General

  • Target

    4b63895b56f6474707186fd0ef0635c0_JaffaCakes118

  • Size

    562KB

  • Sample

    241016-e2v4aawhjk

  • MD5

    4b63895b56f6474707186fd0ef0635c0

  • SHA1

    18fba057abf06abb359110db9e202f4701c4dfb8

  • SHA256

    050c95bd50fd6ea6882bb718cc06a2b692ce0054416e11184cff93ce9199e5ea

  • SHA512

    b77b7aed00aafbb9f3f5a8a6e9ed362e7c6c24fead9f7b4c7ab0d375bfc0c538ec5c9f871800a885250688983487a3c11d5e196f9be9d3f9dfe2d564e1de28ed

  • SSDEEP

    12288:nsaY8rL1VYO2cz96qsMfU+to5fJojREZWcQvEUtz:B/r3Ysz4lMto5xEOKz

Malware Config

Targets

    • Target

      4b63895b56f6474707186fd0ef0635c0_JaffaCakes118

    • Size

      562KB

    • MD5

      4b63895b56f6474707186fd0ef0635c0

    • SHA1

      18fba057abf06abb359110db9e202f4701c4dfb8

    • SHA256

      050c95bd50fd6ea6882bb718cc06a2b692ce0054416e11184cff93ce9199e5ea

    • SHA512

      b77b7aed00aafbb9f3f5a8a6e9ed362e7c6c24fead9f7b4c7ab0d375bfc0c538ec5c9f871800a885250688983487a3c11d5e196f9be9d3f9dfe2d564e1de28ed

    • SSDEEP

      12288:nsaY8rL1VYO2cz96qsMfU+to5fJojREZWcQvEUtz:B/r3Ysz4lMto5xEOKz

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese threat groups.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

MITRE ATT&CK Enterprise v15

Tasks