Analysis

  • max time kernel
    139s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/10/2024, 23:11

General

  • Target

    4a6ee7aa6ca06a659c4ff203a49aaee1_JaffaCakes118.exe

  • Size

    95KB

  • MD5

    4a6ee7aa6ca06a659c4ff203a49aaee1

  • SHA1

    8c7ccb9bb38e677dff882f2215550221c42c42b3

  • SHA256

    fb96749e82468a71f853f561482faac7201aed43021ce97f6dcdd6a6e5b4e9ee

  • SHA512

    c94053b3952016f4fd1c4195641ef7c6ccf34f266ae1df516a7d765bbd48433a726f1d2bca41fc88f0ad502b54e0afa89be4cb7042222d42e0246229146a514b

  • SSDEEP

    1536:NPFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8pr4KobKbCkun6fQ:NZS4jHS8q/3nTzePCwNUh4E9toyCku6I

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 5 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops file in System32 directory 6 IoCs
  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4a6ee7aa6ca06a659c4ff203a49aaee1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4a6ee7aa6ca06a659c4ff203a49aaee1_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2236
    • \??\c:\users\admin\appdata\local\keidcgotgx
      "C:\Users\Admin\AppData\Local\Temp\4a6ee7aa6ca06a659c4ff203a49aaee1_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\4a6ee7aa6ca06a659c4ff203a49aaee1_jaffacakes118.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1236
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:1324
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 1060
      2⤵
      • Program crash
      PID:1012
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1324 -ip 1324
    1⤵
      PID:4576
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
      1⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1532
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 920
        2⤵
        • Program crash
        PID:64
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1532 -ip 1532
      1⤵
        PID:1432
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
        1⤵
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4936
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 872
          2⤵
          • Program crash
          PID:2184
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4936 -ip 4936
        1⤵
          PID:1664

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\svchost.exe.txt
    Filesize: 206B
    MD5: 001716964717315f80ccef7d40dc711e
    SHA1: ca321b2af04b2c682ef097d0593e45e28c8ecf25
    SHA256: 97184e87435d9de480111c3127671f4e267cadaef96d033ea1cd6c7276b0fa09
    SHA512: fb0e0a59a68fee371b1476c8ac206523451c54d4d72a1175a6e7dc5f5963fcee1429a9091feea1e63c3dd3fb07bb2aa9666ba9cbda20da2fb4f31f7a8e5c5a08

  • C:\Windows\SysWOW64\svchost.exe.txt
    Filesize: 309B
    MD5: d2b54ce0bd5ee98c4926aafee7d1be76
    SHA1: dfbfe1990c5bfa97a2c141a35a083c97477ca6e1
    SHA256: 20332f0815ef2a968154076b3ec5357ba10bc814a256d0a35c6008e70c0bf424
    SHA512: ba05839b2c10e99d2e17de7c307bb28229857323bdcbe7daf277b1c0d50762db3d25d759a14106fabf61f3678e8acb483e1c5e53f3e3aae4cbd8632489047782

  • \??\c:\programdata\application data\storm\update\%sessionname%\vjfig.cc3
    Filesize: 19.0MB
    MD5: 129cca7c2b978b6b3038b13f20055f85
    SHA1: 90839572dcd475fea5ae074b6c96c47695e856e8
    SHA256: ac81f6bf834f3acd493350d94c251b5845ffd162794a58df07683a2c9264a092
    SHA512: 9eefc92053f3298f827e1d964601e753df28c9f955847603dbc484730f77e2f3a90baeb7761af682d043e8af1e6ea9952ed069294c42c5ce682239eab88bbba6

  • \??\c:\users\admin\appdata\local\keidcgotgx
    Filesize: 23.7MB
    MD5: af9230ed7bcc824a2386f73b7ecea80b
    SHA1: 41ed7aa9944e6d5257854d0b6eb10560e71a37a9
    SHA256: c85100def54e4d61dd8a4a2cd6a739c8c539cf16a7c2a6e9d4c5158d98af2aa4
    SHA512: 463c86b4e8e990a3b4a94a948570a336767d1270d68a786c58c6ff020b1061bdcde3843264b1957c5a0a3043fefeb65677db3348aa7f32fa2074333e1b739d72

  • memory/1236-11-0x0000000000400000-0x000000000044E5F0-memory.dmp
    Filesize: 313KB

  • memory/1236-10-0x00000000001D0000-0x00000000001D1000-memory.dmp
    Filesize: 4KB

  • memory/1236-16-0x0000000000400000-0x000000000044E5F0-memory.dmp
    Filesize: 313KB

  • memory/1324-17-0x00000000017F0000-0x00000000017F1000-memory.dmp
    Filesize: 4KB

  • memory/1324-19-0x0000000020000000-0x0000000020027000-memory.dmp
    Filesize: 156KB

  • memory/1532-21-0x0000000001BE0000-0x0000000001BE1000-memory.dmp
    Filesize: 4KB

  • memory/1532-24-0x0000000020000000-0x0000000020027000-memory.dmp
    Filesize: 156KB

  • memory/2236-0-0x0000000000400000-0x000000000044E5F0-memory.dmp
    Filesize: 313KB

  • memory/2236-7-0x0000000000400000-0x000000000044E5F0-memory.dmp
    Filesize: 313KB

  • memory/2236-2-0x00000000001D0000-0x00000000001D1000-memory.dmp
    Filesize: 4KB

  • memory/4936-29-0x0000000020000000-0x0000000020027000-memory.dmp
    Filesize: 156KB