Overview

overview

10

Static

static

3

deaae6b8a7...18.exe

windows7-x64

10

deaae6b8a7...18.exe

windows10-2004-x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    deaae6b8a7776b5da6631babf51d1bc3_JaffaCakes118

  • Size

    95KB

  • Sample

    240913-w7ef6a1gpr

  • MD5

    deaae6b8a7776b5da6631babf51d1bc3

  • SHA1

    cf3e5cfbb7168c5143df9d210f4349666921d41b

  • SHA256

    84c4908a5e682556827c762d4deba3fa0e29633963f451d212664b6b862aea80

  • SHA512

    2271b60dd3a9c94aa0ab263d5dc439b05151f1e4e5e161cf1eab0e5bc82ed1f4e72e9f022564bd724606c3db2b24cbc5986c8b96f3755007b9945575ca279f05

  • SSDEEP

    1536:RdFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prVC9j2tBERycS:RjS4jHS8q/3nTzePCwNUh4E949S7IPS

Score
10/10
gh0stratbootkitdiscoverypersistencerat

Malware Config

Targets

    • Target

      deaae6b8a7776b5da6631babf51d1bc3_JaffaCakes118

    • Size

      95KB

    • MD5

      deaae6b8a7776b5da6631babf51d1bc3

    • SHA1

      cf3e5cfbb7168c5143df9d210f4349666921d41b

    • SHA256

      84c4908a5e682556827c762d4deba3fa0e29633963f451d212664b6b862aea80

    • SHA512

      2271b60dd3a9c94aa0ab263d5dc439b05151f1e4e5e161cf1eab0e5bc82ed1f4e72e9f022564bd724606c3db2b24cbc5986c8b96f3755007b9945575ca279f05

    • SSDEEP

      1536:RdFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prVC9j2tBERycS:RjS4jHS8q/3nTzePCwNUh4E949S7IPS

    Score
    10/10
    gh0stratbootkitdiscoverypersistencerat

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

      ratgh0strat

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks