Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/10/2024, 22:06

General

  • Target

    7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe

  • Size

    311KB

  • MD5

    7ce256076e57d662a6e0b72edc562542

  • SHA1

    e034d789ea2792780b988c636145e0d6378a624e

  • SHA256

    052abface6a82556781baf6890586267f6d18fc9750f7a0e880552d73d46a271

  • SHA512

    825e51d48d816f0754db6d2590a049be2e57ac41d399ac82a83029e33e9e05312e50a361db4fc5ca99d1cb7e175111d4c54cc46e1060ac1f2ef74b0b5cef3a39

  • SSDEEP

    6144:FibDMGJyE51ZuweB+eqoOfw8Pka4qQM/83UZ0BckmxhK6Wf:YbBX5XmF8Pj3F/OUrkX6+

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 4 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Gh0strat family
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe"
    • Loads dropped DLL
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:3556
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    • Deletes itself
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:880

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\851100.dll

          Filesize

          105KB

          MD5

          a11638396cc03a0c5d9b884caf3a2f49

          SHA1

          c8e7eee257e14e07c5e8c0e77b3ac60e607308a0

          SHA256

          328c0d1f7c0f110b9c1687d30c075bcae1ea542340e3af91d449c72d41cb764e

          SHA512

          929417a9d24c379d6317a5f2a169e444f22254c5484318661d4199a768adbc549bf0ce7b615140b6e321734e062c04f21c2cba77a52c0a548856aa009a43fec8

        • C:\Users\Admin\AppData\Local\Temp\cni8414.tmp

          Filesize

          172KB

          MD5

          685f1cbd4af30a1d0c25f252d399a666

          SHA1

          6a1b978f5e6150b88c8634146f1406ed97d2f134

          SHA256

          0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

          SHA512

          6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

        • \??\c:\NT_Path.jpg

          Filesize

          98B

          MD5

          c6bf54463aef440a5df8b34a0b3d1c0b

          SHA1

          773e95f68e4d055577f4d2f3dcca81517e463fcf

          SHA256

          8e18768dda394bf613fcc1449cdcb41feaa286682f4db3837552ed8b34a2ffab

          SHA512

          333fae7557c2511b8b61d3b2ccb48f1c92307240c7ba64b62ca7318f191ac0b960f47af607c7123691da8437f40a52862a6c9b8d19da95789f617614ea6ab63f

        • \??\c:\windows\filename.jpg

          Filesize

          3.9MB

          MD5

          23a4a59f17d46fdaf1843d5ea2a005bb

          SHA1

          3b2da684fb2a39525e2b2b96c971e6657682b412

          SHA256

          fdf6afac9b6a725b341f4f6084a3cc47da5c7027faef117552f26a54cc58e18f

          SHA512

          e1f4ee055267c2ad458c03f5d5abd1bdf84a6e7f1e9ec214bc07dac804e4d6322074fd23ad8d9acdcabb7936465589a1e28188f4bd59ad4c2567b83419a8724e

        • memory/3556-0-0x0000000000400000-0x0000000000427000-memory.dmp

          Filesize

          156KB

        • memory/3556-6-0x00000000021C0000-0x0000000002233000-memory.dmp

          Filesize

          460KB

        • memory/3556-21-0x0000000000400000-0x0000000000427000-memory.dmp

          Filesize

          156KB

        • memory/3556-20-0x00000000021C0000-0x0000000002233000-memory.dmp

          Filesize

          460KB