General

  • Target

    JaffaCakes118_4c593c700580ea3d1a21b559a62c7c42

  • Size

    95KB

  • Sample

    250128-sqr45sspev

  • MD5

    4c593c700580ea3d1a21b559a62c7c42

  • SHA1

    4c24e8a90611db00deb7b8d59ff41ecaaf377730

  • SHA256

    a38a2a72aa15db5f17d99667153830c35b35fbf9b784af97872f9f6c2148f8aa

  • SHA512

    07965f26bf693d85b46ea92d20ef722525bcc1d008f6e26cffaf386ae8b499b2bcec3af590b8473d12e7df09f5f59a2232e2c921526fef94cb78fb9d524b4e04

  • SSDEEP

    1536:zMFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8pr/ztQrOGS:zeS4jHS8q/3nTzePCwNUh4E9/z2r/S

Malware Config

Targets

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese groups.

    • Gh0strat family

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks