Overview

overview

10

Static

static

10

JaffaCakes...7f.exe

windows7-x64

10

JaffaCakes...7f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-01-2025 17:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_4d9736dad28dea9491936d3dbeeba07f.exe

  • Size

    130KB

  • MD5

    4d9736dad28dea9491936d3dbeeba07f

  • SHA1

    9351db850cc4e45ed5a05700ca95c9f67055eaaf

  • SHA256

    ab8677667362010742a6778ccf1a46a28a9a07fc40b24d245b9f8950b5d56fe5

  • SHA512

    3ddc042cc808fe5e7bbbee2c1cf083bfade1a73d631c3bf03142bcd9c5655c3bf73384dd5b79b444fe0a2b48f086bea86458029fe366fa75e3b61020c4b3e357

  • SSDEEP

    3072:u4jNJcm9SSSsNM3pQ2FzCBCRMkLkf+KYLVPQJ+:u4jNJAsNMfQBm1LI+KYLFQJ+

Score
10/10
gh0stratdefense_evasiondiscoverypersistencerat

Malware Config

Signatures

  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Gh0strat family
    gh0strat
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
    persistence
  • Loads dropped DLL 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in Program Files directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4d9736dad28dea9491936d3dbeeba07f.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4d9736dad28dea9491936d3dbeeba07f.exe"
    1⤵
    • Server Software Component: Terminal Services DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3372
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c del "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4d9736dad28dea9491936d3dbeeba07f.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2140
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:4692

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\data.dll
    Filesize

    112KB

    MD5

    71377bb442f0756da018d4137a709c22

    SHA1

    d8aee70a5a600b53c5eef86c6b9efebcba89f2ee

    SHA256

    487b50028ea952787276444be7248c455574334cc5a34d05deae9e1c9c8f49b6

    SHA512

    5e6927b3c5dc90ef57300edea5b4452a0dccf38f72dc93a1cb426d6a3d4168b1eeb877e982892c7b28b2a4322c5ba79bb50a548c9be935b0b482d1615e3f40a1

    Download Submit

  • memory/3372-0-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/3372-4-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download