Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-01-2025 14:04

General

  • Target

    JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe

  • Size

    197KB

  • MD5

    4bb436e366bc63b6086b415a931a7d1c

  • SHA1

    e650151697cabf8a8e97bf1fc413c8e6d1e88478

  • SHA256

    023009a501cb4457ab1262cd0ccf4210e651cb3074895de7c7632bcad801b96c

  • SHA512

    e8b4bafa1cee858dcae8843f77d5b86b2661159d336226a1258312ab72e4759929924005935a45f96670638350fe244045cdefa1f341a6bcafc5b47ee8b47f7f

  • SSDEEP

    6144:gOVLnWFcvFtsFkVRTl0QdTmNPPYhVUeqPT:g8LWF++kV1KIo+pYT

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Gh0strat family
  • Loads dropped DLL 3 IoCs
  • Drops file in Program Files directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2100
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:2332
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:2888
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:2840
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k regsvc
    1⤵
    PID:2796

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \??\c:\program files (x86)\%sessionname%\hoqwp.pic

    Filesize

    21.0MB

    MD5

    56f3671c3ecf548c09c723f54a5b0c1d

    SHA1

    de17f3049c77efce4d269e1eb4c008f15c5b5c7d

    SHA256

    26294b7f00e73bfb8d10c79397ce5ee8737fc9469adb2a19c255cee5d5e83096

    SHA512

    2fa18e6c23c16799f4f95693b1044efbe6b3ca6aea2b8fc7adcb809fe41fd83b5bc906418c6b320f8760b7b8be9dfb8639716fa5cdac10bc51e146d635ac57ca
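The two observations worth turning into detection logic from this report are the hash indicators (the sample and the dropped hoqwp.pic) and the process tree, in which 32-bit svchost.exe -k netsvcs instances load a dropped DLL, the way Gh0st RAT hosts its payload as a service DLL. The script below is an added example written for this page, not part of the sandbox output or of Gh0st RAT. It replays constructed events whose field names follow Sysmon's ProcessCreate (Hashes) and ImageLoad (ImageLoaded) events, matches the Hashes field against the indicators above, and flags svchost.exe loading a module from outside the Windows directory. The module path attributed to PID 2332 is an assumption: the report records the dropped file and "Loads dropped DLL" but does not name the module svchost loaded.

```python
"""Replay constructed Sysmon-style events against the indicators in the report.
Added example for this page; not sandbox output and not Gh0st RAT code."""
import ntpath  # Windows path semantics regardless of the host OS
from typing import Dict, List, Optional

# Indicators copied from the report: the sample and the dropped hoqwp.pic.
IOC_HASHES = {
    "MD5": {"4bb436e366bc63b6086b415a931a7d1c", "56f3671c3ecf548c09c723f54a5b0c1d"},
    "SHA1": {"e650151697cabf8a8e97bf1fc413c8e6d1e88478", "de17f3049c77efce4d269e1eb4c008f15c5b5c7d"},
    "SHA256": {"023009a501cb4457ab1262cd0ccf4210e651cb3074895de7c7632bcad801b96c",
               "26294b7f00e73bfb8d10c79397ce5ee8737fc9469adb2a19c255cee5d5e83096"},
}

# Directories from which svchost.exe legitimately loads service DLLs. The trailing
# separator keeps a sibling such as "system32evil" from matching.
TRUSTED_MODULE_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")


def parse_sysmon_hashes(field: str) -> Dict[str, str]:
    """Parse Sysmon's Hashes field ('MD5=...,SHA256=...') into {ALGO: lowercase hex}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def ioc_hash_hits(hashes: Dict[str, str]) -> Dict[str, str]:
    """Return the subset of the given hashes that match a report indicator."""
    return {algo: h for algo, h in hashes.items() if h in IOC_HASHES.get(algo, ())}


def _normalize(path: str) -> str:
    # Strip the NT object-manager prefix seen in the report's dropped-file path,
    # then canonicalise and lowercase so comparisons are case-insensitive.
    if path.startswith("\\??\\"):
        path = path[4:]
    return ntpath.normpath(path).lower()


def check_event(event: Dict) -> Optional[str]:
    """Return an alert string for a suspicious event, or None."""
    image = _normalize(event.get("Image", ""))
    pid = event.get("ProcessId")
    hits = ioc_hash_hits(parse_sysmon_hashes(event.get("Hashes", "")))
    if hits:
        return f"PID {pid}: {image} matches report IoC hashes {sorted(hits)}"
    if ntpath.basename(image) == "svchost.exe" and "ImageLoaded" in event:
        loaded = _normalize(event["ImageLoaded"])
        if not loaded.startswith(TRUSTED_MODULE_DIRS):
            return f"PID {pid}: svchost.exe loaded {loaded} from outside the Windows directory"
    return None


def scan_events(events: List[Dict]) -> List[str]:
    return [alert for alert in map(check_event, events) if alert]


# Constructed events modelled on the process tree above. The module loaded by
# PID 2332 is an assumption; the report does not name the dropped DLL.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 2100,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4bb436e366bc63b6086b415a931a7d1c.exe",
     "Hashes": "MD5=4BB436E366BC63B6086B415A931A7D1C,"
               "SHA256=023009a501cb4457ab1262cd0ccf4210e651cb3074895de7c7632bcad801b96c"},
    {"EventID": 7, "ProcessId": 2332, "Image": r"C:\Windows\SysWOW64\svchost.exe",
     "ImageLoaded": r"\??\c:\program files (x86)\%sessionname%\hoqwp.pic"},
    {"EventID": 7, "ProcessId": 2332, "Image": r"C:\Windows\SysWOW64\svchost.exe",
     "ImageLoaded": r"C:\Windows\SysWOW64\rpcss.dll"},
    {"EventID": 7, "ProcessId": 2796, "Image": r"C:\Windows\system32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\regsvc.dll"},
    {"EventID": 7, "ProcessId": 4000, "Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"C:\Program Files\App\plugin.dll"},
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Run against the constructed events it raises two alerts: the hash match on the sample (PID 2100) and the out-of-tree module load by the SysWOW64 svchost (PID 2332); the loads of rpcss.dll and regsvc.dll from the Windows directories and the non-svchost plugin load stay quiet. The module-load rule is deliberately independent of the hashes, so it still fires on a rebuilt payload with fresh hashes as long as the netsvcs-hosted DLL pattern is kept.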