General

  • Target

    JaffaCakes118_3fc09a37f0c7da1a4d5f0486a115365b

  • Size

    150KB

  • Sample

    250127-p5t1hayrcy

  • MD5

    3fc09a37f0c7da1a4d5f0486a115365b

  • SHA1

    b28715eb2931ddc5308a3bb5462e0a1f24282e76

  • SHA256

    36b8aa9315afba0c3bce729f0889fb033f01189f05e1a22994445d702ec612c0

  • SHA512

    71fde22e3de0f2ad529d5a0345985eeddaab19953087887f0c24819f55aa72ab3cba1755e3120241ceeb87519f063eaeb1a116278f796c4c2acc4b8adf4ca77a

  • SSDEEP

    3072:uv5zQKSJs/rWDVV8EcUqgzOc8hdF/7oQkx5YbMHkdv2r:c5MK2orQ7XAgzahdJ3s5YKIvQ

Malware Config

Targets

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • Gh0strat family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

MITRE ATT&CK Enterprise v15

Tasks
