Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    31/10/2024, 03:31

General

  • Target

    8173bdfafc135aa867c33525bcbbee03_JaffaCakes118.exe

  • Size

    4.8MB

  • MD5

    8173bdfafc135aa867c33525bcbbee03

  • SHA1

    4b66034fcc78184b5267b98b9644af6857f395f4

  • SHA256

    df3d4b03c2fcd0050c01e5be70962d833c960aaf937765e2a043ec4ae14bba9a

  • SHA512

    4b9f289accbce3bdce2916eda477f3c3692551c72fb24312eedbe5402e02b2e2795c4ad44c8be65cf20b99bb313de479fc5a8113e294eec107dda94ac0603cdb

  • SSDEEP

    98304:8lG4ybJ2aU8LTT8Cz43cYl80kXdEW+iD5tx20SCVRFHylfGgkWGXYgMq9V:pV2r8/T8Ck2v+iD5iCVXHyG/1BMqD

Malware Config

Signatures

  • Gh0st RAT payload 7 IoCs
  • Gh0strat

    Gh0st RAT is a remote access trojan whose source code is publicly available; it has been used by multiple Chinese threat groups.

  • Gh0strat family
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • VMProtect packed file 5 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8173bdfafc135aa867c33525bcbbee03_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8173bdfafc135aa867c33525bcbbee03_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1988
    • C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      2⤵
      • Server Software Component: Terminal Services DLL
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1812
    • C:\Users\Admin\AppData\Local\Temp\VIP加强版.exe
      "C:\Users\Admin\AppData\Local\Temp\VIP加强版.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1692
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://tg.94fz.com/
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1968
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1968 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2704
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:2860
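A hunting script built from the indicators in this report, added here as an example and not part of the sandbox output. It does two things: it hashes every file under a directory and matches the SHA256s against the dropped files listed below (server.exe, VIP加强版.exe, ntuser.dll), and it runs three behaviour rules taken from the process tree above over Sysmon-style process-create and image-load events (server.exe executed from %TEMP%, iexplore.exe launched with the observed URL, and svchost.exe -k netsvcs loading a DLL from outside System32/SysWOW64). The sample events are constructed for the example; the event field names (`pid`, `loaded`), the command-line join between process-create and image-load events, and the assumption that the ntuser.dll listed under dropped files is the DLL the svchost.exe process loaded are mine, not the report's.

```python
"""Hunting helpers derived from the indicators in this report (added example).
The events below are constructed for the example; they are not sandbox telemetry."""
import hashlib
import os
import re
import tempfile

# SHA256s of the dropped files listed in the report's Downloads section.
DROPPED_SHA256 = {
    "02e1dfc8f92ca1932a25e00fdf7c71811b73b0e4f394234faa1057b54a3cbccd": "server.exe",
    "019f06b57860be00c9f1f3d118dbfff1c692052c595299b9e9e4407e380967b1": "VIP加强版.exe",
    "918b2d488aa9a83558ec8341cf6e4701a3b8d8f8125105f35e381656a63df509": "ntuser.dll",
}
# URL that iexplore.exe was launched with in the report's process tree.
REPORT_URL = "http://tg.94fz.com/"
# DLL loads by svchost.exe from these directories are treated as expected (assumption).
SYSTEM_DIRS = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.I)


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA256 so large droppers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_matches(root, iocs=DROPPED_SHA256):
    """Return {path: indicator_name} for every file under root whose SHA256 is in iocs."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            digest = sha256_file(path)
            if digest in iocs:
                hits[path] = iocs[digest]
    return hits


def scan_events(events):
    """Apply the three behaviour rules from the process tree to Sysmon-style events.

    Each event is a dict: type ('ProcessCreate' or 'ImageLoad'), pid, image,
    and cmdline (process create) or loaded (image load). Image-load events carry
    no command line, so it is joined from the earlier ProcessCreate by pid.
    Returns a list of (rule, evidence) tuples in event order."""
    cmdlines = {}
    findings = []
    for ev in events:
        image = ev.get("image", "")
        if ev["type"] == "ProcessCreate":
            cmd = ev.get("cmdline", "")
            cmdlines[ev["pid"]] = cmd
            if re.search(r"\\appdata\\local\\temp\\server\.exe$", image, re.I):
                findings.append(("dropped server.exe executed from %TEMP%", image))
            if image.lower().endswith("iexplore.exe") and REPORT_URL in cmd:
                findings.append(("iexplore.exe launched with report URL", cmd))
        elif ev["type"] == "ImageLoad":
            cmd = cmdlines.get(ev["pid"], "")
            loaded = ev.get("loaded", "")
            if loaded.startswith("\\??\\"):      # strip NT object-manager prefix
                loaded = loaded[4:]
            if (image.lower().endswith("\\svchost.exe") and "-k netsvcs" in cmd.lower()
                    and loaded.lower().endswith(".dll") and not SYSTEM_DIRS.match(loaded)):
                findings.append(("svchost -k netsvcs loaded DLL outside System32/SysWOW64", loaded))
    return findings


# Constructed events mirroring the report's process tree, plus two benign ones.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "pid": 1812, "image": r"C:\Users\Admin\AppData\Local\Temp\server.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\server.exe"'},
    {"type": "ProcessCreate", "pid": 1968, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": r'"C:\Program Files\Internet Explorer\iexplore.exe" http://tg.94fz.com/'},
    {"type": "ProcessCreate", "pid": 2860, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r"C:\Windows\SysWOW64\svchost.exe -k netsvcs"},
    {"type": "ImageLoad", "pid": 2860, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "loaded": r"\??\c:\documents and settings\local user\ntuser.dll"},
    {"type": "ImageLoad", "pid": 2860, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "loaded": r"C:\Windows\SysWOW64\kernel32.dll"},          # benign, must not fire
    {"type": "ProcessCreate", "pid": 4000, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},                                  # benign, must not fire
]


def demo_hash_check():
    """Constructed demonstration of hash_matches(): a throwaway file is hashed and
    added to the IoC set, and an unrelated file is present to confirm it is ignored."""
    with tempfile.TemporaryDirectory() as d:
        sample = os.path.join(d, "sample.bin")
        with open(sample, "wb") as f:
            f.write(b"constructed sample, not the real dropped file")
        with open(os.path.join(d, "clean.txt"), "wb") as f:
            f.write(b"nothing to see")
        iocs = dict(DROPPED_SHA256)
        iocs[sha256_file(sample)] = "sample.bin"
        return sorted(hash_matches(d, iocs).values())


if __name__ == "__main__":
    for rule, evidence in scan_events(SAMPLE_EVENTS):
        print(f"[{rule}] {evidence}")
    print("hash demo:", demo_hash_check())
```

Run against real telemetry, feed `hash_matches()` the directories the report shows being written to (the user's Temp directory and the "documents and settings" path) and feed `scan_events()` Sysmon Event ID 1 and 7 records converted to the dict shape above. The svchost rule is deliberately broad: any DLL loaded by a `-k netsvcs` host from outside the Windows system directories is worth a look, since that is how the Terminal Services DLL technique flagged in the Signatures section gets a payload into a service host.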

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          000df84cdccb5291acd3ecab14a16da9

          SHA1

          e7a08449a31bd423ed324e2228b7416020ea21ab

          SHA256

          d028836cbc89843513ed94002d75f32c43d345741ab487bfc9f0d232f99d9c1c

          SHA512

          69ab1ea8a9b6852b124af304291f3186534724820cb6dc4a7ccb1b87835be9abe089f2507994a9ac89aaeba6662ba32300ee1d6e243589a75e37187534793276

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          5831e71a353e0d0e7cebafeaf7a16a90

          SHA1

          6123969ce75afc7de001a1404933f9d95549eac7

          SHA256

          04d02abc8f68505d8e65d55469c4199fae3a336517c778a0a963205a92424a6f

          SHA512

          37a4e79f166a5b51925e61db95b1a93cadceaf3987ee67e1a0c4df83d57c9dbfc25f0fa2ae2c95a073e1e916734c4f1761dd87b1f6f13cd41b04c65be3e77663

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          bb7f5740576487b5da280d0c2e837bd8

          SHA1

          f19cad61eff8b4cd00633e3289df85d39cab3107

          SHA256

          60450637fcd12caf2678ee5fa57258c8cfd0c846957f141f39602d6f03bed604

          SHA512

          000415eb5b1b9e5047dc2ffb2b3dc514f0ac2342e52c0213c2c2f282d095af9bf322c06a83aa7dceb3bd56a036b500e4166a1065cf2cfb485721afeef4449be7

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          2b23357a9c7f856cd5e74f456d65eef4

          SHA1

          d29862ff5a066b0a2d0dd6539922429390fd9578

          SHA256

          854f555ab5bafa72e5fa1abbe16e168731d874aa0588e8b461163f5385c2c669

          SHA512

          9e3a0f94202fa68223f95c7528fccb325d0c3fef977379ed6ac00e5a7486f4528016d5709c2937a844cbb3ded9c2170c16f6b939fe6ae1281db4c1a5384fb1cb

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          65252a2be751e6c096da58e964df6e81

          SHA1

          7e1fe513d1a86f01385996a97bee2a55707464ad

          SHA256

          a7f09c38ac83a7291aa99cbf27e677a8d566e5038b4968cce34c317a9d136d4b

          SHA512

          53cb23abec6d7a1d43e1eb62ac548f500635a496828572df855f7a65c27b746a99c0adb3fde9e876631d99dc8e0aed5cb9a2f55d97f763c7cf0a06e9edad410e

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          13d493a1308fb59ea9a5c5ec77272471

          SHA1

          edab5a7ec244e8da87736a14fe7daa58d209a920

          SHA256

          287da11ea792e61b4d64c99809530dcaacc0c8a0fe7a3f1b7561ab792efa8304

          SHA512

          965a3a11e68608664fc841f09dc3d36a312e42910e3dc51970a10a7bdc22ba5804937c1fd5c811b537c040c98310f770001db9f0a9c7b1cb45f47705d5407fd8

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          b2420c7b91c3dad0e2e277139bcb1b24

          SHA1

          aba0a50017e97200fef4b862f929a94cff9dd8a9

          SHA256

          4e894eb96f33b71f3e88853f1cbf82dd840e9124ebadc428dcce1ed1ba46d5ed

          SHA512

          46f7b18f47d0ba1fb13fc06404bfe43a7d01df8f08c3712bee8ccf6c7a1b861088927a2b5e7ca77e40e1f590624f9232487586309281a09dca28a436b4ab8a5a

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          ebb53d6074782d296b8b9a59fe983ef5

          SHA1

          a8bb42a83afa96cf9d65e4a453f2aaffbf1c7243

          SHA256

          d363db6a7e842b4fafc3bc21e0ad0bf4625f94f5c1c5a7295fcda00b67b9cc76

          SHA512

          2ccb1aaec097c989d48dd5a50f91232d56c38e96f57da95384a5e472e1b2a9f1f75c34e32ae08d3b785eef1d4e50bce54977ce58d6f89662a7aa679fe907aa58

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          b097931502ce2bdb371eddb87c5a8545

          SHA1

          f0fd3a2114877b35f13284d91bce536372e1823e

          SHA256

          0a1e78bd572020cd33acff19a40d37608526b19a2ffa1807b1e2748147f319a6

          SHA512

          1ad42a9131210a46f802b86148662397f54bf7ec21171e4235e15bec23d06ccf261e4ef100dacd1d1e9ad72fe312ad88398abdcc919aaac769b755bb30311619

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          670a12adccdcfd2507c03c606d9b6638

          SHA1

          7ee62b691add937df39386c405a3346e9108b523

          SHA256

          bf52f79b53c95af157eec0eb0d9ecf42aa63b82c17693a43019e6f0a8bab36cf

          SHA512

          c1bae469da0fa7d71f93566a2c6beaf5f4e0a07aad26daee35c0e8f3ad83fedd4e25d2dda1f58f574fd27def35a3ae98742042f8d312639458cfb6090ec1b3e8

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          47643cf694eb9b6119c4cb5d4630bb16

          SHA1

          c8b5e58d41a0496a8a56ee54d2f21d632b079a9d

          SHA256

          63286b6ad18c16eaf19f9a157fd4bbce40c1f4dd80022e8109cd6e066ccb7cb0

          SHA512

          c16f4f74a0739b2922867fef00feafa807182a683f23b01877b62d6695c61317d6d5c6368b4a2e18035e91e1b3cb1191c4e2dbc54cb8000aefaccb81b77b707d

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          1804f136e309b8df35f9ef348e082465

          SHA1

          c33373098d0f27d8986792c6de2b85065add64e0

          SHA256

          f7e24bdbd543a4c963862b845e093cda05efb820ff9b2dd845c1b48236557302

          SHA512

          9324028003fae4812bfd6ad245f88a01c599996730b508f78069254e409a285c1e6bb485a26e9c922c98abfaae12673895c520f2aea3f1f01e051f69126c50da

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          9448fb6b1d4975f44158e4877e6e25b7

          SHA1

          b458bd01b0dfef3f95032cf5b311e40c0acd6853

          SHA256

          729f186707429d7e455ee111b0a9233ba0559ac28742154c7e3939a9e800ea45

          SHA512

          c22afc7c2e3c19f3d589db0481bc09fe9f116f8424c43eb513764ba783ff733b18211908e3d7770fc36a07fc4cd63f39566cc9ad44e462dbc2fd72f7dfc067d4

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          f60ad2d16b39de24c55cf7d76a93c7c5

          SHA1

          44a60d8442296c2e6a03657d0dfd12df4f09e9bb

          SHA256

          93ffcc408571c0866373115e7c9879afdb46ed45606383c478de6f3e9ccaf43f

          SHA512

          fa1599460af7c40f226124a2a4a00c2d4485f6104999b369f7a7c5c6ec0e88b89301d534d64f59cd4f768031ba0b3e180f2e64b539237e782f892cd434d9e3b5

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          6c5410e27ab0d328517d0487c987117b

          SHA1

          eaffb9c68774d9ff087e34bda7d86ced9234cb81

          SHA256

          8658ca311b00d07eb8d042581146aae77b9c5fd9e075b7a1b676f57387853c0f

          SHA512

          b179faeb5812ca127a1b2dbed8fd4b0c94aaac3260191f0a083abae24dc3a93eb644b729c0c44a2b664b584f0a1b3decefc27f783d2fbb2a68ddea362870520f

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          a13201dd2b7b60941f55de05505db325

          SHA1

          66cf8c0927313ae9598f260a6c586352420058c9

          SHA256

          602c0af5f8c94c80a3e22a2c81fa4ae9320fa97d81fdff7e279ade5147156eba

          SHA512

          1199e41de51a42f8f44f8b707005b45f6b8f3baf056c9b73a8f1bca1cb13365cdf2e21466ea9b0b1c51a3845d9f25ba1ffe17fb9e57956f77dad23f020b577f0

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          caac40627506c78083f52ab385f90695

          SHA1

          5b1251fd45516e135fe1753d880b2633635f3a80

          SHA256

          30841e1178c4e69898da1b1a6b88a0d8434690f339db05be63b7db154f474ec1

          SHA512

          b7b71d8ce61563764804f0529053d86f15b4920c63a198e86af816152121098af4b4e3d5fa9ec12080fb5cccea543f8b8c00280fc6cda7421e72589742302314

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          9fd7400c12f9d9141932fae9f3b21d65

          SHA1

          ef96cff6e02478848f9c7aa91b6205e70f24c0bf

          SHA256

          b2b85a0df9d59d7c63ed2e2964ad412394211de1cb313dc642b18ab95814f771

          SHA512

          4e51e09f71af163363c42f200709d409562244779f8add10746bf5e922e5801169e5bcc0cbcc10d6d90e13b2797f21e8cd8c4a4efd47de48389d77974a6edca2

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          d75821f22c5a63e5c53e62747bdc3eec

          SHA1

          c24bb799a7b812d12db0843a7d867add159158f3

          SHA256

          8870b948e0e0a8520caab22e82bcf7e599428cc0a32b36a1a4cbd019e8e7d921

          SHA512

          55c003e74af0a50e4d20dd0730fe45a4889fbbe542dbd03b432b058969f7fb948766bd52ab53102c38fa9c7327eade2f565d65f762debfbd1ec452586f9d77d4

        • C:\Users\Admin\AppData\Local\Temp\CabE0E0.tmp

          Filesize

          70KB

          MD5

          49aebf8cbd62d92ac215b2923fb1b9f5

          SHA1

          1723be06719828dda65ad804298d0431f6aff976

          SHA256

          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

          SHA512

          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

        • C:\Users\Admin\AppData\Local\Temp\TarE170.tmp

          Filesize

          181KB

          MD5

          4ea6026cf93ec6338144661bf1202cd1

          SHA1

          a1dec9044f750ad887935a01430bf49322fbdcb7

          SHA256

          8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

          SHA512

          6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

        • C:\Users\Admin\AppData\Local\Temp\VIP加强版.exe

          Filesize

          4.9MB

          MD5

          c477707537564645109268f1b8312185

          SHA1

          075a960a93f706fb1d8516ff5e402814a99eabf1

          SHA256

          019f06b57860be00c9f1f3d118dbfff1c692052c595299b9e9e4407e380967b1

          SHA512

          6b9ca69f531fe705a7905a3e30c2de3257937ef8e65e3260a130bc8f08b6afbc3c8c5de0bebc9938c7c8a149574148f1098874e31e4d02644736a52c21fa0d2d

        • C:\Users\Admin\AppData\Local\Temp\server.exe

          Filesize

          123KB

          MD5

          8e1f7b3bd7b1296e645a57fbe8cd5b22

          SHA1

          f7374b8a9b2b36b5103e0297be27b62583447156

          SHA256

          02e1dfc8f92ca1932a25e00fdf7c71811b73b0e4f394234faa1057b54a3cbccd

          SHA512

          b96137b5ec95bb5adc16c9984a6d4794f811b47d36e019aedf2e5b1eb501e61dbaae9587317deb2f6adc2e317130e7754f6ac699e68d5e98c82116b1c6f0f67e

        • \??\c:\documents and settings\local user\ntuser.dll

          Filesize

          106KB

          MD5

          be785ba2258ba4163ef37105f0b82ca4

          SHA1

          389a22eaf4994c084ea0d85bb1cf65a4d0ab70cd

          SHA256

          918b2d488aa9a83558ec8341cf6e4701a3b8d8f8125105f35e381656a63df509

          SHA512

          e70c9666fbdc10509b0b24fa8682054d709f0544397981490cdc6c0f979daa827c28561616eb74c6c436959b31439c1394978db90a9a5ce36a27a49231257fc3

        • memory/1692-38-0x00000000010A0000-0x0000000001B2F000-memory.dmp

          Filesize

          10.6MB

        • memory/1692-24-0x0000000077DB0000-0x0000000077DB1000-memory.dmp

          Filesize

          4KB

        • memory/1692-26-0x0000000077DB0000-0x0000000077DB1000-memory.dmp

          Filesize

          4KB

        • memory/1692-30-0x0000000076EE0000-0x0000000076EE1000-memory.dmp

          Filesize

          4KB

        • memory/1692-23-0x00000000010A0000-0x0000000001B2F000-memory.dmp

          Filesize

          10.6MB

        • memory/1692-32-0x00000000010A0000-0x0000000001B2F000-memory.dmp

          Filesize

          10.6MB

        • memory/1812-34-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

        • memory/1812-14-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

        • memory/1988-11-0x00000000023B0000-0x00000000023D1000-memory.dmp

          Filesize

          132KB

        • memory/1988-10-0x00000000023B0000-0x00000000023D1000-memory.dmp

          Filesize

          132KB

        • memory/1988-21-0x00000000037F0000-0x000000000427F000-memory.dmp

          Filesize

          10.6MB

        • memory/1988-0-0x00000000002F0000-0x000000000039C000-memory.dmp

          Filesize

          688KB

        • memory/2860-37-0x0000000010000000-0x000000001001D000-memory.dmp

          Filesize

          116KB

        • memory/2860-903-0x0000000010000000-0x000000001001D000-memory.dmp

          Filesize

          116KB