Analysis

  • max time kernel
    133s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    31/10/2024, 14:42

General

  • Target

    8350a889a8d1c4cae4fe512d2c17b082_JaffaCakes118.exe

  • Size

    96KB

  • MD5

    8350a889a8d1c4cae4fe512d2c17b082

  • SHA1

    5f5bcb67b15a9f65a50e5d0a1621483ffa6000b0

  • SHA256

    6796c3d66bdf05fc451590201e40f1c066086055ef177eb0877316a70a9d5067

  • SHA512

    a69e4863935c6f60355f8106b07dd905a106f58649bfda61ff684d21e04f68abb86822bd308d40fedac134597dc9a12943f9bb3f9ec7812e3adeccc3ded78834

  • SSDEEP

    1536:CmFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8pr1VJqNueG:CsS4jHS8q/3nTzePCwNUh4E91VBeG

Malware Config

Signatures

  • Gh0st RAT payload 2 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

  • Gh0strat family
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8350a889a8d1c4cae4fe512d2c17b082_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8350a889a8d1c4cae4fe512d2c17b082_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2572
    • \??\c:\users\admin\appdata\local\ghttdjkwpr
      "C:\Users\Admin\AppData\Local\Temp\8350a889a8d1c4cae4fe512d2c17b082_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\8350a889a8d1c4cae4fe512d2c17b082_jaffacakes118.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2248
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2956

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • \??\c:\programdata\application data\storm\update\%sessionname%\bwpbd.cc3

          Filesize

          23.0MB

          MD5

          14bf8ce06fefdd69f2124332bc3e2ec0

          SHA1

          d848fd0b291221272eac8202f03fb113fc4577e5

          SHA256

          ca01db264be789c6b60e5b7059a0ee724f62b06ff92be8e58e7049a868701f91

          SHA512

          8d648a9d10aed28799fe1a57679d62c92a268994965ee193d1e865ed4b7849da0b1815bdda8737cb0f3cae98ae9e0e554b7ea43d42abc0c43ba1c179d02c023f

        • \Users\Admin\AppData\Local\ghttdjkwpr

          Filesize

          24.9MB

          MD5

          46a15db6efdfc526330e1d6a7a59e6e4

          SHA1

          4f3410aedd656aeaff2070131bc2114739030321

          SHA256

          0b30f1d2173aea0ac47ca3d14fdca3ddb7a6483fb9cadde5ba3738a2e78e68c5

          SHA512

          bd9160e717513225784e31b74e98bd9add1fea5d549cb979e2c25395ea7cecff893637af450c5409e3b16f13553c58d95e705a0aee7c21f96b936190a40905fb

        • memory/2248-15-0x0000000000400000-0x000000000044E4A4-memory.dmp

          Filesize

          313KB

        • memory/2248-22-0x0000000000400000-0x000000000044E4A4-memory.dmp

          Filesize

          313KB

        • memory/2572-1-0x0000000000400000-0x000000000044E4A4-memory.dmp

          Filesize

          313KB

        • memory/2572-2-0x0000000000030000-0x0000000000031000-memory.dmp

          Filesize

          4KB

        • memory/2572-7-0x00000000002C0000-0x000000000030F000-memory.dmp

          Filesize

          316KB

        • memory/2572-13-0x0000000000400000-0x000000000044E4A4-memory.dmp

          Filesize

          313KB

        • memory/2956-23-0x0000000000150000-0x0000000000151000-memory.dmp

          Filesize

          4KB