baa6915111f92fe9bb3618e2c5dad6d54897c92c1493c8310ffd70da38d2dc085

            Download Submit