Overview

overview

10

Static

static

3

JaffaCakes...87.exe

windows7-x64

10

JaffaCakes...87.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-01-2025 11:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_4a3857ce4008227d79e9b340e734ba87.exe

  • Size

    96KB

  • MD5

    4a3857ce4008227d79e9b340e734ba87

  • SHA1

    511f21dc802a3da638d13a2b03d7c3dc3e1e1a93

  • SHA256

    4f9c2f7f95bb30f624dbc49c9e69b09e84620aa76fdf47c14b1fb334b5a224be

  • SHA512

    5be43dc7514fee7254b321bc01144f0eddcf18da817f144280fc9b388eb92a5aa2d4b38f41c2122eac0830cf1dc873de320d103791a09971786d9c470d68e5a8

  • SSDEEP

    1536:jSFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prnUqiG05Q:jYS4jHS8q/3nTzePCwNUh4E9nDih5Q

Score
10/10
gh0stratdiscoveryrat

Malware Config

Signatures

  • Gh0st RAT payload 5 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Gh0strat family
    gh0strat
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops file in System32 directory 6 IoCs
  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4a3857ce4008227d79e9b340e734ba87.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4a3857ce4008227d79e9b340e734ba87.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1804
    • \??\c:\users\admin\appdata\local\ildrvgdivt
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4a3857ce4008227d79e9b340e734ba87.exe" a -sc:\users\admin\appdata\local\temp\jaffacakes118_4a3857ce4008227d79e9b340e734ba87.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3232
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:3392
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3392 -s 784
      2⤵
      • Program crash
      PID:940
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3392 -ip 3392
    1⤵
      PID:3092
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
      1⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:3556
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 884
        2⤵
        • Program crash
        PID:2136
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3556 -ip 3556
      1⤵
        PID:4316
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
        1⤵
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3828
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 1040
          2⤵
          • Program crash
          PID:2012
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3828 -ip 3828
        1⤵
          PID:3088

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\ildrvgdivt
          Filesize

          21.4MB

          MD5

          2e48f02894fa6bc8286601a78b3849e3

          SHA1

          de926d1abd9fba3b49dce5cde59c6a0fe240c6cf

          SHA256

          7fd228863acdbd044205dc51324ee42def58f1fc93b0144807ab1b38c75aca25

          SHA512

          c2d95ce50a2c5b5368ba828925cedfcb9f96b748613eea583b8b6ba3b3940c52d7dbfe8cf500ac2deb76fcd14dd0d6edef8c65a23e1c359cd54eefa092465488

          Download Submit

        • C:\Windows\SysWOW64\svchost.exe.txt
          Filesize

          204B

          MD5

          d99f56df99f16c9378801d40bd80ef10

          SHA1

          35c1b787944da85c1860883e248068839eeae501

          SHA256

          4b4d9d6ba62e9c3735c3bfa892857e61a0c7c3d4093b70d599d442cd4a444017

          SHA512

          90cfb5d8123f2447e4950cb1c480fa903dbc65bdaceeea2e429483388a533e8a0e986fa3c066f889f4cd309d0d460ad2ad0153a0c7ad558bf798c2eddbbac069

          Download Submit

        • C:\Windows\SysWOW64\svchost.exe.txt
          Filesize

          306B

          MD5

          0841bdf303c9b1301dda059a703e066f

          SHA1

          2eefc04ef6133871a9b7f8ce96e3b2a0a42cba44

          SHA256

          5ff7619fefb729108f38e77f475d6cabfed337500a549dee8cf7c54a7d839d73

          SHA512

          645af33c56db7277ce9c4983cbcc455ea7d76312be33c09f404dabb3e670292068e8adffe88b67c6109d2c1e450b9f8d0574dbf3a2892415f3d03b3b0b7f2eec

          Download Submit

        • \??\c:\programdata\application data\storm\update\%sessionname%\kkuig.cc3
          Filesize

          22.0MB

          MD5

          3c82c335a3e95f38bd01a6e5cf963d31

          SHA1

          f20d484fb6fadd4e676d035e98eba581d5d6e665

          SHA256

          ef3e58a9c5a9840880108f2a2564b0efb88e29a84c8b5c4713d5173711b4bc13

          SHA512

          cf06e3ba27bfdd71894cd25bad26eb7903fa9307247e35383b29933d68135ec3b8a21d4736e6db2027b0c858d608a7a403dbdf848809fecbd5b68c73650c6af7

          Download Submit

        • memory/1804-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1804-9-0x0000000000400000-0x000000000044E2CC-memory.dmp

          Filesize

          312KB

          Download

        • memory/1804-0-0x0000000000400000-0x000000000044E2CC-memory.dmp

          Filesize

          312KB

          Download

        • memory/3232-7-0x0000000000400000-0x000000000044E2CC-memory.dmp

          Filesize

          312KB

          Download

        • memory/3232-12-0x00000000001E0000-0x00000000001E1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3232-17-0x0000000000400000-0x000000000044E2CC-memory.dmp

          Filesize

          312KB

          Download

        • memory/3392-18-0x00000000017E0000-0x00000000017E1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3392-20-0x0000000020000000-0x0000000020027000-memory.dmp

          Filesize

          156KB

          Download

        • memory/3556-22-0x00000000015F0000-0x00000000015F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3556-25-0x0000000020000000-0x0000000020027000-memory.dmp

          Filesize

          156KB

          Download

        • memory/3828-27-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3828-30-0x0000000020000000-0x0000000020027000-memory.dmp

          Filesize

          156KB

          Download