Overview

overview

10

Static

static

3

cf1b9798a3...18.exe

windows7-x64

10

cf1b9798a3...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    100s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/09/2024, 08:26

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    cf1b9798a3d1b6925d354247a27ab0cc_JaffaCakes118.exe

  • Size

    96KB

  • MD5

    cf1b9798a3d1b6925d354247a27ab0cc

  • SHA1

    a8e2cc17f6ca26664612109dfef9fb6b2d2bb170

  • SHA256

    b2a8985ba1dfeda1d470a3170bd0823c436db7bb7825b84ce9e05150ceb5d8a1

  • SHA512

    c829b950a9d057bc55afb99eeb8978c8aea8bde06b4c12d934bfc74678133e63fa5eb049ee1997aff1f076a4131d567208d6ae8cbd5056266ec0d08efb496d44

  • SSDEEP

    1536:o0FusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prK++VM4LxIf:oGS4jHS8q/3nTzePCwNUh4E9KnxIf

Score
10/10
gh0stratdiscoveryrat

Malware Config

Signatures

  • Gh0st RAT payload 5 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops file in System32 directory 6 IoCs
  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cf1b9798a3d1b6925d354247a27ab0cc_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\cf1b9798a3d1b6925d354247a27ab0cc_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1808
    • \??\c:\users\admin\appdata\local\fybvhgrdpl
      "C:\Users\Admin\AppData\Local\Temp\cf1b9798a3d1b6925d354247a27ab0cc_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\cf1b9798a3d1b6925d354247a27ab0cc_jaffacakes118.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3908
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:3136
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 784
      2⤵
      • Program crash
      PID:4980
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3136 -ip 3136
    1⤵
      PID:4896
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
      1⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:3176
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 748
        2⤵
        • Program crash
        PID:652
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3176 -ip 3176
      1⤵
        PID:1604
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
        1⤵
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1256
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 928
          2⤵
          • Program crash
          PID:4436
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1256 -ip 1256
        1⤵
          PID:4640

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\fybvhgrdpl
                Filesize

                21.4MB

                MD5

                29b8bd9efd07561f123c05fc640408c5

                SHA1

                65b96f1b1beb50c9f1a431e9e1faece3be9a159b

                SHA256

                70276bb2b1c63373d69948a7d3a39f975d37b4cd6557868f5adb00ce6f1f3a85

                SHA512

                90bab4121db1e9873a83637aeeb0a48299eb6e2b5f370bf54942a3070fcef3e3a0896ada8c79a7a91ee333ed70252d5b26054dbcd530d13949a315d9de5504cc

                Download Submit

              • C:\Windows\SysWOW64\svchost.exe.txt
                Filesize

                200B

                MD5

                1d215215559b42988dd5424637d025b6

                SHA1

                cdae50f00f18e4f15033fcb9b1827645e8d1e634

                SHA256

                39b16145103c15694ef2a4d066fef979915e1ab27094fb49ff210e3d71f70d2f

                SHA512

                e867080672c1d20ea017f1bcd2dc7d84143aa3a07f675203cc48a81b3e2398538108d67cf54ed8aa70eb791d20ee4d1ed8ecbe679289428b1786fcaa5f213b3f

                Download Submit

              • C:\Windows\SysWOW64\svchost.exe.txt
                Filesize

                300B

                MD5

                637a0431b14a9de5bf2faff3d8cc0ab4

                SHA1

                a4f013dfcfb5948e694241a399772a67102c5ee1

                SHA256

                32000be9cc579f034cda7b88d96e3097ae1d9e4003532d24ef9bc00daa1dc43b

                SHA512

                9a64f62d23053c05346210923adf821244759b3dabae4dbfc2db01708ce0a3b4a952e29a2eb482e9aa7db2963d94c97cde3d97a17d970123d75926555ab614cb

                Download Submit

              • \??\c:\programdata\application data\storm\update\%sessionname%\robwi.cc3
                Filesize

                23.1MB

                MD5

                e79103601734866b0c0ce0a8bbd5b951

                SHA1

                1527d0af50e79a870af25758a60e29518c5f904d

                SHA256

                453c2bb8d1ce4e0c95597cd81543c324f833a0cc10842a0bf33d12ac3294daf5

                SHA512

                dc229a371de5eea69fd95d265da6cd42923d67f7aad511499a9d7747f4ff6db6fc8a871fc3e5ec11aac7c061b2aea509c5dadfaeefb16fc6fafebf19377d1af4

                Download Submit

              • memory/1256-30-0x0000000020000000-0x0000000020027000-memory.dmp

                Filesize

                156KB

                Download

              • memory/1256-27-0x00000000013F0000-0x00000000013F1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1808-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1808-11-0x0000000000400000-0x000000000044E2D4-memory.dmp

                Filesize

                312KB

                Download

              • memory/1808-0-0x0000000000400000-0x000000000044E2D4-memory.dmp

                Filesize

                312KB

                Download

              • memory/3136-18-0x0000000001BF0000-0x0000000001BF1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/3136-20-0x0000000020000000-0x0000000020027000-memory.dmp

                Filesize

                156KB

                Download

              • memory/3176-25-0x0000000020000000-0x0000000020027000-memory.dmp

                Filesize

                156KB

                Download

              • memory/3176-22-0x0000000001D90000-0x0000000001D91000-memory.dmp

                Filesize

                4KB

                Download

              • memory/3908-17-0x0000000000400000-0x000000000044E2D4-memory.dmp

                Filesize

                312KB

                Download

              • memory/3908-7-0x0000000000400000-0x000000000044E2D4-memory.dmp

                Filesize

                312KB

                Download

              • memory/3908-12-0x00000000001D0000-0x00000000001D1000-memory.dmp

                Filesize

                4KB

                Download