Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/10/2024, 22:52

General

  • Target

    7d055ccb42eb596df67022c40bd9f9c8_JaffaCakes118.exe

  • Size

    168KB

  • MD5

    7d055ccb42eb596df67022c40bd9f9c8

  • SHA1

    4594ff62de294665eaf1d40ed5c01900151e30ef

  • SHA256

    d7e1c7cd4ab384a7ee62e691d3551bfba693ab3e0d7876d8d976d04e67050478

  • SHA512

    af2ac640b5decee17c374a00836f4daa932e1b0922f2e048a0a2c48fdb21297c538fea91ee68e34322055b96ec30aa1571bb08c7c4dff23a1bfc3ea1b30a8bac

  • SSDEEP

    3072:J0U8dYKCjUTZ4A2+2YBVjYOZyG7+x7hcLxKl:a2jOZt2+2YnjYbquhcLxKl

Malware Config

Signatures

  • Gh0st RAT payload 2 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Gh0strat family
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

Processes

  • C:\Users\Admin\AppData\Local\Temp\7d055ccb42eb596df67022c40bd9f9c8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7d055ccb42eb596df67022c40bd9f9c8_JaffaCakes118.exe"
    1⤵
    • Server Software Component: Terminal Services DLL
    • Drops file in System32 directory
    PID:2636
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:2832

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \??\c:\windows\SysWOW64\ntfastuserswitchingcompatibility.dll

    Filesize

    140KB

    MD5

    3d199ef209f60d8cfb26af72f8fc3e7f

    SHA1

    4509774206ac3d59fce820ec65d732d03d13fce6

    SHA256

    60f0d05f2938e1438b87ec4a85c6991e4592f0423a5643293bc93895fd3fd42b

    SHA512

    0c39508395bf79a4a5ee63ecb82c2276b868ae24447ca48bcce1a76904a0cf0941fd520a32ea39e9aa77506d70b60db20723b7db2014440a6adc24e123adfc6e

  • memory/2636-0-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/2636-4-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB