Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
28-01-2025 18:25
General
-
Target
JaffaCakes118_4df51c9c1d1ba6d3c9778c07bf4151af.exe
-
Size
134KB
-
MD5
4df51c9c1d1ba6d3c9778c07bf4151af
-
SHA1
0dce1ef639d7d9f672a89c404917e9902759e5ff
-
SHA256
c2d170f6043dd3ea76340e24ec27bb96cf9b77c554251d00f885d25fa7e2d017
-
SHA512
f7061dc4b242d21d97a6abcd3c85d428121121be18f14b18dcef4d0ccbfd61baa232456f38bdf4d16362d12dce365f9ab40ac276d6f02d4aeb927e68691d7ca0
-
SSDEEP
3072:qOrSnIpxpsrZg5gSvWOUHdUeM+AqOELvNcbDIr9wzA:qOrSnixmgfFUHidJqReDq
Malware Config
Signatures
-
Gh0st RAT payload 3 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Gh0strat family
-
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Drops file in Windows directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4df51c9c1d1ba6d3c9778c07bf4151af.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4df51c9c1d1ba6d3c9778c07bf4151af.exe"1⤵
- Server Software Component: Terminal Services DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Windows\SysWOW64\svchost.exe,main2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
376B
MD59caf4502cf2e30737e527dd838dd7cad
SHA1fbf6465e77725ad9f3100ede74a7de7b1cbc1761
SHA256e1ff2c17aa2a4d7bae72ed53232576543705f9ebb0c9cc79e4e3907f739eb769
SHA5125aca15b0aebe387576e2d41f15f3178361010985c38f6d3fa7dfed493135070130e13f0378df383c08cb49ba357eebb6301a5991353695b2a7b499e578e515ec
-
Filesize
120KB
MD5f831056859560dc7ea6a212c0f4ebdd2
SHA17a4155261a725bad8c619d4d74e9dd62273b443d
SHA256914a9b13fc2626ca8e513df314f1ddd426b5311251d2705542daf3dc50ac4cea
SHA512fdffc09b7b06869f7a8fd935add428fb2c606a16743c13d285e8337abc1407f4728a2c86100c03406f50b96e6e24841bea9cfd6920d64cc62f91c153106a2b85
-
Filesize
140KB
-
Filesize
140KB