Overview

overview

10

Static

static

3

JaffaCakes...d1.exe

windows7-x64

10

JaffaCakes...d1.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    28-01-2025 03:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_4657f69c3e151f3bcb728628b7f06cd1.exe

  • Size

    366KB

  • MD5

    4657f69c3e151f3bcb728628b7f06cd1

  • SHA1

    c4742328eab6fbd49dae8efa6fc098ca3ad2d77b

  • SHA256

    01b58d3a2e1ba116cb73dcfedc8a4be2fb2f443ae884ae383d50de060ee0bd89

  • SHA512

    85c9c7b6dc58ee35102f118acdd076a85a421e500cc00128f8a68eb9640eab63b13ea23491cffc1576d4a347e2aa393b45bb33ee044e13080d49835d937342da

  • SSDEEP

    6144:nINgekrKFVH0pwpM9NBiBd3wxQKwaaQMoTUUNm:nINgekrKFVH0pp9KdAxQKwB1

Score
10/10
gh0stratbootkitdefense_evasiondiscoverypersistencerat

Malware Config

Signatures

  • Gh0st RAT payload 5 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Gh0strat family
    gh0strat
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 11 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in Program Files directory 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4657f69c3e151f3bcb728628b7f06cd1.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4657f69c3e151f3bcb728628b7f06cd1.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2144
    • C:\Program Files\Common Files\qiuqi0.exe
      "C:\Program Files\Common Files\qiuqi0.exe" "C:\Program Files\Common Files\maoma0.dll" ServiceMain
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:2936
    • C:\Documents and Settings\qiuqi0.exe
      "C:\Documents and Settings\qiuqi0.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3048
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c del C:\DOCUME~1\qiuqi0.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1088
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c del C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2336

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Common Files\maoma0.dll
    Filesize

    24.1MB

    MD5

    ddc2632c9600d19f5c931f6405ee65fd

    SHA1

    21426dbc6fd901d15a79feccaf69e3d27458d9eb

    SHA256

    c8b7705f4b41a0ec101e96c4cf7676659b3181bdd86f5b3dacea3bfdabcb5785

    SHA512

    2a88384e3413d583afbb4ef57be14b6fed4905d4b96a9b333af28d7ce749fcc256485b68c9785a148a1503c48e258588713c1eaf9ae91f27d9297f47efb0f49e

    Download Submit

  • \Program Files\Common Files\qiuqi0.exe
    Filesize

    43KB

    MD5

    51138beea3e2c21ec44d0932c71762a8

    SHA1

    8939cf35447b22dd2c6e6f443446acc1bf986d58

    SHA256

    5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

    SHA512

    794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

    Download Submit

  • \Users\qiuqi0.exe
    Filesize

    24.0MB

    MD5

    43ff1221794ea69ac37128118aade0f4

    SHA1

    1fe8710c7b8a12afb315720f9cb99764ad430674

    SHA256

    c810ea39543a136f790b3d9a4bfe7c46bb9073f9d17ef3f3ea094f969835403a

    SHA512

    ec1e093c35fc4a1bd370de2e8b36ddbd5c019de6ce55df8fc9a52973628780096d12d7394f6fb3ab7d380f7089fcbb290e83029621c030dc19e698482d5ccda7

    Download Submit

  • memory/2144-5-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2144-3-0x0000000000340000-0x000000000037E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2144-7-0x0000000000270000-0x0000000000272000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2144-0-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2144-6-0x0000000000260000-0x0000000000261000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2144-4-0x0000000000340000-0x000000000037E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2144-2-0x0000000000340000-0x00000000003B9000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2144-1-0x0000000000340000-0x00000000003B9000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2144-39-0x00000000002A0000-0x00000000002A6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2144-49-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2144-50-0x0000000000340000-0x000000000037E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2144-8-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2144-31-0x0000000000340000-0x00000000003B9000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2144-30-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2144-32-0x0000000000340000-0x000000000037E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2936-26-0x0000000020000000-0x0000000020027000-memory.dmp

    Filesize

    156KB

    Download

  • memory/2936-28-0x0000000020000000-0x0000000020027000-memory.dmp

    Filesize

    156KB

    Download

  • memory/2936-29-0x0000000020000000-0x0000000020027000-memory.dmp

    Filesize

    156KB

    Download

  • memory/2936-25-0x0000000020000000-0x0000000020027000-memory.dmp

    Filesize

    156KB

    Download

  • memory/2936-51-0x0000000020000000-0x0000000020027000-memory.dmp

    Filesize

    156KB

    Download

  • memory/3048-45-0x0000000000020000-0x0000000000026000-memory.dmp

    Filesize

    24KB

    Download

  • memory/3048-46-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

    Download

  • memory/3048-40-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

    Download