Analysis

  • max time kernel
    150s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system
  • submitted
    27-01-2025 09:16

General

  • Target

    JaffaCakes118_3e19fdf56e2975106fc88e4bb1d96d62.exe

  • Size

    110KB

  • MD5

    3e19fdf56e2975106fc88e4bb1d96d62

  • SHA1

    ce15870af3b18691ed9c3a65f006d09a19d02f44

  • SHA256

    8179d4d0e98a6f13b80a50a94159ee67d2007b82a705352993eddd6e266e7412

  • SHA512

    a2a3d339dfd52bdca5c2b3d06a1e5393f08f446ee3f0f3a9f06d0330b5dd9331e0c43856b892a06ae369e1fbfff808317f0e62509ff90c97ab235e236fa3c53e

  • SSDEEP

    3072:OjcmvxEBs20GjoP/q5Ap3cFIDwtlcdq86/f1NkUsRTz:zMxEBshGjE/qnF1lkZSf1CUsd

Signatures

  • Gh0st RAT payload 4 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese threat groups.

  • Gh0strat family
  • Drops file in Drivers directory 2 IoCs
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim host in order to infer its geographical location.

  • Suspicious behavior: LoadsDriver 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3e19fdf56e2975106fc88e4bb1d96d62.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3e19fdf56e2975106fc88e4bb1d96d62.exe"
    1⤵
    • Drops file in Drivers directory
    • Server Software Component: Terminal Services DLL
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    PID:640
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Drops file in Drivers directory
    • Deletes itself
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:2744
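The Signatures and Processes sections above describe the behaviours a detection engineer would want to alert on: a user-land executable writing into the Drivers and System32 directories, a dropped module being loaded (here by svchost.exe -k netsvcs, the service group a hijacked ServiceDll would be hosted in), and the dropper's image being deleted afterwards. The following Python is an added example, not part of the sandbox report or of the Gh0st RAT tooling; it replays a constructed list of Sysmon-style events modelled on the process tree above and flags those behaviours. The .dll and .sys file names in the event list are placeholders, since the report does not name the dropped driver or service DLL.

```python
"""Offline detection logic for the behaviours this report lists: files dropped
into the Drivers and System32 directories, a dropped DLL loaded by
'svchost.exe -k netsvcs', and deletion of the dropper's own image.

The event list below is CONSTRUCTED for illustration (Sysmon-style fields);
it is not the sandbox's telemetry, and the .dll/.sys names are placeholders
because the report does not name the dropped driver or service DLL."""

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
DRIVERS_DIR = "c:\\windows\\system32\\drivers\\"

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3e19fdf56e2975106fc88e4bb1d96d62.exe"
SVCHOST = r"C:\Windows\SysWOW64\svchost.exe"

# (seq, event, pid, image, target): target is the command line for
# ProcessCreate and the file path for FileCreate / ImageLoad / FileDelete.
SAMPLE_EVENTS = [
    (1, "ProcessCreate", 640, DROPPER, f'"{DROPPER}"'),
    (2, "FileCreate", 640, DROPPER, r"C:\Users\Admin\AppData\Local\Temp\259514449_ex.tmp"),
    (3, "ImageLoad", 640, DROPPER, r"C:\Users\Admin\AppData\Local\Temp\259514449_ex.tmp"),
    (4, "FileCreate", 640, DROPPER, r"C:\Windows\System32\placeholder_svc.dll"),      # placeholder name
    (5, "FileCreate", 640, DROPPER, r"C:\Windows\System32\drivers\placeholder.sys"),  # placeholder name
    (6, "ProcessCreate", 2744, SVCHOST, f"{SVCHOST} -k netsvcs"),
    (7, "ImageLoad", 2744, SVCHOST, r"C:\Windows\System32\placeholder_svc.dll"),
    (8, "ImageLoad", 2744, SVCHOST, r"C:\Windows\SysWOW64\kernel32.dll"),  # benign load, must not fire
    (9, "FileDelete", 2744, SVCHOST, DROPPER),
]


def analyse(events):
    """Return a list of (rule, pid, path) findings, replaying events in sequence order."""
    proc_cmd, proc_image = {}, {}   # pid -> lower-cased command line / image path
    dropped = set()                 # lower-cased paths created earlier in the trace
    findings = []
    for _seq, kind, pid, image, target in sorted(events):
        img, tgt = image.lower(), target.lower()
        if kind == "ProcessCreate":
            proc_cmd[pid], proc_image[pid] = tgt, img
        elif kind == "FileCreate":
            dropped.add(tgt)
            if tgt.startswith(DRIVERS_DIR):
                findings.append(("drop_in_drivers", pid, target))
            elif tgt.startswith(SYSTEM_DIRS) and not img.startswith(SYSTEM_DIRS):
                # a process running from outside the system directories writing into them
                findings.append(("drop_in_system32", pid, target))
        elif kind == "ImageLoad" and tgt in dropped:
            # module was created earlier in the same trace: "loads dropped DLL";
            # flagged separately when the host is the netsvcs service group
            rule = ("netsvcs_loads_dropped_dll"
                    if "-k netsvcs" in proc_cmd.get(pid, "") else "loads_dropped_dll")
            findings.append((rule, pid, target))
        elif kind == "FileDelete" and tgt in proc_image.values():
            # the main image of a process seen in this trace is being removed
            findings.append(("deletes_process_image", pid, target))
    return findings


if __name__ == "__main__":
    for rule, pid, path in analyse(SAMPLE_EVENTS):
        print(f"{rule:28} pid={pid:<5} {path}")
```

The rules are deliberately stateful: "loads dropped DLL" only fires for a module that the same trace saw being created, and the delete rule only fires for an image that belongs to a process in the trace, so a benign system DLL load or an unrelated temp-file deletion produces no finding.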

Network

Downloads

  • C:\Users\Admin\AppData\Local\Temp\259514511_res.tmp

    Filesize

    98KB

    MD5

    4948978eab7df48b1b15fae28cc51f48

    SHA1

    fae2127e6181125e998b26e6e710b1d006a47af4

    SHA256

    c52710c1ceeb0274a4636b354fccdb98db2c1666960c5c7ae5d95c25aba4a788

    SHA512

    1bd628c9fd4695bf2b00cd6af6722d93355c5c2d356a055669c9b3fdb0436134180598b569be4f04adecdced3dd992383fd17109680dfa192ea2adf1ff614b85

  • \Users\Admin\AppData\Local\Temp\259514449_ex.tmp

    Filesize

    98KB

    MD5

    7c2969e3c9f2a1c41623c8b0939a8418

    SHA1

    a8f902ca3f75b14db1ab72f461c2f869424ef410

    SHA256

    5471f3b6b714a63b16564ae6dbc8b02b83f41fea7a7a956cfe7ca15c4130eaf2

    SHA512

    2e4db9001b7114b1adda26a8ea026144cedd226a73201aca414ba0f39df24e5f64dc66579315702cf748819b0324b241c3628234491d19f4d3f3fd12fb147632

  • memory/640-0-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

  • memory/640-10-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB