Overview

overview

10

Static

static

3

JaffaCakes...3e.exe

windows7-x64

10

JaffaCakes...3e.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    17s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    27-01-2025 02:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_3b18536460fe372507a5ace4d0109f3e.exe

  • Size

    150KB

  • MD5

    3b18536460fe372507a5ace4d0109f3e

  • SHA1

    75efb0d3c9ccfc2a06ddd06f8e3920c6f0ca0458

  • SHA256

    28e4192fb2b07938866a6cf3dc36a8b1178a525b0b67c217d655a4f312d71d0e

  • SHA512

    046223a8780361722c485f40859db72c5daeadc691bc8b3b1e8438a2c50eb5a6e30e44180a16ff4fd889e4825d5bc4bd7d0b29aa4ae8e07401978609e8cbe3fa

  • SSDEEP

    3072:uv5zQKSJs/rWDVV8EcUqgzOc8hdF/7oQkx5YbMHkdv22:c5MK2orQ7XAgzahdJ3s5YKIvB

Score
10/10
gh0stratdefense_evasiondiscoveryrat

Malware Config

Signatures

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Gh0strat family
    gh0strat
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3b18536460fe372507a5ace4d0109f3e.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3b18536460fe372507a5ace4d0109f3e.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2596
    • C:\Users\Admin\AppData\Local\Temp\indFCA7.tmp
      C:\Users\Admin\AppData\Local\Temp\indFCA7.tmp
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:2224
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\INS18D~1.INI /quiet
      2⤵
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2800
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2716
      • C:\Users\Admin\AppData\Local\Temp\inl1B9E.tmp
        C:\Users\Admin\AppData\Local\Temp\inl1B9E.tmp cdf1912.tmp
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:652
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inl1B9E.tmp > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2996
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2540
      • C:\Windows\SysWOW64\expand.exe
        expand.exe "C:\Users\Admin\AppData\Local\Temp\favorites_url.cab" -F:*.* "C:\Users\Admin\Favorites"
        3⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:2464
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2212
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2792
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding ADDBE9855138B75E1BDF8496B26E1781
      2⤵
      • System Location Discovery: System Language Discovery
      PID:568

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\f781c2c.rbs
    Filesize

    7KB

    MD5

    5c096da90a8c99e852396645f31d26e7

    SHA1

    1cb092648aa86b8bd177e671dadf104d8bcfcfa3

    SHA256

    48a6a31fca2e6c65ad9680e45c755c44f2fb8f6606bc439593b9449fa2065d2d

    SHA512

    94046f52c824bdc4a8098b4856ca384aaca94fb2525f84ec5d1974be72be718a83ecfe6912bb6be64a7ff7f713196c608f6e6c15f4fa885a47b63e8acf456d89

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\INS18D~1.INI
    Filesize

    66KB

    MD5

    b98639abd0ec22504a1f3616044106cf

    SHA1

    fa7ce698e3724f3f51391cb689f68560e4b675e7

    SHA256

    09a17ce562da9261adab2213dc740b7638f683875f62c54195564a80fbce722d

    SHA512

    47a715eaf8151f9dd7f721033e927b3bdd296c6326e8ec0b9377ff285c8ceb2d8ca2353ee151472a8ce1ce5a7423b949ca23ef506bc44c550b59b455de9e95ed

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp
    Filesize

    768B

    MD5

    d20d9eda31a2d0300e4589df7f352370

    SHA1

    79b46d2dbb489914cfedafdbc90e62951471b48e

    SHA256

    d7a1d6a8cf5c3fbb85cd06147a599f5274630b86b1c89721f10a60c1bbe994d8

    SHA512

    d28c5b69325a9833776ea362445b77b231a0ec9b9b8b4a2ad37a434ee8b2b0c1903d6ade1e372f73ac8ada951e0a24076cf23d9307d27fed5927f4bf8b0d0a5e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat
    Filesize

    57B

    MD5

    770411e363c4d2f3c0caaf612affb002

    SHA1

    c295d145d0ad5953b014d88af7550c1b677abda6

    SHA256

    2db61b50ebcb3542af125a57d217f47c2fe896a4bbfb774a82b7308eabc137e6

    SHA512

    636833ba00ef6d1d302aa5dc02f8beb430e423060de3a76188d0efae05090ed65a6f426990533dc38dcc052534e588e26257a4ebbaba83b2febeceb56d445b8b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat
    Filesize

    98B

    MD5

    8663de6fce9208b795dc913d1a6a3f5b

    SHA1

    882193f208cf012eaf22eeaa4fef3b67e7c67c15

    SHA256

    2909ea8555f2fc19097c1070a1da8fcfd6dc6886aa1d99d7e0c05e53feeb5b61

    SHA512

    9381063e0f85e874be54ae22675393b82c6ab54b223090148e4acbeff6f22393c96c90b83d6538461b695528af01d1f1231cf5dc719f07d6168386974b490688

    Download Submit

  • \??\c:\users\admin\appdata\local\temp\favorites_url.cab
    Filesize

    425B

    MD5

    da68bc3b7c3525670a04366bc55629f5

    SHA1

    15fda47ecfead7db8f7aee6ca7570138ba7f1b71

    SHA256

    73f3605192b676c92649034768378909a19d13883a7ea6f8ba1b096c78ffadb5

    SHA512

    6fee416affcb6a74621479697bca6f14f5429b00de3aa595abe3c60c6b2e094877b59f8783bbe7bdd567fa565d0630bb02def5603f8f0ea92fe8f2c3ac5383c0

    Download Submit

  • memory/652-92-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2224-12-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2224-17-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2224-13-0x00000000002E0000-0x00000000002E2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2596-19-0x00000000041C0000-0x00000000041D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2596-53-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2596-2-0x0000000000020000-0x0000000000023000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2596-8-0x0000000000370000-0x00000000003A0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2596-1-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download