Analysis

  • max time kernel
    150s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-01-2025 06:39

General

  • Target

    JaffaCakes118_47ef94a4dfe43e62eb753ded3893ac7b.exe

  • Size

    164KB

  • MD5

    47ef94a4dfe43e62eb753ded3893ac7b

  • SHA1

    8e63865079c11cc0fc284f2d2e9cb94c2ae74af4

  • SHA256

    72d8709d71fab8e930c3284c20a3d331e2a83ad6ea5d24d6ebb97040fe3935f4

  • SHA512

    3ecfc6a464a8cc1bcb2c0e5847f3eb22e1ab63268483742af11a56725ad639aa35369ef7b3a11bc62ca8a0ee24736c805158ece85ee0469d364369fa956e45bc

  • SSDEEP

    3072:nUT6QTlxjLXCKDcMERjtJXVtEhKwBDv0cUyMUeqovO:nU3HyvjTXLiKwBDvtUAeqo

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Gh0strat family
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_47ef94a4dfe43e62eb753ded3893ac7b.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_47ef94a4dfe43e62eb753ded3893ac7b.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:2364
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    1⤵
    • Deletes itself
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:2352

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Gffe\Lgrpoxsbm.jpg

    Filesize

    117KB

    MD5

    e9d5c476b5ebc8e2965bd58de7086328

    SHA1

    19e365404bd5876a2a52c2d76c37424a03184c59

    SHA256

    5d9828582307bf2518739767285b8e102fb74a4e2631136779d008cd0463a467

    SHA512

    ef0ce113d4fdaee736cc765e68ac5bb5a7d4f35506266fe31c84fa5a335fafcef5b0c77590b0cddc7ce7c2df601069032ac40a9c9caef49f52fc4b3552fe6223

  • \??\c:\NT_Path.jpg

    Filesize

    99B

    MD5

    b5bde7e2e9fff380b6ef18c5e72b7835

    SHA1

    7d5c605034bc847a46c03801d9eed0d8b0e6d66c

    SHA256

    8a133e1ff760cf65c044d63558a1fb46975b83745ab149baba187e1a464ce3c9

    SHA512

    24e7999e7aabd5a4839c5d55c3d46f6e8f2c08c503c899e22c0798019a57c6da08cf1226191a0b0fffe8315b5cad051a24fcf3a456935df46a78e0ac86484956

  • \??\c:\program files (x86)\gffe\lgrpoxsbm.jpg

    Filesize

    4.8MB

    MD5

    73d6791bb1a7b55be0f4ccf8294c768f

    SHA1

    b03284c25fd8837326604a86f080fe3c9d0934d1

    SHA256

    10fa156cf55bbc8a99c4f3064cc50b184718ccdeaed748b39f50e588d5b42b2b

    SHA512

    246902f91aad8378abd6799be3ae22429b905cd457ac14fcbe053f743fd7666288e2eec2e96564ba20e9f70793e6e237a789c2bfb6152bced107860ef81c7f9a

  • memory/2364-9-0x0000000010000000-0x0000000010021000-memory.dmp

    Filesize

    132KB