General

  • Target

    06098ef227c8c5bdfa3912c9975833e7_JaffaCakes118

  • Size

    95KB

  • Sample

    241001-qyywjswejb

  • MD5

    06098ef227c8c5bdfa3912c9975833e7

  • SHA1

    b33296a148dc5edc660d6a58f96dd7563c68fac9

  • SHA256

    93af4209dfcb207fb1fbda79d2c6eeb6cea51ef181011113e5df3d480d52d57c

  • SHA512

    d8c8bef3eb933bf38ab858e8a29f74ae5889eed0fa06bfd0b8c326978aae9482495f0e3004772fc17a5a31ca1f0b71a6d0ca098f380071591c40ceced9ca34ee

  • SSDEEP

    1536:JYFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prV9yEFSMXY:JKS4jHS8q/3nTzePCwNUh4E9LFSMXY

Malware Config

Targets

    • Target

      06098ef227c8c5bdfa3912c9975833e7_JaffaCakes118

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks