General

  • Target

    JaffaCakes118_47bed904c5d80f6d5c94c14454b56018

  • Size

    96KB

  • Sample

    250128-g22beazphp

  • MD5

    47bed904c5d80f6d5c94c14454b56018

  • SHA1

    f6818e0a15fc5d6162d90adff96094fb231db0ca

  • SHA256

    4999fe6aa48881f685dc24d7883007ec661b2b2c88147e7bf4dd0281634cab96

  • SHA512

    6e3956175eff21ddfe02b823d13b795b5c2ba844b35e5fac4756279295421144aebfa1f3a374d02615c43b31f595302614b06667c9e39f597708933c477b12f5

  • SSDEEP

    1536:SHFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prkdrU0OBSBX:SxS4jHS8q/3nTzePCwNUh4E9kLOBS9

Malware Config

Targets

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese threat groups.

    • Gh0strat family

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Writes to the Master Boot Record (MBR)

      Bootkits overwrite the MBR, the first sector of the disk that legacy BIOS firmware loads and executes before the operating system, to gain persistence at a level below the operating system.

    • Drops file in System32 directory

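The "Writes to the Master Boot Record (MBR)" signature above is the one a responder would want to verify on the affected host. The following Python check is an added example, not code from the sandbox report or from the sample: it parses a 512-byte MBR into boot code, disk signature and partition table, then compares a current sector against a known-good copy. The typical bootkit pattern is replaced boot code with the partition table and disk signature left intact so the machine still boots, and the check flags exactly that combination. All MBR bytes and the partition layout below are constructed for the example; on a real system read the first sector from a forensic image, or from the raw device (for instance `\\.\PhysicalDrive0` on Windows, as administrator) and compare it against a sector captured from a clean build.

```python
"""Compare a disk's MBR against a known-good copy (added example, constructed data)."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0..439: executable boot code
DISK_SIG_OFF = 440       # 4-byte disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG_OFF = 510       # bytes 55 AA close a valid MBR

# One partition entry: status, 3 CHS bytes, type, 3 CHS bytes, LBA start, LBA count.
PART_ENTRY = "<B3xB3xII"


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code hash, disk signature and partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR_SIZE)
    parts = []
    for i in range(4):
        status, ptype, lba_start, lba_count = struct.unpack_from(
            PART_ENTRY, sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:  # type 0 means an unused slot
            parts.append({"index": i, "active": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "lba_count": lba_count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": parts,
        "valid_signature": sector[BOOT_SIG_OFF:] == b"\x55\xaa",
    }


def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Return findings where `current` departs from `baseline`; [] means identical."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not cur["valid_signature"]:
        findings.append("boot signature 0x55AA missing: sector is not a bootable MBR")
    boot_changed = cur["boot_code_sha256"] != base["boot_code_sha256"]
    if boot_changed:
        findings.append("boot code differs from baseline (sha256 %s...)"
                        % cur["boot_code_sha256"][:16])
    if cur["disk_signature"] != base["disk_signature"]:
        findings.append("disk signature changed")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table changed")
    elif boot_changed:
        # Boot code replaced but layout preserved: the system still boots, which is
        # what a bootkit needs. Worth escalating rather than treating as a reinstall.
        findings.append("partition table preserved while boot code replaced: consistent with a bootkit")
    return findings


def read_mbr(path: str) -> bytes:
    """Read the first sector of a raw device or disk image."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def build_mbr(boot_code: bytes, disk_sig: int, partitions) -> bytes:
    """Assemble a 512-byte MBR from parts (used here only to construct sample input)."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFF, disk_sig)
    for i, (active, ptype, lba_start, lba_count) in enumerate(partitions):
        struct.pack_into(PART_ENTRY, sector, PART_TABLE_OFF + 16 * i,
                         0x80 if active else 0x00, ptype, lba_start, lba_count)
    sector[BOOT_SIG_OFF:] = b"\x55\xaa"
    return bytes(sector)


# Constructed baseline: opening bytes resembling a stock Windows MBR
# (xor ax,ax / mov ss,ax / mov sp,7C00h ...), one active NTFS (0x07) partition.
CLEAN_BOOT = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8\xbe\x00\x7c\xbf\x00\x06"
PARTS = [(True, 0x07, 2048, 204800)]
CLEAN_MBR = build_mbr(CLEAN_BOOT, 0x1234ABCD, PARTS)

# Constructed tampered copy: boot code starts with a short jmp into replacement
# code; partition table and disk signature are left untouched.
HOOKED_BOOT = b"\xeb\x1e\x90" + b"\x00" * 29 + b"\xb8\x00\x10\x8e\xc0"
HOOKED_MBR = build_mbr(HOOKED_BOOT, 0x1234ABCD, PARTS)

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: script.py <known-good image> <suspect image or device>
        findings = compare_mbr(read_mbr(sys.argv[1]), read_mbr(sys.argv[2]))
    else:
        findings = compare_mbr(CLEAN_MBR, HOOKED_MBR)
    print("\n".join(findings) or "no differences")
```

The baseline should come from the same build image the host was deployed from; a mismatch in the disk signature alone usually means a different disk rather than tampering, so the findings are kept separate instead of collapsed into one verdict.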
MITRE ATT&CK Enterprise v15

Tasks