Overview

overview

10

Static

static

3

JaffaCakes...d3.exe

windows7-x64

10

JaffaCakes...d3.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    143s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    27-01-2025 07:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_3d7dc68e9ded817b01629c60d5051dd3.exe

  • Size

    270KB

  • MD5

    3d7dc68e9ded817b01629c60d5051dd3

  • SHA1

    e242215ebc88a3f3dae6be6fb529a30cf35b2a90

  • SHA256

    2af800e3d5ec67396314fabd72fb543f4773b08a0c7ef4e2ab9b0906e7607b1a

  • SHA512

    2a1537a340e8ac1fc2735185d1ad3580702aacc8c2589aeb6d9b0112da83b0026a1a735d7c81585f82a53ae8b11e325d92224a3af5495444ca0ba28b27500a2b

  • SSDEEP

    6144:EF3ge/Luz9FR1eTboMMjZstEGnUKvf8QLBBzAM+GuN8QpKPn:o3ge/LeL5FGnFlLbzL+jkn

Score
10/10
gh0stratbootkitdefense_evasiondiscoverypersistencerat

Malware Config

Signatures

  • Gh0st RAT payload 5 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Gh0strat family
    gh0strat
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 11 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in Program Files directory 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3d7dc68e9ded817b01629c60d5051dd3.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3d7dc68e9ded817b01629c60d5051dd3.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2812
    • C:\Program Files\Common Files\qiuqi0.exe
      "C:\Program Files\Common Files\qiuqi0.exe" "C:\Program Files\Common Files\maoma0.dll" ServiceMain
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:2876
    • C:\Documents and Settings\qiuqi0.exe
      "C:\Documents and Settings\qiuqi0.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2608
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c del C:\DOCUME~1\qiuqi0.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1536
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c del C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2904

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Common Files\maoma0.dll
    Filesize

    24.1MB

    MD5

    e3260113e1a61ce5b39746b2fb1dfbcb

    SHA1

    329120d117a1230e23a567cfbe74eee01d51d22a

    SHA256

    95e7d12a9f423636c743411340739a93aa581a890af87ef08fa934bd142bbe01

    SHA512

    377dfb03c1b60c91d3148f476a11625ba87d93b7de153d7d1413ceb9c02d2abf70d16082152b5c11beba17140434839e366425876249fef479e8585df08cf6fd

    Download Submit

  • \Program Files\Common Files\qiuqi0.exe
    Filesize

    43KB

    MD5

    51138beea3e2c21ec44d0932c71762a8

    SHA1

    8939cf35447b22dd2c6e6f443446acc1bf986d58

    SHA256

    5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

    SHA512

    794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

    Download Submit

  • \Users\qiuqi0.exe
    Filesize

    24.0MB

    MD5

    023f45e0b0e060d2e2c2c595831c032e

    SHA1

    5989bcc1112ba4dd7b09cc4ac314a795b62139eb

    SHA256

    73a2acb8234f372efd459c49ec0c77ed435aa9b6cfb87fc48d96894066debee4

    SHA512

    560fc4fd55a9cf855383b241d8c911599aad297e84f326492e7975ce6ab0a7b19fc6fef2164b6987f2989d88e9251870c5065aaa3645a5832476cad521baeb0a

    Download Submit

  • memory/2608-43-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2608-41-0x0000000000020000-0x0000000000026000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2608-42-0x0000000000020000-0x0000000000026000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2608-36-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2812-5-0x0000000000260000-0x0000000000261000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2812-3-0x0000000000280000-0x00000000002BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2812-6-0x00000000002C0000-0x00000000002C2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2812-46-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2812-47-0x0000000000280000-0x00000000002BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2812-27-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2812-28-0x0000000000280000-0x00000000002BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2812-0-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2812-7-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2812-35-0x00000000002E0000-0x00000000002E6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2812-4-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2812-2-0x0000000000280000-0x00000000002BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2812-1-0x0000000000240000-0x00000000002B8000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2876-25-0x0000000020000000-0x0000000020027000-memory.dmp

    Filesize

    156KB

    Download

  • memory/2876-26-0x0000000020000000-0x0000000020027000-memory.dmp

    Filesize

    156KB

    Download

  • memory/2876-48-0x0000000020000000-0x0000000020027000-memory.dmp

    Filesize

    156KB

    Download