Overview

overview

10

Static

static

1

JaffaCakes...3c.exe

windows7-x64

10

JaffaCakes...3c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    27-01-2025 03:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_3b9d1a2900223810cc0168c0ebec303c.exe

  • Size

    224KB

  • MD5

    3b9d1a2900223810cc0168c0ebec303c

  • SHA1

    f2856930c0590a6fddc76b1eb520473bb31c34e3

  • SHA256

    7854d2a4eee142a4382472dfe90a063eb41ff1957e3186dedc146b070831e06f

  • SHA512

    7fcb2b40b0b4d19aa8750cc2bea364d63828960052ee9f16517f9dba399c502571ca09d8215f43f4892760c596be997d28c51cdc2ec121bc53ea993c7c23af10

  • SSDEEP

    6144:msOZtaqC2RShTSUd2SHZI+regn4ksb1LhK:MZtaqkNSUYSHZI+regn4kKs

Score
10/10
gh0stratdefense_evasiondiscoverypersistencerattrojan

Malware Config

Signatures

  • Gh0st RAT payload 4 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Gh0strat family
    gh0strat
  • UAC bypass 3 TTPs 3 IoCs
    defense_evasiontrojan
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 9 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    defense_evasiontrojan
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 3 IoCs
    defense_evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3b9d1a2900223810cc0168c0ebec303c.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3b9d1a2900223810cc0168c0ebec303c.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2396
    • C:\Program Files (x86)\Thunder Network\XMP.exe
      "C:\Program Files (x86)\Thunder Network\XMP.exe"
      2⤵
      • Server Software Component: Terminal Services DLL
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2044
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\PROGRA~2\THUNDE~1\XMP.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2824
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k Zlh0dkm3
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2776
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe c:\windows\system32\bgf0qq.pic,CreateExaminePage Zlh0dkm3
      2⤵
      • UAC bypass
      • Deletes itself
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • System policy modification
      PID:2868

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
    Filesize

    174B

    MD5

    a2d31a04bc38eeac22fca3e30508ba47

    SHA1

    9b7c7a42c831fcd77e77ade6d3d6f033f76893d2

    SHA256

    8e00a24ae458effe00a55344f7f34189b4594613284745ff7d406856a196c531

    SHA512

    ed8233d515d44f79431bb61a4df7d09f44d33ac09279d4a0028d11319d1f82fc923ebbc6c2d76ca6f48c0a90b6080aa2ea91ff043690cc1e3a15576cf62a39a6

    Download Submit

  • \Program Files (x86)\Thunder Network\XMP.exe
    Filesize

    333KB

    MD5

    97405665bbdf4fbb45b080aa89791e69

    SHA1

    e5a7c19c1caf98b42fe664983105b60197883c75

    SHA256

    9e8fc4389e6e9849cb2a25131034e2452bbf62dc39d22aad7f304ff6be9b3bb6

    SHA512

    e600e347662b05b128cf1ac0bcc8ba3aa536cc2e5506d3e793862d625fcc4dcbc941e6d1ed9b4480b0ee799a798852ec2c616698adbacfce27994b72a6fe200b

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsu75CE.tmp\Banner.dll
    Filesize

    4KB

    MD5

    0116a50101c4107a138a588d1e46fca5

    SHA1

    b781dce23e828cf2b97306661c7dad250a6aaf77

    SHA256

    ab80cf45070d936f0745f5e39b22e6e07ba90aa179b5ec4469ef6e2cb1b9ef6b

    SHA512

    55de6aeaad05b01a25828553d3ea9f1b32a8b0c35c42dc6106bed244320e3421ec6a6f5359b15f9d18dd1e9692ca5572b2736d9d48cceb07b9443601d00a5988

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsu75CE.tmp\System.dll
    Filesize

    11KB

    MD5

    c17103ae9072a06da581dec998343fc1

    SHA1

    b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

    SHA256

    dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

    SHA512

    d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

    Download Submit

  • memory/2776-31-0x0000000000340000-0x0000000000365000-memory.dmp

    Filesize

    148KB

    Download

  • memory/2868-33-0x0000000000130000-0x0000000000155000-memory.dmp

    Filesize

    148KB

    Download

  • memory/2868-47-0x0000000000130000-0x0000000000155000-memory.dmp

    Filesize

    148KB

    Download

  • memory/2868-49-0x0000000000130000-0x0000000000155000-memory.dmp

    Filesize

    148KB

    Download