Analysis

  • max time kernel
    150s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240910-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240910-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15-09-2024 11:02

General

  • Target

    e2550344fd15408fb2d43a230f4c1ff7_JaffaCakes118.exe

  • Size

    113KB

  • MD5

    e2550344fd15408fb2d43a230f4c1ff7

  • SHA1

    bb8216ace49da4158166c8fe9e46be797f1bc609

  • SHA256

    dfc7d3a9a884304c3adca7d6118d08988319bb86289cbda42750485df97020e6

  • SHA512

    354b63d4c805e7fab427c9f06f22f0b5ec103a354b7738922e53c47fae2d8c121c686a0170a2e59d47888c2b4c6da7a4fbfba729246f8ae86c6eea0c68312456

  • SSDEEP

    1536:T/JHe0U26jOEg+yuq9ceVrfsGS50vCx3bodc6kEJCizUAJ:TxzKOEVfq9pV7sGSw/vkEJCEJ

Malware Config

Signatures

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese threat groups.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e2550344fd15408fb2d43a230f4c1ff7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e2550344fd15408fb2d43a230f4c1ff7_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:4320
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im Ksafetray.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3320
    • C:\Windows\svchost.exe
      C:\Windows\svchost.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2164
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im Ksafetray.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2880
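
The process tree above shows the three behaviours worth alerting on: a binary named svchost.exe executing from C:\Windows rather than C:\Windows\System32 (or SysWOW64) and spawned by a user-land process instead of services.exe, and both the dropper and the dropped copy running taskkill /f /im Ksafetray.exe. The following detection logic is an added example, not part of the report: it runs over a constructed list of process-creation events modelled on the tree (paths, PIDs and command lines copied from the report; the event field layout is an assumption loosely based on Sysmon Event ID 1, not real sensor output). Treating Ksafetray.exe as a security-product process is also an assumption; the report only shows that the sample kills it.

```python
import re

# Constructed sample events modelled on the process tree in the report above.
# Field layout is an assumption (loosely Sysmon Event ID 1); the last entry is a
# constructed benign control, not something the report shows.
SAMPLE_EVENTS = [
    {"pid": 4320, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\e2550344fd15408fb2d43a230f4c1ff7_JaffaCakes118.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\e2550344fd15408fb2d43a230f4c1ff7_JaffaCakes118.exe"'},
    {"pid": 3320, "ppid": 4320,
     "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "cmdline": "taskkill /f /im Ksafetray.exe"},
    {"pid": 2164, "ppid": 4320,
     "image": r"C:\Windows\svchost.exe",
     "cmdline": r"C:\Windows\svchost.exe"},
    {"pid": 2880, "ppid": 2164,
     "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "cmdline": "taskkill /f /im Ksafetray.exe"},
    # Benign control: the genuine service host, launched by services.exe (constructed).
    {"pid": 900, "ppid": 700,
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

# Directories from which a real svchost.exe may legitimately run.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Processes whose forced termination we treat as defence evasion.
# Ksafetray.exe is the process this sample kills; classifying it as a
# security-product tray process is an assumption, not stated in the report.
SECURITY_PROCESSES = {"ksafetray.exe"}


def split_image(image):
    """Return (lower-cased directory, lower-cased file name) of an image path."""
    lowered = image.lower()
    directory, _, name = lowered.rpartition("\\")
    return directory, name


def detect(events):
    """Return a list of (pid, reason) findings for the behaviours seen in the report."""
    findings = []
    by_pid = {e["pid"]: e for e in events}
    for e in events:
        directory, name = split_image(e["image"])
        parent = by_pid.get(e["ppid"])

        # 1. svchost.exe masquerade: wrong directory and/or wrong parent.
        if name == "svchost.exe":
            if directory not in LEGIT_SVCHOST_DIRS:
                findings.append((e["pid"], "svchost.exe running outside System32/SysWOW64"))
            if parent is not None and split_image(parent["image"])[1] != "services.exe":
                findings.append((e["pid"], "svchost.exe not spawned by services.exe"))

        # 2. taskkill aimed at a security process (matches the /im argument).
        if name == "taskkill.exe":
            m = re.search(r"/im\s+(\S+)", e["cmdline"], re.IGNORECASE)
            if m and m.group(1).lower() in SECURITY_PROCESSES:
                findings.append((e["pid"], f"taskkill /f targets security process {m.group(1)}"))
    return findings


if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(f"PID {pid}: {reason}")
```

Both taskkill invocations (PIDs 3320 and 2880) and the dropped C:\Windows\svchost.exe (PID 2164, flagged twice: wrong directory and wrong parent) are reported; the constructed System32 control is not. The parent check deliberately stays silent when the parent is unknown rather than guessing, so a partial event feed does not produce false positives on its own.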

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\svchest.ini

    Filesize

    97B

    MD5

    5a7d6cf04073e01489fb3adec3a77b3c

    SHA1

    791b5c0d375286677cf57a6ee2d9bda9c214df62

    SHA256

    d8dc40b969bec9cf1498bff75da01c2f4d563fd5c0de7ce0d6f6f7a566cf551e

    SHA512

    7b4e92e8232a87fcc6c5f8ebc191d53bd99fc9d023b145d5c4c38b96c00c5f4cfad724c36a5402474f8d50490da87acb893bdd2363fa5cc045686cb4ff28b97b

  • memory/4320-12-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB