Analysis
-
max time kernel
148s -
max time network
140s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
27-01-2025 17:44
General
-
Target
JaffaCakes118_422c2de721f1241da6aaf7c5584162fd.exe
-
Size
146KB
-
MD5
422c2de721f1241da6aaf7c5584162fd
-
SHA1
144f717c93afd0e25924a6677821c630e2028ac1
-
SHA256
6102dae7b7d0fef08b08fb9faadb1bc7cb75ea5bf78772d228c5e9c7b45b80ce
-
SHA512
468bf02960be2f3c77540cb0ef6ab06749a84bd5885ae0bebc44d142e1eaa0187550f7c62b9966e071ba53b453f0dda6514e26ec407f87330e1b378b7bfd376f
-
SSDEEP
3072:NgEehZ6lngDMYUxHkq15yoY0f4S07tVaTqXuz1KJoZAo5LH5u:NgEehkHkmMoY0xoV00uz1PZAS
Malware Config
Signatures
-
Gh0st RAT payload 3 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Gh0strat family
-
Deletes itself 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_422c2de721f1241da6aaf7c5584162fd.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_422c2de721f1241da6aaf7c5584162fd.exe"1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k imgsvc1⤵
- Deletes itself
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
126KB
MD59ea83111253838ac029211df562cd717
SHA1e1ef851cb46bb7423ac785f1d4846acc9684b2cb
SHA2560efa295ce1104489bdb0c76b190b097bc7f804ee89063c83ea49195197cc960f
SHA512345b5ba15514868ba9263755d38b39485d4b8140ee828637b0f1eaa6fca901fa592c79529c384dbc91394829259a2ee065a2d18e894e5e480b71cee7daa8c786
-
Filesize
115B
MD559937e03c18ff627b5080fd8a77b6901
SHA10ba5366193e3103b9e245ba63aae2cb54734c342
SHA256945653271fd1171738b6eacd948da148d5cb16002dc0c1e48354bf0bbecbddb3
SHA5125f0bcc62b187175d601427d73cf0582541437b3145c4043d8ea2fe795b06b50712783e8a1a23e92d9b7fc9b09ab1d1a0bd1d789e8d4f59a99dd46918aea49983
-
Filesize
5.4MB
MD5f5a4aad05d0a35371e10ad66fdff8492
SHA112fd344ff88ea8bf7a48187098fdc1633b46eb7e
SHA25647cab7430d825ad3a0ec3afd9750f4cfbc7d091579cf8c99158fddf576450528
SHA512e3b8a0907d6d80ce75875074453ed1d54f922d16122bddff8f1613a7f65e401ca37c737fbb67ac7cb4e77286330d76391402481c86caf389e465f334ffefea82
-
Filesize
144KB
