Overview

overview

10

Static

static

3

JaffaCakes...5e.exe

windows7-x64

10

JaffaCakes...5e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/03/2025, 22:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_3be35fb0f28a5f841cd6765827785c5e.exe

  • Size

    321KB

  • MD5

    3be35fb0f28a5f841cd6765827785c5e

  • SHA1

    eaddef60d78bc8fcfd426541453b0504748f78c9

  • SHA256

    c4a0bb6d9044522198049699b416f78168fa5ac7adcf577de5471a245cfc4af0

  • SHA512

    bf88d6f6f69968b84b8fa24630f9fcb044019e4b409a38f8c6801696d68713d2cd7de94b35affaaa4f742d78e17d33bfdd2eb041f6bc7ded4e2ee117c50d7c4b

  • SSDEEP

    6144:p7j1MoraeUuq4H4nDWgRAkPUHtGQn8xID0DMF3GqpKHeLu1keWcw1Weqo:p/1/We+1R3PGGLxe0DbdUBceH

Score
10/10
gh0stratdiscoveryrat

Malware Config

Signatures

  • Gh0st RAT payload 4 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Gh0strat family
    gh0strat
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3be35fb0f28a5f841cd6765827785c5e.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3be35fb0f28a5f841cd6765827785c5e.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:368
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    1⤵
    • Deletes itself
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:944

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\115200.dll
    Filesize

    101KB

    MD5

    0c442fcf389301e632c2c5ce2804553e

    SHA1

    117b7727484b3e8d1c3f2505d7093b3876a8ef1b

    SHA256

    c7d1349fe706f0d8d9600b43ff60b7cbcd6246013cf38810e3c201454315faa4

    SHA512

    328135fb8c859137f53c5e5235c551f1c7cefa93be6f84dad6df69113de9dd6370dbcef9f9007fdeb1fe3ff25808fdc460e5691c2628619f2e96910dbc31ae14

    Download Submit

  • \??\c:\NT_Path.jpg
    Filesize

    98B

    MD5

    92f148d11e97ab2028898b1426710634

    SHA1

    e92b8358b0867efc9f700794c2fa850768324235

    SHA256

    2d15f8e206fcb79f7511e92f590e42f65279b07916c191b3bb9cce1fdf1d2d8a

    SHA512

    1b3f0ce88154c232494c2beaef92d9bedbfe1c75881e810f9a1298158edd9a43a8c8108c334eebcff8af4c44ce2ee80ef9545a5374edc79e642a4686dd4639bc

    Download Submit

  • \??\c:\windows\filename.jpg
    Filesize

    11.0MB

    MD5

    48deb08c9935b18e4b25defd569b0a7f

    SHA1

    3aded21e9393efa7c1c38c282b30ff1dcd96de18

    SHA256

    b50004852d3d74365cc881f190e439b03ce90fc7e8f44afc824ef00d9b7cb361

    SHA512

    e254301b37b6f80139d43cf8589976f9af9f20584aa247c4a909b5806b148b8679b3c55c602af033383bc4f6edf3ab4ae0240b71aefd245bfa9d7e4581c462f6

    Download Submit

  • memory/368-4-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/368-9-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/368-7-0x0000000000401000-0x0000000000402000-memory.dmp

    Filesize

    4KB

    Download

  • memory/368-6-0x00000000024F0000-0x00000000025E0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/368-5-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/368-3-0x0000000000610000-0x0000000000650000-memory.dmp

    Filesize

    256KB

    Download

  • memory/368-0-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/368-2-0x00000000005D0000-0x00000000005D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/368-21-0x0000000000610000-0x0000000000650000-memory.dmp

    Filesize

    256KB

    Download

  • memory/368-1-0x0000000000610000-0x0000000000650000-memory.dmp

    Filesize

    256KB

    Download