General

  • Target: 7cac8a2e185f32bceb004a3cdc977df4_JaffaCakes118
  • Size: 117KB
  • Sample: 241029-zgldka1kgq
  • MD5: 7cac8a2e185f32bceb004a3cdc977df4
  • SHA1: 21743b9c356b962b8c109b2c8ed1b60626425f0e
  • SHA256: dd9f8efcaa9b5f58851e98ad4f3dd18bd9f53c4a5e32df3beb5a15ca9f842166
  • SHA512: bb950ea92c441507215e7519e3e82e9e29d6e5adcaf4bb195d8175b39ef8bfe0a4ea50e52bbdce5a7ea1b4999265696ebfdfae4f04fda9be4083411d87df08f7
  • SSDEEP: 3072:ALk395hYXJiD/be+S67GIEp7WdK8enMOomMCOYov2pj/tDqA:AQq8/be+SPIMSd1OomYv2pzZqA

Malware Config

Targets

    • Target: 7cac8a2e185f32bceb004a3cdc977df4_JaffaCakes118

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • Gh0strat family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target: 2012517235138.exe
    • Size: 5.2MB
    • MD5: 0c18ab74958390bdbc9830bcf1f5662a
    • SHA1: 89445aa6ac30175c24b0a0e0631beb7f75e0e588
    • SHA256: af476da6b7c38ff5e01e3543fc42e9ecdd7c83b49d2c4abe0cc4f25b0462c1cc
    • SHA512: 6d2111aa81e5fbb64f296b73be52d4fdefee18b158ebcaf5aa8b7c28cc2ef978a7a270c95ed669ca1876078626dfb6cb636c932e0fee24492b803c510a4ce408
    • SSDEEP: 3072:WI1WbJFtqTZ805ealC0WHACFOXvwtRST2kM3J5O3ttUtQhJrke:51+FtqMaMdACgv3T2Z3JI3ttzJQe

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks