Overview

overview

10

Static

static

10

JaffaCakes...fe.exe

windows7-x64

10

JaffaCakes...fe.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    29-01-2025 11:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_5691e040c8bb50093f146229152880fe.exe

  • Size

    71KB

  • MD5

    5691e040c8bb50093f146229152880fe

  • SHA1

    27dcf548c92ffcc7b3dccb83675bcaca76b0ee93

  • SHA256

    6c00557333d5bbc08622ebd66cef57accd5dbbd18976e9ea25c927e82e557427

  • SHA512

    94d30666f3ab5ef2c39947f0ab25d30de7460b2d0ee1db19c82c2db52e09307c2a827a3f369d8257fc99ef4c3f3f50baf096e26792dbbc59ead58fc857bfda97

  • SSDEEP

    1536:jWZpTtLcWyeYd4//yEZc1GJf7/QP4uirys5e:+pZTvnyEZiGJ7/Qguirys5e

Score
10/10
gh0stratdiscoveryrat

Malware Config

Signatures

  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Gh0strat family
    gh0strat
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5691e040c8bb50093f146229152880fe.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5691e040c8bb50093f146229152880fe.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:2420
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    1⤵
    • Deletes itself
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:2672

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\2891400.dll
    Filesize

    64KB

    MD5

    571edeb79b44719cbac2a1553f9cd37b

    SHA1

    4711dfcdc32af57122041bfa9f8fa0127c11d6ec

    SHA256

    ecf5e930b93344bd96d124212d7010d04205d01d3776acadf58e8512c1ec32c9

    SHA512

    eec707c3c66cac1e1b88d56aa75f9a186c723242a1460692069e09cee6943995466081a8db95e6c44cc7419a608d665238b2f59fdf057ffa06028e8d681664a5

    Download Submit

  • C:\Program Files (x86)\Niud\Prubwutia.jpg
    Filesize

    10.5MB

    MD5

    ec73d92215e77640cc10ad5da5f263a2

    SHA1

    00e6e72f5fa1d645bad78aed2786a502ff63abcc

    SHA256

    f4388c2702c449040728c0b927eb17fd3d59f06206833045523a58e70f13af1b

    SHA512

    4dcd025c04aca652106389d0447dffcd583fe6a30557185321f3529735d67152f798a833304b1ced2e1ce718185be0158ef6ad7a080d936479deef73a00377fc

    Download Submit

  • \??\c:\NT_Path.jpg
    Filesize

    99B

    MD5

    aa90e92b9c6c7e85de1c81c175492542

    SHA1

    2b5b000243346d1f8c3180bec281e2e1da232700

    SHA256

    07134ab5e0d2be34032e5f0782f68b8c20147180fc866b3dddacd15d36b2461b

    SHA512

    a6dc0ae692f2dad3ee3f132f9202682cf40fbac5f2a84a1b7e4709ec449746d33487b9cd679abc7dc196a2d19fdf07ff86077b0383673f3639c187113504c6c2

    Download Submit

  • memory/2420-2-0x0000000000401000-0x0000000000402000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2420-10-0x0000000010000000-0x0000000010013000-memory.dmp

    Filesize

    76KB

    Download