Analysis

  • max time kernel
    94s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-01-2025 09:43

General

  • Target
    JaffaCakes118_497730398d40b55e7e969e8784b68a95.exe
  • Size
    220KB
  • MD5
    497730398d40b55e7e969e8784b68a95
  • SHA1
    f0a84bc368acead6be937eae9192a7e24f878e46
  • SHA256
    71543c8e405705e9bbebc3f7f0d6bb954c0f4da8e00ead618ff263ed3ba144be
  • SHA512
    f1a72f2335daec7faa3e2a97abe0ce05a4f6946dd27fd2e635b4179ad240c05d3c5d77da0bd37f0c4d9e2834b74a9deea823aa8ab4fa99d52618df8babe04ecc
  • SSDEEP
    6144:eOPj2DfX0VSn3mZJRH3pyv9i0MTUC4+OpSLWg4:r2fk42H3pkE0MTj4LSa1

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 9 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Gh0strat family
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops file in System32 directory 7 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_497730398d40b55e7e969e8784b68a95.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_497730398d40b55e7e969e8784b68a95.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2836
    • C:\Program Files (x86)\Common Files\%SESSIONNAME%\A-Easy.exe
      "C:\Program Files (x86)\Common Files\%SESSIONNAME%\A-Easy.exe" /S
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2940
      • \??\c:\program files (x86)\common files\jvoylvruhm
        "C:\Program Files (x86)\Common Files\%SESSIONNAME%\A-Easy.exe" /S a -sc:\program files (x86)\common files\%sessionname%\a-easy.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2532
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:5024
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 1080
      2⤵
      • Program crash
      PID:1248
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5024 -ip 5024
    1⤵
    PID:3776
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:1008
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 748
      2⤵
      • Program crash
      PID:3952
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1008 -ip 1008
    1⤵
    PID:1084
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:2884
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 928
      2⤵
      • Program crash
      PID:1292
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2884 -ip 2884
    1⤵
    PID:4568

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Common Files\%SESSIONNAME%\A-Easy.exe
    Filesize: 21.2MB
    MD5: a006d9dc4a5974858f3509db67ee01c0
    SHA1: 756d7cd8f9c6f107cac1caee19ae69ffc733ab18
    SHA256: eadbd396b7a7921fcf1c315325a91baf81a16f83712b71c53491f8eca40cad1f
    SHA512: b1c293a21348825ddc25f9ffc2891a958e4c1c95f414401c83e2487fb16aab65593c26f7e3645012ecf07592956bc4b2382f4e63d018c28856e094268354962a
  • C:\Program Files (x86)\Common Files\jvoylvruhm
    Filesize: 21.2MB
    MD5: 0c95e8ebfb147cc1e58d0e54a4a3b2be
    SHA1: c3962de225ed035a304fe8a1e74e0f79d00bc55e
    SHA256: fd84ed4727294d50c4bd81c650aa014404550fff9e8286418bd66636fb76b847
    SHA512: 8f91b8b03550150905a6a70ec14a03a832fc5c5e81d3349e7a5b7d2d869187398e1904d711803fd95cf671585c82ab91248a437ded669f6523c3e5b8a75b12e3
  • C:\Windows\SysWOW64\svchost.exe.txt
    Filesize: 202B
    MD5: 7bc8e26ae40abd1961da02f6401699ba
    SHA1: 7bf59671e4364071ddbce4101d393cc5ca57bbca
    SHA256: a950e1ca9a0665e5050bfc4b7459c00e37296468f44f8a93e4197262e25637d7
    SHA512: 8a36a5a56c787a311627011cc0f91bb785f6c20e729a16dcdbec9bf4f4d5a9a600ed445e65c61eafba9d0faeaf5dfcb3b24e66cf87c0debb8a0d265b7556a173
  • C:\Windows\SysWOW64\svchost.exe.txt
    Filesize: 303B
    MD5: 1f1b2e19a866ac79bab446bb296215e6
    SHA1: a0375f776c64f7bdeb2cffee136838a1ecc48f99
    SHA256: 83319a3a46b389da0b1db6ad4af0e49d23896effad4b6a1861c75408105d404e
    SHA512: 4793281aad4b723cd0082af5836e7303affda7ce3decc46e10538b2d27f26f12c502bd82f99fd0379ca169f73a9be3424a9da9f44c10929229151719fcd25f0f
  • \??\c:\program files (x86)\netmeeting\%sessionname%\wteoh.cc3
    Filesize: 20.0MB
    MD5: f8e1448631e5be0b1674f217846ad3db
    SHA1: 51b88ab40b5e894ee5f3a289bf614263c1c5af46
    SHA256: 238ccee9d53b2c9c2960daccef94cdce5136e3f2d2dd26d34ed78a84b29ce961
    SHA512: 5dc30551d684da27bc7c46360f2b55712c178463836e177ed9955df7584c3d3e9a8f03013cfdb3e3e053cbe9bf15f6b1313829dd7283d13387fbc6501dbfa920
  • memory/1008-30-0x0000000001E40000-0x0000000001E41000-memory.dmp
    Filesize: 4KB
  • memory/1008-33-0x0000000020000000-0x0000000020027000-memory.dmp
    Filesize: 156KB
  • memory/2532-18-0x0000000000400000-0x0000000001955000-memory.dmp
    Filesize: 21.3MB
  • memory/2532-14-0x0000000000400000-0x0000000001955000-memory.dmp
    Filesize: 21.3MB
  • memory/2532-16-0x0000000000400000-0x0000000001955000-memory.dmp
    Filesize: 21.3MB
  • memory/2532-25-0x0000000000400000-0x0000000001955000-memory.dmp
    Filesize: 21.3MB
  • memory/2532-23-0x0000000000400000-0x0000000001955000-memory.dmp
    Filesize: 21.3MB
  • memory/2884-35-0x0000000002040000-0x0000000002041000-memory.dmp
    Filesize: 4KB
  • memory/2884-38-0x0000000020000000-0x0000000020027000-memory.dmp
    Filesize: 156KB
  • memory/2940-6-0x0000000000400000-0x0000000001955000-memory.dmp
    Filesize: 21.3MB
  • memory/2940-8-0x0000000000400000-0x0000000001955000-memory.dmp
    Filesize: 21.3MB
  • memory/2940-7-0x0000000000434000-0x0000000000438000-memory.dmp
    Filesize: 16KB
  • memory/2940-17-0x0000000000400000-0x0000000001955000-memory.dmp
    Filesize: 21.3MB
  • memory/2940-5-0x0000000000400000-0x0000000001955000-memory.dmp
    Filesize: 21.3MB
  • memory/5024-26-0x00000000011E0000-0x00000000011E1000-memory.dmp
    Filesize: 4KB
  • memory/5024-28-0x0000000020000000-0x0000000020027000-memory.dmp
    Filesize: 156KB