Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-10-2024 04:29

General

  • Target

    2ad6d37a4fe8e0c7943e821a4b622c77_JaffaCakes118.exe

  • Size

    118KB

  • MD5

    2ad6d37a4fe8e0c7943e821a4b622c77

  • SHA1

    1f17cbc8ce848c2538bbe274458e90b960d1932b

  • SHA256

    796ff78e28891298914f6f3cf382d99cf7f54056b5c652d432b16db8a404fd3e

  • SHA512

    86ca85c2f87ca6837cd51689eb1157ca5ece3e8f2440a3d18a3e7a97a3754176e1dff4ff8f0853a70536815beb6d1c24ce32b54c929fb6885319f23c8211dc90

  • SSDEEP

    3072:QLRHGaTZglHt/jaCagLN5PcC6QKHzc1AWUtWqLLf9m:uRHGatg5t7uwKT1tZffo

Malware Config

Signatures

  • Gh0st RAT payload 5 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 49 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2ad6d37a4fe8e0c7943e821a4b622c77_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2ad6d37a4fe8e0c7943e821a4b622c77_JaffaCakes118.exe"
    1⤵
    • Server Software Component: Terminal Services DLL
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1744
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /t /im ZhuDongFangYu.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1624
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Deletes itself
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:3028
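The process tree above records three behaviours worth turning into detection logic: taskkill run with /im against a security product process (ZhuDongFangYu.exe, the "Active Defense" component of the 360 security suite), a file written directly into C:\Windows by a process running from a user temp directory, and svchost.exe -k netsvcs loading a DLL from outside the system directories (the dropped \ProgramFiles\nod32.dll). The script below is an added example, not part of the sandbox report: it evaluates those three rules over constructed Sysmon-style events modelled on the tree. The event field names (Sysmon EventID 1, 7 and 11 conventions), the drive letter on the nod32.dll path and the extra process names in SECURITY_PROCESSES are assumptions; none of the events are captured telemetry.

```python
"""Detection rules derived from the sandbox process tree (added example)."""
import ntpath
import shlex
from typing import Dict, List

# Endpoint-protection processes an attacker may try to terminate.
# ZhuDongFangYu.exe is the one targeted in the report (360 Safeguard's
# active defense); the remaining names are assumed additions for illustration.
SECURITY_PROCESSES = {
    "zhudongfangyu.exe", "360tray.exe", "msmpeng.exe", "avp.exe",
}

# DLLs loaded by svchost from anywhere else are suspicious.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed events mirroring the process tree above (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 1624, "ParentProcessId": 1744,
     "Image": r"C:\Windows\SysWOW64\taskkill.exe",
     "CommandLine": "taskkill /f /t /im ZhuDongFangYu.exe"},
    {"EventID": 11, "ProcessId": 1744,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\2ad6d37a4fe8e0c7943e821a4b622c77_JaffaCakes118.exe",
     "TargetFilename": r"C:\Windows\MyInformations.ini"},
    {"EventID": 7, "ProcessId": 3028,
     "Image": r"C:\Windows\SysWOW64\svchost.exe",
     "CommandLine": r"C:\Windows\SysWOW64\svchost.exe -k netsvcs",
     # Drive letter assumed; the report lists the path as \ProgramFiles\nod32.dll.
     "ImageLoaded": r"C:\ProgramFiles\nod32.dll"},
    # Benign control: a netsvcs host loading a DLL from System32 must not alert.
    {"EventID": 7, "ProcessId": 3029,
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs",
     "ImageLoaded": r"C:\Windows\System32\wkssvc.dll"},
]


def taskkill_targets(cmdline: str) -> List[str]:
    """Return the lower-cased image names a taskkill command kills via /im."""
    # posix=False keeps Windows backslashes and quotes intact.
    tokens = shlex.split(cmdline, posix=False)
    targets = []
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() == "/im":
            targets.append(tokens[i + 1].strip('"').lower())
    return targets


def detect(events: List[Dict]) -> List[Dict]:
    """Evaluate the three rules over a list of events and return the alerts."""
    alerts = []
    for ev in events:
        image = ev.get("Image", "").lower()
        base = ntpath.basename(image)
        if ev["EventID"] == 1 and base == "taskkill.exe":
            # Rule 1: taskkill aimed at a known security product process.
            hits = [t for t in taskkill_targets(ev["CommandLine"])
                    if t in SECURITY_PROCESSES]
            if hits:
                alerts.append({"rule": "taskkill_security_product",
                               "pid": ev["ProcessId"], "detail": hits[0]})
        elif ev["EventID"] == 7 and base == "svchost.exe":
            # Rule 2: service host loading a DLL from outside the system dirs.
            loaded = ev.get("ImageLoaded", "").lower()
            if loaded and not loaded.startswith(SYSTEM_DIRS):
                alerts.append({"rule": "svchost_loads_nonsystem_dll",
                               "pid": ev["ProcessId"], "detail": loaded})
        elif ev["EventID"] == 11:
            # Rule 3: file written directly under C:\Windows (not a subdirectory)
            # by a process that does not itself live in the system directories.
            target = ev.get("TargetFilename", "").lower()
            if (ntpath.dirname(target) == "c:\\windows"
                    and not image.startswith(SYSTEM_DIRS)):
                alerts.append({"rule": "drops_file_in_windows_dir",
                               "pid": ev["ProcessId"], "detail": target})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] pid={alert['pid']} {alert['detail']}")
```

Rule 2 is the one that carries the most weight here: the "Server Software Component: Terminal Services DLL" and "Loads dropped DLL" signatures both reflect the sample registering its payload as a service DLL so that a legitimate svchost.exe -k netsvcs host loads it, which is why the dropped DLL's memory region (0x10000000, 120KB) appears under PID 3028 rather than under the original executable. Matching on the loaded path rather than on the DLL name keeps the rule independent of the decoy filename (nod32.dll) chosen by this particular sample.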

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\MyInformations.ini

    Filesize

    352B

    MD5

    3741d6bc3349833df6a0228790693a05

    SHA1

    b6397afa0d3a584afcbfabc55cfa59ff1b623b92

    SHA256

    fd1df8e50a5aeeda0d86464d7977f05f80d0f987248037f4634416b7d59477de

    SHA512

    51ef2ed242e0a9b4970805cd23a9bb4b76c794447f737ddb4aafcb8e687cd6605896ef84c5448eda77b9c3503fb94a8aff665c49afc6e3f071c79a1fdd4a3a45

  • \ProgramFiles\nod32.dll

    Filesize

    103KB

    MD5

    1b126df78170a8daab2f55ddd59c77e0

    SHA1

    2c2211566c68cd04f99da2fe65e24cb1134b9778

    SHA256

    562d2db8d0aabc63392cb388d32be0d85b3604495371d17e20c5e66a57bc8b8d

    SHA512

    172ada5938022f3162db51e825664e50f3abfcb3deaa855f5d7bd491f956fa3faf94398c1badc3268a95327e9f4b6766328c9407cc7edaa264158c0f64b85368

  • memory/1744-0-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/1744-21-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/3028-23-0x0000000010000000-0x000000001001E000-memory.dmp

    Filesize

    120KB

  • memory/3028-24-0x0000000010000000-0x000000001001E000-memory.dmp

    Filesize

    120KB