Analysis
-
max time kernel
150s -
max time network
137s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
02/03/2025, 01:46
General
-
Target
JaffaCakes118_3d0ee6a117684959ffc5e4975c3c7b51.exe
-
Size
135KB
-
MD5
3d0ee6a117684959ffc5e4975c3c7b51
-
SHA1
55ae6e0255de7d79b5186dbe924b4011c7a81cb5
-
SHA256
7a2178738feab1922a22036f4323d16a1d55f108275823c0fb31b28bc223cf7b
-
SHA512
523e8f3ee2988b720c9537f28aca7421066848daaee4dc786f4771b5d5559bd6ed3bf5635631adbcdaf4e71c30f9b50c418d31a5cd4c7d2f358e26a60ee6d35d
-
SSDEEP
3072:SJoryQnTpCXmbdy3X1+IJtdFqFicvtvnkkTfQtBKwB:SJoyQn1C2bM3FLtHVcvtvkkTQBf
Malware Config
Signatures
-
Gh0st RAT payload 4 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Gh0strat family
-
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Drops file in System32 directory 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies data under HKEY_USERS 24 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3d0ee6a117684959ffc5e4975c3c7b51.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3d0ee6a117684959ffc5e4975c3c7b51.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3d0ee6a117684959ffc5e4975c3c7b51.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3d0ee6a117684959ffc5e4975c3c7b51.exe2⤵
- Server Software Component: Terminal Services DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
98KB
MD59b744c94d137ec9207b393750e811faa
SHA100f819243722e49efd89c0feb7c7990565599f0b
SHA25645fba69793ebf8071dfd49dcbd253591b83a2dbcb8b625d673a345bd99d8e9a7
SHA512f8d8c2e3de8f478652d8f5f38568432ef70d01fa9b50db322ee78f05222c788595528f77abe24c0924248b75f6a284d86400f2d9b04fc6b9e9fab473f3fc06e3
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB