Analysis

  • max time kernel
    121s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    31/10/2024, 04:31

General

  • Target

    81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118.exe

  • Size

    197KB

  • MD5

    81a67bf2a59b953f9c0f0204b2e1f3a8

  • SHA1

    a680768c148b963a6b605f3ee53a1db7b77a5e4f

  • SHA256

    21d3aab64f92f25bdfa45d4fae4d292bef24b086797099bed54e9d13fcfd11a6

  • SHA512

    2ff6b45b26db7665ce46b024aa6c2b1db14826bf9a83440ebef194f537fb0b9358a2e85b50d3df703bc9c63096ec1ba5caa49cd8d034eec01f80a7810fd26074

  • SSDEEP

    6144:nOVLnWFcxFtsFkVRTl0QdTmNPPYhnUeqP4:n8LWFc+kV1KIo+PY4

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Gh0strat family
  • Loads dropped DLL 3 IoCs
  • Drops file in Program Files directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\81a67bf2a59b953f9c0f0204b2e1f3a8_JaffaCakes118.exe"
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2464
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:2328
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:2032
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:1896
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k regsvc
    PID:2836

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \??\c:\program files (x86)\stormii\%sessionname%\fxuvo.pic

    Filesize

    22.1MB

    MD5

    c16a736dcb64ae6c3733d3fc24141a7e

    SHA1

    6131ea6281d24ac7f8561b75fac0470943ef1fa8

    SHA256

    1d0cb4ae7bea1b698e1f964209bec829fcd0752de88692831b4dcc483b3ce3e7

    SHA512

    d6d97a42d07e39c9370786c378396449e896a28b1ee0788d38926bf9180d280093cb8377614487b144f29dd6d76245456a2ada8da9ff2439e2acaf2a81598edc