Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    06-09-2024 09:26

General

  • Target

    cf37ffab44706b9867d07b657baac8c3_JaffaCakes118.exe

  • Size

    126KB

  • MD5

    cf37ffab44706b9867d07b657baac8c3

  • SHA1

    955b23f6a118af6e626bf513aee81075f74ce670

  • SHA256

    b27542815fbe35182e1673815da440653541b7ec2f5b4aa88978c6cba50533ef

  • SHA512

    c86e04148ca8537472e2552b77aa6c93ee9a9b4c40b4611c0384f784c23f4768af860411c82deb250722dce32977ae1c0fcf53c46afa592a921831d7dab1a84a

  • SSDEEP

    3072:V1gTGB+Iry8uIqnYCGlrKttHkoIIuZkfibqCHg:V1gapW8HqElwKodkkqbL

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cf37ffab44706b9867d07b657baac8c3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\cf37ffab44706b9867d07b657baac8c3_JaffaCakes118.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:2604
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    1⤵
    • Deletes itself
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:2620

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\1297100.dll

    Filesize

    112KB

    MD5

    b4e290933262298d4c937875ac25e0ee

    SHA1

    1aa709eb23d7da521651b44e76f40a744df8eac0

    SHA256

    3492cb869f3a5a0275e117e707ed0389be2bb7a4ee655343faa7d5ce0922ffe9

    SHA512

    8d649a038df6db0663444c8831c5913316eae501cd6b693bc408556fc10253c3c309755013a527b42ab4a0b22bfdf6587d317e78f747a272ea1bc2fd1165059d

  • C:\Program Files (x86)\Oklm\Tklmnopqr.jpg

    Filesize

    8.2MB

    MD5

    6f5f47e1b6de041074d608bc867736aa

    SHA1

    dc735042b0b138dd4a943fb3db8c42f70aa058ce

    SHA256

    f61034fea7806a680a6d8688a5cb8d98a21209181b4f9e9e0b52eee38c1e20b7

    SHA512

    411a5d04118208737be8c4b8a533ce0e0a34438379687c462e7a1c9f49e808a9053c74d80cead15c0fcd2e752ab0a070153a592d793592d8f032da1a5738eba5

  • C:\WinWall32.gif

    Filesize

    99B

    MD5

    ea82e9381bfea7f4d50c7b729ff243a3

    SHA1

    5034a753be86f4ededf7879be9b5a31dc3ddb1f2

    SHA256

    383b93758240a09cddfaf015cd461485c64ceeda0ede9cfe27b5862e2f3b5656

    SHA512

    b189f56d84925f7ab1d9df6378f699dc1bab7be1f33ffdfc7f35e49d2059ec62496b1cff0a27ec5007fc3bae84b8fd75f02a681bee95d9d0837d333791adfb6c

  • memory/2604-9-0x0000000010000000-0x0000000010028000-memory.dmp

    Filesize

    160KB
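The file hashes and drop paths listed under Downloads are the most directly reusable part of this report. The script below is an added example, not part of the sandbox report or of any tool it uses: it walks a directory tree, hashes every file with SHA-256, and flags files whose digest matches one of the report's hashes or that sit at one of the report's drop locations (relative to the drive root). A path-only match is deliberately labelled as weak, since the file names are arbitrary and a benign file could reuse them. The sample tree it builds for the demo is constructed placeholder data, and the extra hash it adds in `demo()` is likewise constructed so the hash branch can be exercised offline; only the genuine dropped files would match the report's real hashes.

```python
"""IoC sweep against the artifacts listed in this sandbox report (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 values copied from the General and Downloads sections of the report.
IOC_HASHES = {
    "b27542815fbe35182e1673815da440653541b7ec2f5b4aa88978c6cba50533ef":
        "cf37ffab44706b9867d07b657baac8c3_JaffaCakes118.exe (submitted sample, 126KB)",
    "3492cb869f3a5a0275e117e707ed0389be2bb7a4ee655343faa7d5ce0922ffe9":
        "C:\\1297100.dll (dropped DLL, 112KB)",
    "f61034fea7806a680a6d8688a5cb8d98a21209181b4f9e9e0b52eee38c1e20b7":
        "C:\\Program Files (x86)\\Oklm\\Tklmnopqr.jpg (8.2MB)",
    "383b93758240a09cddfaf015cd461485c64ceeda0ede9cfe27b5862e2f3b5656":
        "C:\\WinWall32.gif (99B)",
}

# Drop locations from the report, as paths relative to the drive root.
IOC_PATHS = (
    Path("1297100.dll"),
    Path("Program Files (x86)/Oklm/Tklmnopqr.jpg"),
    Path("WinWall32.gif"),
)


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large drops (8.2MB here) do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, hashes=IOC_HASHES, paths=IOC_PATHS):
    """Return a sorted list of (relative_posix_path, reason) hits under root.

    A hash match is strong evidence; a path-only match is flagged as weak because
    the file names are arbitrary strings that benign software could also use.
    """
    root = Path(root)
    wanted_paths = {p.as_posix().lower() for p in paths}
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            digest = sha256_of(p)
            if digest in hashes:
                hits.append((rel, "sha256 match: " + hashes[digest]))
            elif rel.lower() in wanted_paths:
                hits.append((rel, "path match (weak): " + rel))
    return sorted(hits)


def build_sample_tree():
    """Create a constructed directory tree (placeholder bytes, not real malware) for the demo."""
    root = Path(tempfile.mkdtemp(prefix="ioc_sweep_"))
    (root / "WinWall32.gif").write_bytes(b"GIF89a constructed placeholder")       # path hit only
    (root / "Program Files (x86)" / "Oklm").mkdir(parents=True)
    (root / "Program Files (x86)" / "Oklm" / "Tklmnopqr.jpg").write_bytes(
        b"\xff\xd8 constructed placeholder")                                      # path hit only
    (root / "staged.bin").write_bytes(b"constructed bytes standing in for a known-bad file")
    (root / "benign.txt").write_bytes(b"nothing to see here")                      # no hit
    return root


def demo():
    """Run the sweep over the constructed tree, adding one constructed hash so the
    hash branch fires offline (the report's own hashes only match the real drops)."""
    root = build_sample_tree()
    extra = {sha256_of(root / "staged.bin"): "constructed demo hash (staged.bin)"}
    return sweep(root, hashes={**IOC_HASHES, **extra})


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Point `sweep()` at a mounted disk image or a forensic export of a Windows volume to get the same relative paths the report shows; on a live host, run it against the drive root. Because `sweep()` takes the hash table as a parameter, the same code works for any later report by swapping in that report's Downloads hashes.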