Overview

overview

10

Static

static

3

be6422ed2b...18.exe

windows7-x64

10

be6422ed2b...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    24/08/2024, 10:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    be6422ed2b47bc6e81d6146f0d977ba6_JaffaCakes118.exe

  • Size

    235KB

  • MD5

    be6422ed2b47bc6e81d6146f0d977ba6

  • SHA1

    edbcb29d34cad42bb0e255ab7e753ad33a46b694

  • SHA256

    1033ddb3daf9b0de8d844d8fd9909142156100cecf8ead6d26a19d49e3c48823

  • SHA512

    9cd0e1062ef876d45cf1a5f97973e11d8b8a14122e49e288983e604f00606b59a6823d242a7e19e61a43b8557331fdbc489983c38b7ed2025d58024ed5c53716

  • SSDEEP

    6144:LiOdmVPmM46lcDoFlAUVtiawv/iQAQaytn86ZkRBowjXDK/:LiOd4cDoFltVfw3iRUrknowjTM

Score
10/10
gh0stratbootkitdefense_evasiondiscoverypersistencerat

Malware Config

Signatures

  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 7 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\be6422ed2b47bc6e81d6146f0d977ba6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\be6422ed2b47bc6e81d6146f0d977ba6_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2596
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\run_kl_file.bat" "
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2796
      • C:\Users\Admin\AppData\Local\Temp\ki182E6.tmp
        C:\Users\Admin\AppData\Local\Temp\ki182E6.tmp
        3⤵
        • Server Software Component: Terminal Services DLL
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2924
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ins8834.tmp.msi" /quiet
      2⤵
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2884
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2100
      • C:\Users\Admin\AppData\Local\Temp\inl8B22.tmp
        C:\Users\Admin\AppData\Local\Temp\inl8B22.tmp cdf1912.tmp
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:544
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inl8B22.tmp > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2076
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:576
      • C:\Windows\SysWOW64\expand.exe
        expand.exe "C:\Users\Admin\AppData\Local\Temp\favorites_url.cab" -F:*.* "C:\Users\Admin\Favorites"
        3⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:2152
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\BE6422~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:572
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2852
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2616
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 89A84686F1C147C0C7527DD0B2E94356
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1528

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp
    Filesize

    766B

    MD5

    b69d002455f1a5a100e717a6a84ff991

    SHA1

    3a99b22845afb2132300095d84534e65823e678d

    SHA256

    c05465e73465c2d6addc7514ad50b517675ce26bfb1a4cad3d3b64b617940934

    SHA512

    1f2e36f1e8c6f66ba746a3450a9f5c07f300bff4682e32344541596b0bdae7e3f443f3e25deaa7936195c48642f9268e3a626a4018772417ce48d26e4f9d1505

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat
    Filesize

    57B

    MD5

    f30e74732a169c1ae0e2d857c887fe42

    SHA1

    62ce0e7f4d66cec97134b1fd467e0c0877821b28

    SHA256

    7b4adab718d8d160b024ed0836c2f4f6568787212760e165e6ed61b6dc88c5de

    SHA512

    3937958f23b9063b1a74970929c15a312312c13e0842968f88d5b95952e679bafda6a70baeae7017d847922e14ba24260dfe5fd85f09221b09ff0cde3f68f096

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\run_kl_file.bat
    Filesize

    45B

    MD5

    7f36c1f0e3aaf2144e83bb22a9d3ac76

    SHA1

    3a4cdfbe8d62798715e15b1c3351685368d800d2

    SHA256

    c7191eec3fcf3f160e1cb4477c1cd31bc89b86ec6142aa782bf41d80790dd9b5

    SHA512

    092c2856da1b3b9903b565adde9ffa227ab3a05a7e53b5a2cbe5f5c078b360acc1031c8530b3783368f23e41923c7d1deb269968c8f6e0263f17cd3791526a66

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat
    Filesize

    98B

    MD5

    8663de6fce9208b795dc913d1a6a3f5b

    SHA1

    882193f208cf012eaf22eeaa4fef3b67e7c67c15

    SHA256

    2909ea8555f2fc19097c1070a1da8fcfd6dc6886aa1d99d7e0c05e53feeb5b61

    SHA512

    9381063e0f85e874be54ae22675393b82c6ab54b223090148e4acbeff6f22393c96c90b83d6538461b695528af01d1f1231cf5dc719f07d6168386974b490688

    Download Submit

  • C:\Windows\Installer\MSI9119.tmp
    Filesize

    48KB

    MD5

    9067aad412defc0d2888479609041392

    SHA1

    36cfffc3bafeb24f88ad5886ca5787ca008b6ba9

    SHA256

    99f4e00b6908057a2fe5067ff6c8b6e32b5c07558ab79139dc4b998f1da4b517

    SHA512

    e69f259d78b02e6c1a5d9c45898b59372329a5288fff655dd741353f112b2b8eed18b01caa2bf312a91f5e314e1c0b036321b37c8efbebdcf3650ba6b12dee6a

    Download Submit

  • \??\c:\users\admin\appdata\local\temp\favorites_url.cab
    Filesize

    425B

    MD5

    da68bc3b7c3525670a04366bc55629f5

    SHA1

    15fda47ecfead7db8f7aee6ca7570138ba7f1b71

    SHA256

    73f3605192b676c92649034768378909a19d13883a7ea6f8ba1b096c78ffadb5

    SHA512

    6fee416affcb6a74621479697bca6f14f5429b00de3aa595abe3c60c6b2e094877b59f8783bbe7bdd567fa565d0630bb02def5603f8f0ea92fe8f2c3ac5383c0

    Download Submit

  • \??\c:\windows\SysWOW64\6ovudn.dll
    Filesize

    48.1MB

    MD5

    a109796ac48112567f566202309d4a1c

    SHA1

    6ebad2d126fe18940de6a95cd5d6097ec8a90d33

    SHA256

    edad427c1de64ddbc73767de42311948de7e5472cbfaba1f8d68a5f169bf62d7

    SHA512

    89902bdc4d1d479e61076f9b56176407af508a79ce9ace3aa18da2ca8476dd254ebc8dbd683f4a680a37848a44c26ba808fcbae38b052e6981a8d5952cbca42f

    Download Submit

  • memory/544-93-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2596-0-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2596-7-0x00000000039B0000-0x00000000039C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2596-1-0x0000000000020000-0x0000000000023000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2596-53-0x0000000000020000-0x0000000000023000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2596-52-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2796-17-0x0000000023560000-0x0000000023596000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2796-20-0x0000000023560000-0x0000000023596000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2852-58-0x0000000020000000-0x0000000020027000-memory.dmp

    Filesize

    156KB

    Download

  • memory/2852-92-0x00000000001C0000-0x00000000001C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2852-99-0x0000000020000000-0x0000000020027000-memory.dmp

    Filesize

    156KB

    Download

  • memory/2924-54-0x0000000023560000-0x0000000023595BE0-memory.dmp

    Filesize

    214KB

    Download

  • memory/2924-21-0x0000000023560000-0x0000000023595BE0-memory.dmp

    Filesize

    214KB

    Download