Overview

overview

10

Static

static

3

10121be5c5...18.exe

windows7-x64

10

10121be5c5...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/10/2024, 18:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    10121be5c5d39c501133b556ec1a3430_JaffaCakes118.exe

  • Size

    91KB

  • MD5

    10121be5c5d39c501133b556ec1a3430

  • SHA1

    47aacb5af5c6b5f02c7149abaf475b0042b5fa6d

  • SHA256

    42eb14ce7b526d9b721db986c5455fe383e83db488698a22d451c8a6fde45db0

  • SHA512

    9a871936b75dc77fcde3e0098ffe2af324bc9cc273b45d1199ed2c0b3e92476043e521379cea50fd5425c4ca6eaf97364b78b51f2b322eb4c5b7e44b088dd4a8

  • SSDEEP

    1536:F60hzjzldHhKgWuYQdFYXtL6af4wGTMLRQ+jmVZvuLJM85YjNd3daTF62xqE42Na:F605zVKCiXoaf4wfy+QxuNM85mdG62x4

Score
10/10
gh0stratdiscoveryrat

Malware Config

Signatures

  • Gh0st RAT payload 4 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Service Discovery 1 TTPs 2 IoCs

    Adversaries may try to gather information about registered local system services.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\10121be5c5d39c501133b556ec1a3430_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\10121be5c5d39c501133b556ec1a3430_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2896
    • C:\Windows\SysWOW64\net.exe
      net start "Task Scheduler"
      2⤵
      • System Location Discovery: System Language Discovery
      • System Service Discovery
      • Suspicious use of WriteProcessMemory
      PID:1836
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 start "Task Scheduler"
        3⤵
        • System Location Discovery: System Language Discovery
        • System Service Discovery
        PID:5064

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2896-1-0x0000000000620000-0x000000000066C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2896-5-0x0000000000750000-0x0000000000751000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2896-4-0x0000000000620000-0x000000000066C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2896-3-0x0000000000620000-0x000000000066C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2896-6-0x0000000000620000-0x000000000066C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2896-2-0x0000000000620000-0x000000000066C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2896-10-0x0000000000750000-0x0000000000751000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2896-11-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download