General

  • Target

    49f731d79a4b9e2e8c0578585649bede_JaffaCakes118

  • Size

    5.2MB

  • Sample

    241015-zq3zzawgnh

  • MD5

    49f731d79a4b9e2e8c0578585649bede

  • SHA1

    164e7cba8b539a71104fcc075467a4ed6236d153

  • SHA256

    2e02781a4a4eed3e8672dc87c3683da295532eebf4b02377b85a5697bc05c5c7

  • SHA512

    1c9d71e354e5547841796c7234047b97b41708e640b0179c376820d1fded5ce5702df43df051ef984c59970d65331601692e0473bb9908e74a97840f4053c13c

  • SSDEEP

    3072:IYCh0N1tT1BWHWVKhqvEzO/V1VrNYQkCA+HFSWvV3TBftZnob2S:PzjWHA9DNYtEHhvV3TBlZnobb

Malware Config

Targets

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese groups.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks