Overview

overview

10

Static

static

3

b987ed2106...18.exe

windows7-x64

3

b987ed2106...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-08-2024 23:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b987ed2106872f4561d7d2edb2eb5876_JaffaCakes118.exe

  • Size

    53KB

  • MD5

    b987ed2106872f4561d7d2edb2eb5876

  • SHA1

    9e467466a772ba5c8134210526e0c261e6b0f707

  • SHA256

    81d464cbf3b574bfd33e3dc18644fa2946dc567654a6e83bfe23b78594bf78d7

  • SHA512

    47c233c2733556ac2b3f405d6f70546a5f3ae6d5fa8a193888bfda8b9b384d1f529887a620b8f4467d03c14a4b66069d636eb878730a5110a833dfc8826c0a5f

  • SSDEEP

    1536:obeMDyISB9r77bqTP43fN3JIJkmtuUJ+XGRHpiHg9:obNDsn7ek3fUJkAJ+XmH9

Score
10/10
gh0stratdiscoverypersistencerat

Malware Config

Signatures

  • Gh0st RAT payload 4 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Drops file in Drivers directory 2 IoCs
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b987ed2106872f4561d7d2edb2eb5876_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b987ed2106872f4561d7d2edb2eb5876_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2852
    • C:\Users\Admin\AppData\Local\Temp\b987ed2106872f4561d7d2edb2eb5876_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\b987ed2106872f4561d7d2edb2eb5876_JaffaCakes118.exe"
      2⤵
      • Drops file in Drivers directory
      • Server Software Component: Terminal Services DLL
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:756
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
    1⤵
    • Drops file in Drivers directory
    • Deletes itself
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:1680
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3808,i,4174666705242427184,7333705955694532165,262144 --variations-seed-version --mojo-platform-channel-handle=4224 /prefetch:8
    1⤵
      PID:2104

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\dll.tmp
      Filesize

      95KB

      MD5

      bb854876df80558aa96f3e9130f2b4c2

      SHA1

      eabc26498e33e5d16cfbdf3c84b4587f41697cc6

      SHA256

      594a815e23deb18b7e3955c818598c3a00f2499faf22f3f1b443d78be8202c4b

      SHA512

      124e9e29095b719f6dd6b3016e4b32b229359f288b370d99f2e97e424911b9f66e7002ab4a39dbc5ef05a60f16d8cc723037f925244b67bff96a7689d035979b

      Download Submit

    • C:\Windows\SysWOW64\install.tmp
      Filesize

      84B

      MD5

      b590f5980e75f9b48c29dc37ae319a72

      SHA1

      9588b6a4f2186c9bcb778e475792ee61a06a5266

      SHA256

      c2031ff63d6b8e6372c944fabe0150b80a764a4a95e900a001be83e7600e5aa1

      SHA512

      599ed02fe17f902295b5d467a3bd54ad8c2689db5f0936e6d6a47a101284e99443cbb777e099edcbf0191e369e6f7d2e282f2f9aeafedd22679954629866403e

      Download Submit

    • memory/756-1-0x0000000000400000-0x000000000041C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/756-4-0x0000000000400000-0x000000000041C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/756-7-0x0000000000400000-0x000000000041C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/756-8-0x0000000000400000-0x000000000041C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/2852-0-0x0000000000400000-0x000000000040F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/2852-5-0x0000000000400000-0x000000000040F000-memory.dmp

      Filesize

      60KB

      Download