Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    31/10/2024, 14:42

General

  • Target

    8350a889a8d1c4cae4fe512d2c17b082_JaffaCakes118.exe

  • Size

    96KB

  • MD5

    8350a889a8d1c4cae4fe512d2c17b082

  • SHA1

    5f5bcb67b15a9f65a50e5d0a1621483ffa6000b0

  • SHA256

    6796c3d66bdf05fc451590201e40f1c066086055ef177eb0877316a70a9d5067

  • SHA512

    a69e4863935c6f60355f8106b07dd905a106f58649bfda61ff684d21e04f68abb86822bd308d40fedac134597dc9a12943f9bb3f9ec7812e3adeccc3ded78834

  • SSDEEP

    1536:CmFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8pr1VJqNueG:CsS4jHS8q/3nTzePCwNUh4E91VBeG

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 5 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Gh0strat family
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops file in System32 directory 6 IoCs
  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8350a889a8d1c4cae4fe512d2c17b082_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8350a889a8d1c4cae4fe512d2c17b082_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2640
    • \??\c:\users\admin\appdata\local\jhsiytrixg
      "C:\Users\Admin\AppData\Local\Temp\8350a889a8d1c4cae4fe512d2c17b082_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\8350a889a8d1c4cae4fe512d2c17b082_jaffacakes118.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3924
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:736
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 804
      2⤵
      • Program crash
      PID:996
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 736 -ip 736
    1⤵
    PID:3180
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:624
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 940
      2⤵
      • Program crash
      PID:452
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 624 -ip 624
    1⤵
    PID:4484
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:4980
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 880
      2⤵
      • Program crash
      PID:2832
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4980 -ip 4980
    1⤵
    PID:1948
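The process tree above, together with the dropped files listed under Downloads, is enough to write a host-side hunt. The following Python is an added example, not part of the sandbox report. It keys on two things the report shows directly: the dropped DLL is loaded by a 32-bit (SysWOW64) svchost hosting the netsvcs service "fastuserswitchingcompatibility" (PIDs 736, 624, 4980, each of which then crashes into WerFault), and the extensionless copy in %LOCALAPPDATA% (PID 3924) is started with the original sample's path after "a -s" and is the process that deletes itself. The ProcEvent record shape is an assumption modelled on Sysmon process-creation events, and the regexes are heuristics; the observation that the netsvcs group normally runs in the 64-bit System32\svchost.exe on x64 Windows is my reasoning, not something the report states. Hash values are copied from the Downloads section.

```python
"""Host-side hunt for the behaviours in this report, run over constructed
Sysmon-style process-creation records. Added example; not part of the sandbox
output. Record shape, field names and the regex heuristics are assumptions."""
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# SHA-256 values copied from the Downloads section of this report.
DROPPED_SHA256 = {
    "c45540d46a8c39df6c01539db0d149f84e6948caabe39c49c99fccc5d8ddea2c",  # %LOCALAPPDATA%\jhsiytrixg
    "1471faabedaefe44bcf41f64bd55f0e27a849c4982548a6e242e63b9ee68b780",  # ...\storm\update\%sessionname%\qomeo.cc3
}

# Path fragments from the Downloads section. The dropped files are large
# (24.7MB and 22.1MB), so a path check is a useful complement to hashes.
SUSPICIOUS_PATH_FRAGMENTS = (
    "\\syswow64\\svchost.exe.txt",
    "\\programdata\\application data\\storm\\update\\",
)


@dataclass
class ProcEvent:
    """Minimal process-creation record (assumed shape, after Sysmon Event ID 1)."""
    pid: int
    image: str
    cmdline: str


# PIDs 736/624/4980: the dropped DLL is loaded by a 32-bit (SysWOW64) svchost
# hosting "fastuserswitchingcompatibility" in the netsvcs group. On 64-bit
# Windows the netsvcs services run in the 64-bit System32\svchost.exe, so the
# WOW64 host alone is anomalous; the service name narrows it to this report.
WOW64_NETSVCS_RE = re.compile(
    r'\\syswow64\\svchost\.exe"?\s+-k\s+netsvcs\s+-s\s+fastuserswitchingcompatibility', re.I)

# PID 3924: an extensionless file in %LOCALAPPDATA% is started as
#   "<original>.exe" a -s<original path>
# and is the process flagged "Deletes itself".
LOCALAPPDATA_NOEXT_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\[^\\.]+$", re.I)
SELF_DELETE_ARGS_RE = re.compile(r'\s+a\s+-s[a-z]:\\[^\s"]+\.exe\s*$', re.I)


def check_event(ev: ProcEvent) -> Optional[str]:
    """Return a reason string if the record matches a report behaviour, else None."""
    image = ev.image.lower()
    if image.startswith("\\??\\"):  # NT path prefix as shown in the process tree
        image = image[4:]
    if image.endswith("\\syswow64\\svchost.exe") and WOW64_NETSVCS_RE.search(ev.cmdline):
        return "wow64 svchost hosting fastuserswitchingcompatibility (netsvcs)"
    if LOCALAPPDATA_NOEXT_RE.match(image) and SELF_DELETE_ARGS_RE.search(ev.cmdline):
        return "extensionless %LOCALAPPDATA% drop relaunched with 'a -s<original>' (self-delete)"
    return None


def hunt(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return [(pid, reason)] for every matching record, in input order."""
    hits = []
    for ev in events:
        reason = check_event(ev)
        if reason is not None:
            hits.append((ev.pid, reason))
    return hits


def is_suspicious_path(path: str) -> bool:
    """True if a created-file path contains one of the report's drop locations."""
    p = path.lower()
    return any(frag in p for frag in SUSPICIOUS_PATH_FRAGMENTS)


def is_known_dropped(data: bytes) -> bool:
    """True if the SHA-256 of the bytes is one of the report's dropped-file hashes."""
    return hashlib.sha256(data).hexdigest() in DROPPED_SHA256


# Constructed records mirroring the report's process tree, plus a benign
# 64-bit netsvcs host as a control.
SAMPLE_EVENTS = [
    ProcEvent(2640,
              r"C:\Users\Admin\AppData\Local\Temp\8350a889a8d1c4cae4fe512d2c17b082_JaffaCakes118.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\8350a889a8d1c4cae4fe512d2c17b082_JaffaCakes118.exe"'),
    ProcEvent(3924,
              r"\??\c:\users\admin\appdata\local\jhsiytrixg",
              r'"C:\Users\Admin\AppData\Local\Temp\8350a889a8d1c4cae4fe512d2c17b082_JaffaCakes118.exe"'
              r" a -sc:\users\admin\appdata\local\temp\8350a889a8d1c4cae4fe512d2c17b082_jaffacakes118.exe"),
    ProcEvent(736,
              r"C:\Windows\SysWOW64\svchost.exe",
              r"C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility"),
    ProcEvent(1234,
              r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule"),
]

if __name__ == "__main__":
    for pid, reason in hunt(SAMPLE_EVENTS):
        print(pid, reason)
```

Running the block on the constructed records flags PID 3924 and PID 736 and leaves the original sample process and the 64-bit control untouched. The self-delete rule matches on the process image rather than the image named in the command line, because in the report the relaunched copy (jhsiytrixg) still carries the original executable's path as argv[0].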

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\jhsiytrixg
    Filesize
    24.7MB
    MD5
    9a20dfa4e653c64a86d95d0486295d83
    SHA1
    0393cfe9709c363df1c49af5fb2e7930524de983
    SHA256
    c45540d46a8c39df6c01539db0d149f84e6948caabe39c49c99fccc5d8ddea2c
    SHA512
    b547b96a6600808a5bcdd6d66f3c955ca7a4b801210c356fc2ff7a70391d7f82463d1e34ec2128ba9068eb113f3aef77e8200291898aceafdb90e55d51215d62
  • C:\Windows\SysWOW64\svchost.exe.txt
    Filesize
    206B
    MD5
    715b8d3e99de00dfde0320125c2814d0
    SHA1
    8da37a61b259891122c5a51e0f145207163de3a7
    SHA256
    13487c6d6479b21de9e3e1daa51761ba995384fe58293b2af69283c124978a4f
    SHA512
    3d7aeb5f725c8de8b2a1e0a810c7a7279823c84166048cff6ae4cf056d432aebae0e648a2f162c53deb48211c06ce377737bfd192cb4b7c5213c9c4682e097aa
  • C:\Windows\SysWOW64\svchost.exe.txt
    Filesize
    309B
    MD5
    a1b3d9a52c90bdd750bbe642cce77008
    SHA1
    cbff5b4a9b29a2a02cd430d4596cf925fee19676
    SHA256
    8d19f38c78cc51e47c4af34e130e78d2bf7000a9219b3541092ac9291e38abfc
    SHA512
    f134ff3512a8743684de780d47b4f24f3a42d0a20328bf93a242c8d84c0739b72cc952f4137675ddd30f1f732adf7866ce9863768b72a3c9233046e5d40f519a
  • \??\c:\programdata\application data\storm\update\%sessionname%\qomeo.cc3
    Filesize
    22.1MB
    MD5
    77f6e190203fd5307d8ff0427b39b496
    SHA1
    9afee72488de4ab9d9d95124d5b49123d98471df
    SHA256
    1471faabedaefe44bcf41f64bd55f0e27a849c4982548a6e242e63b9ee68b780
    SHA512
    2d9b073cd8f3eb16e8e6d42fb2374211a1108329ae4fd526815d14fbd47d7f5cd048dab20b32cd7edf00276e3880397016b6a65b826fd3f94764c814d62a09ac
  • memory/624-26-0x0000000020000000-0x0000000020027000-memory.dmp
    Filesize
    156KB
  • memory/624-23-0x0000000002080000-0x0000000002081000-memory.dmp
    Filesize
    4KB
  • memory/736-19-0x0000000001B00000-0x0000000001B01000-memory.dmp
    Filesize
    4KB
  • memory/736-21-0x0000000020000000-0x0000000020027000-memory.dmp
    Filesize
    156KB
  • memory/2640-0-0x0000000000400000-0x000000000044E4A4-memory.dmp
    Filesize
    313KB
  • memory/2640-12-0x0000000000400000-0x000000000044E4A4-memory.dmp
    Filesize
    313KB
  • memory/2640-2-0x00000000001D0000-0x00000000001D1000-memory.dmp
    Filesize
    4KB
  • memory/3924-18-0x0000000000400000-0x000000000044E4A4-memory.dmp
    Filesize
    313KB
  • memory/3924-9-0x0000000000400000-0x000000000044E4A4-memory.dmp
    Filesize
    313KB
  • memory/3924-10-0x00000000001D0000-0x00000000001D1000-memory.dmp
    Filesize
    4KB
  • memory/4980-28-0x00000000015E0000-0x00000000015E1000-memory.dmp
    Filesize
    4KB
  • memory/4980-31-0x0000000020000000-0x0000000020027000-memory.dmp
    Filesize
    156KB