Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/10/2024, 00:21

General

  • Target

    7d3ed07df7fa59df87e75d2adcfb5181_JaffaCakes118.exe

  • Size

    134KB

  • MD5

    7d3ed07df7fa59df87e75d2adcfb5181

  • SHA1

    7dee2262bc70b31667e2f96ebbf6943d3fa2c6b1

  • SHA256

    d4b9c9c3d53bb614bba05b7db0e3f2d06c7c328581019c617ecfb7953cecd277

  • SHA512

    e324e3a9b60b39199a8e72b6fbad7364118607588a1bdf1f311180e985bec42bf5739ae5efffc2ab91f5cd9da257972291b75985f3a4181f6fba97556806db05

  • SSDEEP

    3072:MMwZSQpKa3VGVnpUlCz764/9xpEEBqbZuwL5iGHeqovv:M3JVGpxx9b3wZuwL4GHeqo

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 2 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Gh0strat family
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7d3ed07df7fa59df87e75d2adcfb5181_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7d3ed07df7fa59df87e75d2adcfb5181_JaffaCakes118.exe"
    • Loads dropped DLL
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:2984
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    • Deletes itself
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:1940
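
The process tree above is the part of this report that turns most directly into detection logic: a dropper loads a DLL from the drive root, then a 32-bit svchost.exe running the imgsvc service group loads the same DLL and the dropper deletes itself. The block below is an added example, not part of the sandbox report or of any Triage tooling. It runs four rules over constructed Sysmon-style records (EID 1 process create, EID 7 image load); paths, PIDs and command lines are copied from the report, but the record layout and field names are assumptions, as is the rule that imgsvc is normally hosted by the 64-bit System32 svchost on x64 Windows. The report does not show how the service host came to load the DLL, and the example makes no claim about that.

```python
"""Added example (not part of the sandbox report): run detection rules derived
from the reported process tree over constructed Sysmon-style event records."""
import re
from typing import Dict, List

# Constructed records modelled on Sysmon EID 1 (process create) and EID 7 (image
# load). Paths, PIDs and command lines are copied from the report; the record
# layout and field names are an assumption of this example, not report data.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\7d3ed07df7fa59df87e75d2adcfb5181_JaffaCakes118.exe"
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 1, "ProcessId": 2984, "Image": DROPPER, "CommandLine": f'"{DROPPER}"'},
    {"EventID": 7, "ProcessId": 2984, "Image": DROPPER, "ImageLoaded": r"C:\1038700.dll"},
    {"EventID": 1, "ProcessId": 1940, "Image": r"C:\Windows\SysWOW64\svchost.exe",
     "CommandLine": r"C:\Windows\SysWOW64\svchost.exe -k imgsvc"},
    {"EventID": 7, "ProcessId": 1940, "Image": r"C:\Windows\SysWOW64\svchost.exe",
     "ImageLoaded": r"C:\1038700.dll"},
    # Benign noise so the rules have something to ignore (constructed, not from the report).
    {"EventID": 1, "ProcessId": 512, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"EventID": 7, "ProcessId": 512, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\wuaueng.dll"},
]


def _norm(path: str) -> str:
    """Lower-case and backslash-normalise a Windows path for comparison."""
    return path.replace("/", "\\").lower()


def _under_windows(path: str) -> bool:
    """True when the path sits below <drive>:\\Windows\\ (where svchost DLLs belong)."""
    return re.match(r"^[a-z]:\\windows\\", _norm(path)) is not None


# Matches the report's C:\1038700.dll: a DLL with an all-numeric name in the drive root.
NUMERIC_ROOT_DLL = re.compile(r"^[a-z]:\\\d+\.dll$")
IMGSVC_GROUP = re.compile(r"-k\s+imgsvc(\s|$)")


def detect(events: List[Dict]) -> List[Dict]:
    """Return one finding per rule hit; rules are evaluated per event, then correlated."""
    findings: List[Dict] = []
    loaders: Dict[str, set] = {}  # normalised DLL path -> PIDs that loaded it
    for ev in events:
        pid = ev["ProcessId"]
        image = _norm(ev["Image"])
        is_svchost = image.endswith("\\svchost.exe")
        if ev["EventID"] == 1:
            cmd = ev.get("CommandLine", "")
            # Assumption: on x64 Windows the imgsvc group is hosted by the 64-bit
            # System32 svchost, so a SysWOW64 host for that group is unexpected.
            if is_svchost and "\\syswow64\\" in image and IMGSVC_GROUP.search(cmd.lower()):
                findings.append({"rule": "wow64_svchost_imgsvc", "pid": pid, "detail": cmd})
        elif ev["EventID"] == 7:
            dll = _norm(ev["ImageLoaded"])
            loaders.setdefault(dll, set()).add(pid)
            if is_svchost and not _under_windows(dll):
                findings.append({"rule": "svchost_loads_nonsystem_dll", "pid": pid, "detail": dll})
            if NUMERIC_ROOT_DLL.match(dll):
                findings.append({"rule": "numeric_dll_in_drive_root", "pid": pid, "detail": dll})
    # Correlation: the same non-system DLL loaded by more than one process, which is
    # the dropper-to-service-host handoff the report's process tree shows.
    for dll, pids in loaders.items():
        if len(pids) > 1 and not _under_windows(dll):
            findings.append({"rule": "dropped_dll_handoff", "pids": sorted(pids), "detail": dll})
    return findings


def summarize(findings: List[Dict]) -> Dict[str, int]:
    """Count findings per rule name."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

On the constructed input the two System32 records produce nothing, while the report's own events trigger every rule; the handoff correlation fires only once the DLL has been seen in both PID 2984 and PID 1940, which is the signal that separates this pattern from a lone DLL side-load.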

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\1038700.dll
    Filesize: 101KB
    MD5: 0f3d0a39f82e6ea8e7a38e2757e0ba8f
    SHA1: c751f50c0032a73c54dc9bf2e915d89a789fa0d6
    SHA256: 3cc95a94fefb27841dfda8f8304c3a54fe3c0312b1026c5ef7fc346ce4a39eda
    SHA512: 8152b0e91a1f4d2a8539b19bd41c2964bfda35cdf13d716cdd5fa78fcbea08c4e00972b2926c047a9e2c43fbe8fee750c9be751aff3ff93b13e1340536e0f6d8

  • \??\c:\NT_Path.jpg
    Filesize: 99B
    MD5: 91202ead1372f735e58f7695d1f484d5
    SHA1: 8219a0c2e5679e4a5f2739f56eb5ad4b6f2357f6
    SHA256: 03d3155c60164c8c9a88591c24f6f44c1a2a21a3d2bfbdb80f801c6449263b34
    SHA512: b4957694128c3258799f9b4b2098746f381bf008e160db5793081b757b1830fd378ca519f90abd51da19f0a2ff726a01cd3f021a49c063b847b5846453196529

  • \??\c:\windows\filename.jpg
    Filesize: 7.5MB
    MD5: 9e7735878e330566435800a1215a04ea
    SHA1: 6ccac55f336f90d835f4ededea1b4854a4d41041
    SHA256: 7a0151287307563b75e9781e4192c2650164ccd048511215ab9a6237f45c06b4
    SHA512: 92e68f3a60f08f063c08b38c425d4c1f9cf398fcf256571a44acc308f3c5a417567b33608ff6d70aa73fcad0295c6205e1cae098ca14503d58160383d49f87bb
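
The General section and the Downloads list together give four digests for the sample and for each dropped file. The block below is an added example, not part of the report, for checking files on hand against those digests: it streams each file once through all four hash functions (so the 7.5MB filename.jpg is not read into memory), and it distinguishes a full match from a partial one, where one algorithm agrees and another does not, which means a corrupt copy or a bad feed entry rather than a confirmed hit. The digest table is copied from the report; file sizes are left out because the report rounds them. The function names, the constructed test bytes, and the "full"/"partial" verdicts are this example's own.

```python
"""Added example (not part of the sandbox report): verify files against the
report's published digests, streaming each file once through all four hashes."""
import hashlib
import io
import os
from typing import Dict, List, Optional, Tuple

ALGOS = ("md5", "sha1", "sha256", "sha512")

# Digests copied from the report. Sizes are omitted because the report rounds them.
REPORT_IOCS: Dict[str, Dict[str, str]] = {
    "7d3ed07df7fa59df87e75d2adcfb5181_JaffaCakes118.exe": {
        "md5": "7d3ed07df7fa59df87e75d2adcfb5181",
        "sha1": "7dee2262bc70b31667e2f96ebbf6943d3fa2c6b1",
        "sha256": "d4b9c9c3d53bb614bba05b7db0e3f2d06c7c328581019c617ecfb7953cecd277",
        "sha512": "e324e3a9b60b39199a8e72b6fbad7364118607588a1bdf1f311180e985bec42bf5739ae5efffc2ab91f5cd9da257972291b75985f3a4181f6fba97556806db05",
    },
    r"C:\1038700.dll": {
        "md5": "0f3d0a39f82e6ea8e7a38e2757e0ba8f",
        "sha1": "c751f50c0032a73c54dc9bf2e915d89a789fa0d6",
        "sha256": "3cc95a94fefb27841dfda8f8304c3a54fe3c0312b1026c5ef7fc346ce4a39eda",
        "sha512": "8152b0e91a1f4d2a8539b19bd41c2964bfda35cdf13d716cdd5fa78fcbea08c4e00972b2926c047a9e2c43fbe8fee750c9be751aff3ff93b13e1340536e0f6d8",
    },
    r"c:\NT_Path.jpg": {
        "md5": "91202ead1372f735e58f7695d1f484d5",
        "sha1": "8219a0c2e5679e4a5f2739f56eb5ad4b6f2357f6",
        "sha256": "03d3155c60164c8c9a88591c24f6f44c1a2a21a3d2bfbdb80f801c6449263b34",
        "sha512": "b4957694128c3258799f9b4b2098746f381bf008e160db5793081b757b1830fd378ca519f90abd51da19f0a2ff726a01cd3f021a49c063b847b5846453196529",
    },
    r"c:\windows\filename.jpg": {
        "md5": "9e7735878e330566435800a1215a04ea",
        "sha1": "6ccac55f336f90d835f4ededea1b4854a4d41041",
        "sha256": "7a0151287307563b75e9781e4192c2650164ccd048511215ab9a6237f45c06b4",
        "sha512": "92e68f3a60f08f063c08b38c425d4c1f9cf398fcf256571a44acc308f3c5a417567b33608ff6d70aa73fcad0295c6205e1cae098ca14503d58160383d49f87bb",
    },
}


def digests_of_stream(fh, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Feed one pass over the stream into every algorithm in ALGOS."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    while True:
        chunk = fh.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def digests_of_bytes(data: bytes) -> Dict[str, str]:
    return digests_of_stream(io.BytesIO(data))


def match_report(digests: Dict[str, str],
                 iocs: Dict[str, Dict[str, str]] = REPORT_IOCS
                 ) -> Optional[Tuple[str, str, List[str]]]:
    """Return (ioc name, verdict, matched algorithms) or None.

    verdict is "full" when every digest the IOC record carries agrees, and
    "partial" when some agree and some do not (a corrupt copy, a truncated
    hash in a feed, or a tampered record), which should be triaged, not trusted.
    """
    for name, ref in iocs.items():
        present = [a for a in ALGOS if a in ref]
        matched = [a for a in present if ref[a].lower() == digests[a]]
        if matched:
            return name, ("full" if len(matched) == len(present) else "partial"), matched
    return None


def check_file(path: str, iocs: Dict[str, Dict[str, str]] = REPORT_IOCS):
    with open(path, "rb") as fh:
        return match_report(digests_of_stream(fh), iocs)


def scan_tree(root: str, iocs: Dict[str, Dict[str, str]] = REPORT_IOCS) -> Dict[str, Tuple]:
    """Walk a directory and return {path: match} for every file that hits an IOC."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            try:
                m = check_file(p, iocs)
            except OSError:
                continue
            if m:
                hits[p] = m
    return hits


if __name__ == "__main__":
    import sys
    for p, m in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(p, m)
```

Run it as `python check_iocs.py <directory>` to list files matching any of the four records. A partial verdict is deliberately not treated as a hit: two files agreeing on MD5 but not SHA-256 is evidence that one of the two records is wrong, not that the sample has been found.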