Overview

overview

10

Static

static

10

JaffaCakes...75.exe

windows7-x64

10

JaffaCakes...75.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/03/2025, 22:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_3c1ee7e5376bd0e17d4fb3d405ad3975.exe

  • Size

    130KB

  • MD5

    3c1ee7e5376bd0e17d4fb3d405ad3975

  • SHA1

    ef761b3feb238194f8fc9decc965818d24811df6

  • SHA256

    1a9f0e39e34e4f7ec9e5a232b173c4808636e9d543339a199f35e06f18d0ff5b

  • SHA512

    0c16469b68a4d3191b771fcbb223ecaef436d51158d4d8de7c3e7dacdb393d1ab4499a809916b66384a7944320f02e02e206055eb52fd5329035d0f14a0a0eb8

  • SSDEEP

    3072:Lg/O6L+DcPYCPu10iD1LVo7p+APiFTk7U+5hWDJkQ:k/O6L+D2YCQnToN/iFTkU+vWJ

Score
10/10
gh0stratdiscoverypersistencerat

Malware Config

Signatures

  • Gh0st RAT payload 5 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Gh0strat family
    gh0strat
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3c1ee7e5376bd0e17d4fb3d405ad3975.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3c1ee7e5376bd0e17d4fb3d405ad3975.exe"
    1⤵
    • Server Software Component: Terminal Services DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:1512
  • C:\Windows\SysWOW64\SVCHOST.EXE
    C:\Windows\SysWOW64\SVCHOST.EXE -K NETSVCS -s FastUserSwitchingCompatibility
    1⤵
    • Deletes itself
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:3680

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \??\c:\documents and settings\local user\userdata.dll
    Filesize

    110KB

    MD5

    cc269bdbe7e61d34a26f94ebd0cc73af

    SHA1

    2b5116c09e57e4db424e6d78d88dbbb2cf094ad3

    SHA256

    6934a2f2e0f9a886ed5cd558b2bd669669b674fc770d44ff7e477d8f292b8ae0

    SHA512

    e5eeb92fbf1521033c1a24b3e9b8c75e3fedffc14042df75778e548525486d263d960fdd6a4bc43312f0b778b4dedb234e7c373eddfca492ce2538c6e9538b7b

    Download Submit

  • memory/1512-0-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/1512-4-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/3680-6-0x0000000010000000-0x000000001001F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/3680-7-0x0000000010000000-0x000000001001F000-memory.dmp

    Filesize

    124KB

    Download