Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/10/2024, 22:06

General

  • Target

    7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe

  • Size

    311KB

  • MD5

    7ce256076e57d662a6e0b72edc562542

  • SHA1

    e034d789ea2792780b988c636145e0d6378a624e

  • SHA256

    052abface6a82556781baf6890586267f6d18fc9750f7a0e880552d73d46a271

  • SHA512

    825e51d48d816f0754db6d2590a049be2e57ac41d399ac82a83029e33e9e05312e50a361db4fc5ca99d1cb7e175111d4c54cc46e1060ac1f2ef74b0b5cef3a39

  • SSDEEP

    6144:FibDMGJyE51ZuweB+eqoOfw8Pka4qQM/83UZ0BckmxhK6Wf:YbBX5XmF8Pj3F/OUrkX6+

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 6 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Gh0strat family
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects a file packed with ACProtect.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the victim system's language in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:2736
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    1⤵
    • Deletes itself
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:2780

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\3224400.dll

          Filesize

          105KB

          MD5

          a11638396cc03a0c5d9b884caf3a2f49

          SHA1

          c8e7eee257e14e07c5e8c0e77b3ac60e607308a0

          SHA256

          328c0d1f7c0f110b9c1687d30c075bcae1ea542340e3af91d449c72d41cb764e

          SHA512

          929417a9d24c379d6317a5f2a169e444f22254c5484318661d4199a768adbc549bf0ce7b615140b6e321734e062c04f21c2cba77a52c0a548856aa009a43fec8

        • C:\Windows\FileName.jpg

          Filesize

          6.3MB

          MD5

          13c90fe45c094ab94b9b59b4932d9b72

          SHA1

          fbcc642e6d01e73b3a15fcaf85bf8726b4346279

          SHA256

          fbfc2c293c2b404b95e36a465faf58533e645e7f6104b8ea37e20a7e2349a329

          SHA512

          e6811bd7fc8495d4695c74fb49aea0d199bf938d78f8e9d1aa8294f7528dd5e0d391180596dd506b07656f1415c2b86f34091fb2bbe655adf3eb006425773954

        • \??\c:\NT_Path.jpg

          Filesize

          99B

          MD5

          a979ea484d61a85dba13ecff470331c4

          SHA1

          33e436395aa6d706d1c2bd85d3d9a23b29487089

          SHA256

          9d21a3d928ff67a542d0338e16ef9526fc2700da93fdb146d8550ab667e4e7e4

          SHA512

          5ad2c6ffa2bdea4a38b5b0b718ca6cfa29f84b945baad47dbad50e23b0f054b97249875d85aa67063170ac458295ef01b604ebc811afb61e63800de50572f856

        • \Users\Admin\AppData\Local\Temp\hml7A4E.tmp

          Filesize

          172KB

          MD5

          685f1cbd4af30a1d0c25f252d399a666

          SHA1

          6a1b978f5e6150b88c8634146f1406ed97d2f134

          SHA256

          0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

          SHA512

          6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

        • memory/2736-4-0x00000000001D0000-0x00000000001F7000-memory.dmp

          Filesize

          156KB

        • memory/2736-8-0x00000000004A0000-0x0000000000513000-memory.dmp

          Filesize

          460KB

        • memory/2736-0-0x0000000000400000-0x0000000000427000-memory.dmp

          Filesize

          156KB

        • memory/2736-17-0x0000000000400000-0x0000000000427000-memory.dmp

          Filesize

          156KB

        • memory/2736-18-0x00000000004A0000-0x0000000000513000-memory.dmp

          Filesize

          460KB

        • memory/2736-20-0x00000000001D0000-0x00000000001DD000-memory.dmp

          Filesize

          52KB

        • memory/2736-19-0x0000000010000000-0x000000001001E000-memory.dmp

          Filesize

          120KB

        • memory/2736-1-0x00000000001D0000-0x00000000001F7000-memory.dmp

          Filesize

          156KB

        • memory/2736-2-0x00000000001D0000-0x00000000001F7000-memory.dmp

          Filesize

          156KB

        • memory/2780-23-0x0000000010000000-0x000000001001E000-memory.dmp

          Filesize

          120KB
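The hashes and drop locations above are only useful if they can be swept across other hosts. The script below is an added example, not part of the sandbox output: it carries the MD5/SHA1/SHA256 values from this report's Downloads table and the fixed drop paths (C:\3224400.dll, C:\Windows\FileName.jpg and C:\NT_Path.jpg, the last being the plain form of the \??\c:\NT_Path.jpg NT path), hashes every file under a directory, and reports matches and any drop path that exists. The %TEMP%\hml7A4E.tmp name is deliberately not treated as a path indicator, on the assumption that such temp names differ per run; its hashes are still in the table. The bytes used in the self-check are constructed and are not the real sample.

```python
"""IOC sweep built from this report's hash table and drop paths (added example)."""
import hashlib
import os
import sys
from pathlib import Path

# Digests copied from the report. Keys are lowercase hex digests, values name
# the file the digest belongs to.
REPORT_HASHES = {
    # 7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe (311KB)
    "7ce256076e57d662a6e0b72edc562542": "submitted sample (md5)",
    "e034d789ea2792780b988c636145e0d6378a624e": "submitted sample (sha1)",
    "052abface6a82556781baf6890586267f6d18fc9750f7a0e880552d73d46a271": "submitted sample (sha256)",
    # C:\3224400.dll (105KB)
    "a11638396cc03a0c5d9b884caf3a2f49": "3224400.dll (md5)",
    "c8e7eee257e14e07c5e8c0e77b3ac60e607308a0": "3224400.dll (sha1)",
    "328c0d1f7c0f110b9c1687d30c075bcae1ea542340e3af91d449c72d41cb764e": "3224400.dll (sha256)",
    # C:\Windows\FileName.jpg (6.3MB)
    "13c90fe45c094ab94b9b59b4932d9b72": "FileName.jpg (md5)",
    "fbcc642e6d01e73b3a15fcaf85bf8726b4346279": "FileName.jpg (sha1)",
    "fbfc2c293c2b404b95e36a465faf58533e645e7f6104b8ea37e20a7e2349a329": "FileName.jpg (sha256)",
    # \??\c:\NT_Path.jpg (99B)
    "a979ea484d61a85dba13ecff470331c4": "NT_Path.jpg (md5)",
    "33e436395aa6d706d1c2bd85d3d9a23b29487089": "NT_Path.jpg (sha1)",
    "9d21a3d928ff67a542d0338e16ef9526fc2700da93fdb146d8550ab667e4e7e4": "NT_Path.jpg (sha256)",
    # %TEMP%\hml7A4E.tmp (172KB)
    "685f1cbd4af30a1d0c25f252d399a666": "hml7A4E.tmp (md5)",
    "6a1b978f5e6150b88c8634146f1406ed97d2f134": "hml7A4E.tmp (sha1)",
    "0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4": "hml7A4E.tmp (sha256)",
}

# Fixed drop locations from the report. The .tmp in %TEMP% is left out on the
# assumption (ours, not the report's) that its name varies between runs.
DROP_PATHS = (r"C:\3224400.dll", r"C:\Windows\FileName.jpg", r"C:\NT_Path.jpg")


def digests(data: bytes) -> dict:
    """md5/sha1/sha256 hex digests of an in-memory byte string."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path) -> dict:
    """Same digests for a file, read in 1 MiB chunks (FileName.jpg is 6.3MB)."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def match_bytes(data: bytes, table=REPORT_HASHES):
    """Label from table whose digest matches data under any algorithm, else None."""
    for hexdigest in digests(data).values():
        if hexdigest in table:
            return table[hexdigest]
    return None


def sweep(root, table=REPORT_HASHES) -> list:
    """Walk root; return [(path, label)] for every file whose digest is in table."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            path = Path(dirpath) / name
            try:
                hashes = hash_file(path)
            except OSError:
                continue  # locked or unreadable file: skip it, do not abort the sweep
            for hexdigest in hashes.values():
                if hexdigest in table:
                    hits.append((str(path), table[hexdigest]))
                    break
    return hits


def existing_drop_paths(paths=DROP_PATHS) -> list:
    """Drop locations from the report that exist on this host."""
    return [p for p in paths if os.path.exists(p)]


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, label in sweep(root):
        print(f"HASH MATCH  {path} -> {label}")
    for p in existing_drop_paths():
        print(f"DROP PATH   {p} present")
```

Run it as `python sweep.py C:\` on a suspect host, or point it at a mounted image. Matching on any one of the three digests keeps the sweep useful when a source only carries MD5; a hit on a hash alone does not prove infection, so pair it with the process-tree indicator above (svchost.exe -k imgsvc surviving after the dropper deletes itself) before acting.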