General

  • Target: JaffaCakes118_516da34efa2e2f6cb4d7161532af7968
  • Size: 184KB
  • Sample: 250129-b9dmesxkgz
  • MD5: 516da34efa2e2f6cb4d7161532af7968
  • SHA1: c34ddba55a6a9155add7d451bd04acef0c3dc229
  • SHA256: 36f13661f39c9bff3e4fd6be7a5f0f951b0d4db23b8114fb1b84871d76efa11b
  • SHA512: af9643e0146568a8b59abb59266b3c73044c52c4fafb28b5ccff1ec92828e48faebd8962e3bc032612af501909d88fb0a64f6aab97031f3095878b6f9a0d301b
  • SSDEEP: 3072:fWAEMOb4BSu8jBeosZmhwcfDG1K1l8wGeeRL7Z+xmO9/xFI5AtT0YmAYhfEwwD:fbEMOb4U5BdszcfYG8w/JLI5ItmVfEDD

Malware Config

Targets

    • Target: MSUpdates.exe
    • Size: 97KB
    • MD5: c30111e3592bf03a022b6369c110ad7f
    • SHA1: f7f57137a029457f132ae63c1b41eac24ac21524
    • SHA256: 239eee98bbcc692f13bffb4d01eb5588b69c75c3e97587f428ca6042d53fb573
    • SHA512: 31df97aba34d102b6b07594fd91966a5120a6a320dbec5bc34c8d4480261891a082ede96be2cd850c5ce0fab1c17a502e4f33d64731f571a15932d84708e0dd2
    • SSDEEP: 1536:bXMujB//+wHnOcWnl5SZ2gcUNEr8JiPZkoo45Ddcq+gQV/caiCj:b8udHPHGlaNJiC+Dcq+gQV1J
    • Gh0st RAT payload
    • Gh0strat
      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.
    • Gh0strat family
    • Boot or Logon Autostart Execution: Active Setup
      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
    • Enumerates connected drives
      Attempts to read the root path of hard drives other than the default C: drive.

    • Target: enlpu.dll
    • Size: 50.2MB
    • MD5: 16a2f5d1ac6a7f134d808050c3697a68
    • SHA1: d192bcedbedec45f8770bf1b225936862aa78727
    • SHA256: c57b86b7e816cddb68e0903b12c30bb0495ca4cdf69f5dee9fc281eea3cd39ca
    • SHA512: dbb163f0fee43a2ffe9cbaca0aa8542a70570eb527efaee44748666b09d75db91f51826adbd845715633c359423cb2ab66ef8c758b62c05152ee7b9ea1296659
    • SSDEEP: 3072:tSorJcpkszwTzM6ZCtOSMiwO2njCampn6VwJ3VY0yX6a4:tSbWsazMzMiunZmd6VwJFY0yX6V
    • Gh0st RAT payload
    • Gh0strat
      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.
    • Gh0strat family
    • Blocklisted process makes network request
    • Boot or Logon Autostart Execution: Active Setup
      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
    • Enumerates connected drives
      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks