Overview

overview

10

Static

static

3

JaffaCakes...02.exe

windows7-x64

10

JaffaCakes...02.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    27-01-2025 15:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_4128e44f1d14b6ba04ac744ad434d402.exe

  • Size

    518KB

  • MD5

    4128e44f1d14b6ba04ac744ad434d402

  • SHA1

    33efef5e8c9c48c3be35612af6d0c7ac9797d736

  • SHA256

    00a694cdbe727236aacdcebbf78d079f7556be71f95dcab9efa2a49454cad8b7

  • SHA512

    7fa340e65a1151b026e0aca5334dbb8d501688ee42f77f47e21935d5877cb1f51277b5dccf88af277cd8517e50e46a8e2d23705e2288ee75976beed16b15044a

  • SSDEEP

    6144:kbB5jfgexjptZL02vIMoIcGRU0MQmEMRxlroXnuUEF9GCpiQdu50CnP3xIxHIYP:kbB5jfgexjrOA9NRPmxwX/itF/

Score
10/10
gh0stratbootkitdefense_evasiondiscoverypersistencerat

Malware Config

Signatures

  • Gh0st RAT payload 5 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Gh0strat family
    gh0strat
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 11 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in Program Files directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4128e44f1d14b6ba04ac744ad434d402.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4128e44f1d14b6ba04ac744ad434d402.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1420
    • C:\Program Files\Common Files\qiuqiu.exe
      "C:\Program Files\Common Files\qiuqiu.exe" "C:\Program Files\Common Files\maomao.dll" ServiceMain
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:2704
    • C:\Documents and Settings\qiuqiu.exe
      "C:\Documents and Settings\qiuqiu.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3008
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c del C:\DOCUME~1\qiuqiu.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1596
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c del C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:1748

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Common Files\maomao.dll
    Filesize

    24.1MB

    MD5

    b4bba4847fe75772f94968aebcf3d617

    SHA1

    b387fba5da517c980ab95875aa43d75e79adb93d

    SHA256

    d5e726d2309e9173fb97dd3c202e604d79101a0dcdadeb5e8c832e9605d3f81c

    SHA512

    99f4cf09961376b8dbf459cbe01070dfaeeddef6761a208b54fd7eef8ffbee230fb0a069817ad2c307194bcd87d5d746f2ac3474f11c184296f6f22e886ccbdc

    Download Submit

  • \Program Files\Common Files\qiuqiu.exe
    Filesize

    43KB

    MD5

    51138beea3e2c21ec44d0932c71762a8

    SHA1

    8939cf35447b22dd2c6e6f443446acc1bf986d58

    SHA256

    5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

    SHA512

    794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

    Download Submit

  • \Users\qiuqiu.exe
    Filesize

    24.0MB

    MD5

    0c0570b0085b25c08cab1b160334cf24

    SHA1

    6f66a64c5403a8487c00d5209e5ba0a839bbaa82

    SHA256

    624887e8abeec4a2b772cbf74642f3c2df5d0c43971ab1c07e738f9e1d68a0d3

    SHA512

    6e7d1ddde7b7e2b95c4ad56d29568eb5058462a044a7f064cf9c77bc16eef6066b11ee8c4a7d629c40659befaca4866fe4c73d4058cd2728352caec9b2c33a09

    Download Submit

  • memory/1420-29-0x0000000000310000-0x000000000034E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1420-34-0x00000000003A0000-0x00000000003A6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1420-4-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

    Download

  • memory/1420-6-0x00000000002F0000-0x00000000002F2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1420-5-0x00000000002E0000-0x00000000002E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1420-3-0x0000000000310000-0x000000000034E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1420-2-0x0000000000310000-0x000000000034E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1420-46-0x0000000000310000-0x000000000034E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1420-45-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

    Download

  • memory/1420-1-0x00000000002D0000-0x0000000000349000-memory.dmp

    Filesize

    484KB

    Download

  • memory/1420-7-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

    Download

  • memory/1420-28-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

    Download

  • memory/1420-0-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2704-27-0x0000000020000000-0x0000000020027000-memory.dmp

    Filesize

    156KB

    Download

  • memory/2704-24-0x0000000020000000-0x0000000020027000-memory.dmp

    Filesize

    156KB

    Download

  • memory/2704-25-0x0000000020000000-0x0000000020027000-memory.dmp

    Filesize

    156KB

    Download

  • memory/2704-23-0x0000000020000000-0x0000000020027000-memory.dmp

    Filesize

    156KB

    Download

  • memory/2704-47-0x0000000020000000-0x0000000020027000-memory.dmp

    Filesize

    156KB

    Download

  • memory/3008-42-0x0000000000020000-0x0000000000026000-memory.dmp

    Filesize

    24KB

    Download

  • memory/3008-41-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

    Download