Overview

overview

10

Static

static

3

0853b4a9d1...18.exe

windows7-x64

10

0853b4a9d1...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/10/2024, 01:50

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    0853b4a9d1ce4b4be8931166cea7d19a_JaffaCakes118.exe

  • Size

    96KB

  • MD5

    0853b4a9d1ce4b4be8931166cea7d19a

  • SHA1

    6e6795e4b02a05987f7140f73936527187296b8b

  • SHA256

    83890092d10bf068a0b7b0e947b15622c71f427e49f2ee1753085f830a28f14a

  • SHA512

    8b49595ebdce462b079a64de0622723060c233fe2f337af91a01d8b8c1443eb22fcc5bf027bdaaa4c5d46eba2d0ce0fec46604be9c319455adc79933e11409fe

  • SSDEEP

    1536:jNFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prRopHud:jzS4jHS8q/3nTzePCwNUh4E9qOd

Score
10/10
gh0stratdiscoveryrat

Malware Config

Signatures

  • Gh0st RAT payload 5 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops file in System32 directory 6 IoCs
  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0853b4a9d1ce4b4be8931166cea7d19a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0853b4a9d1ce4b4be8931166cea7d19a_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4092
    • \??\c:\users\admin\appdata\local\loyljnyreq
      "C:\Users\Admin\AppData\Local\Temp\0853b4a9d1ce4b4be8931166cea7d19a_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\0853b4a9d1ce4b4be8931166cea7d19a_jaffacakes118.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2016
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:4920
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 820
      2⤵
      • Program crash
      PID:2744
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4920 -ip 4920
    1⤵
      PID:3528
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
      1⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:4264
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1104
        2⤵
        • Program crash
        PID:4664
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4264 -ip 4264
      1⤵
        PID:3212
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
        1⤵
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2688
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 1100
          2⤵
          • Program crash
          PID:2168
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2688 -ip 2688
        1⤵
          PID:4924

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\loyljnyreq
                Filesize

                19.0MB

                MD5

                6cf0f15997ef47e63c3c99d7591fae88

                SHA1

                d5e7fdc577e43502ed4900d2bd791c03cc8e53c3

                SHA256

                1b4e0733d3203fd83222b0a589d446dbf4975a8c0f7531a276144eca488632d9

                SHA512

                86ce9af392f38846fd668d0ee55fbf40542cef3a8910cc03a725d8bb8b6ca82ddce7717f87217c65b87a416ed941a9129ddd5680adba02fb4f3ed391c923fd52

                Download Submit

              • C:\Windows\SysWOW64\svchost.exe.txt
                Filesize

                202B

                MD5

                4c509404286dca114d1f7e56a380326d

                SHA1

                7982ab26d960da0c3b8f1c7cbdc481adee390e8f

                SHA256

                847e299837ee2d6d374d927b47ee843050142f5693e7f332f0cf3a62d07a22e3

                SHA512

                051109b3a3ff762807195b4607a3dd3d1d39d39df354b7261706b32466bc278b28521fa8d328409982d85e58aaba4a8bb3ccdc7050f74f7b66863ed3fe7165d4

                Download Submit

              • C:\Windows\SysWOW64\svchost.exe.txt
                Filesize

                303B

                MD5

                50fb4aa01fdf29e155530ca941d91525

                SHA1

                02759c7816e1c3fd082d24c47d66cf7b9c0b98af

                SHA256

                03423eaf695d3c08b9f82f5dda4648fa94f1d502723e67cf79e064c96a947b83

                SHA512

                e21dcc3c6a5ffd84f09e5937ba43e9e6e6b1f761c76b1c5b0034ea1c07f51bc742aa5e664011be6065dc5e74495bfc5b8d2a4ddeba7147766dfc81cf189f31ed

                Download Submit

              • \??\c:\programdata\application data\storm\update\%sessionname%\ndyxn.cc3
                Filesize

                21.1MB

                MD5

                0a614c4a301c66303fb0975c0b68bdff

                SHA1

                b9444b5d7de3ed5aeee3c422c3ffcf7257076465

                SHA256

                2ee8b7529bb2a79f323abeaaf7dfb35528f2eaaa87e357f80c112e7380ff8466

                SHA512

                0227e08c1a1bfb4c2bbf4866fcf884e92a44a12ba842f6ec176e0191a483b82f578e79ecb1ba01bf183a7f89e5378866733a6ab6768bbb0ab8e8297aeee33b20

                Download Submit

              • memory/2016-12-0x00000000001D0000-0x00000000001D1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2016-7-0x0000000000400000-0x000000000044E4A4-memory.dmp

                Filesize

                313KB

                Download

              • memory/2016-17-0x0000000000400000-0x000000000044E4A4-memory.dmp

                Filesize

                313KB

                Download

              • memory/2688-30-0x0000000020000000-0x0000000020027000-memory.dmp

                Filesize

                156KB

                Download

              • memory/2688-27-0x0000000001900000-0x0000000001901000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4092-11-0x0000000000400000-0x000000000044E4A4-memory.dmp

                Filesize

                313KB

                Download

              • memory/4092-0-0x0000000000400000-0x000000000044E4A4-memory.dmp

                Filesize

                313KB

                Download

              • memory/4092-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4264-25-0x0000000020000000-0x0000000020027000-memory.dmp

                Filesize

                156KB

                Download

              • memory/4920-20-0x0000000020000000-0x0000000020027000-memory.dmp

                Filesize

                156KB

                Download

              • memory/4920-18-0x00000000019F0000-0x00000000019F1000-memory.dmp

                Filesize

                4KB

                Download