Overview

overview

10

Static

static

10

JaffaCakes...9b.exe

windows7-x64

10

JaffaCakes...9b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    02/03/2025, 17:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_417811564bbe489d3117fd04b338ac9b.exe

  • Size

    156KB

  • MD5

    417811564bbe489d3117fd04b338ac9b

  • SHA1

    2ea1cb7e18666b7a52b1b099d2e151c7b4a35abf

  • SHA256

    6be071163d6340ff98a0b9fe175f14144dbc751874b5dc5eeef8a83d91010889

  • SHA512

    f0b0189ce9ef3d1259eb18c897dddbb9fae67fbe5e6c30671c01ad055924a851c94f8458c936a9219249c9b0210a01d739f0c21f4d41cf9bcf568936bf39db43

  • SSDEEP

    3072:3hDj44zniIHhEF+AdDSpxXepxwiQEhiM8BKj:yqii2TIp9kxwiQEd8BA

Score
10/10
gh0stratdiscoverypersistencerat

Malware Config

Signatures

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Gh0strat family
    gh0strat
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 5 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_417811564bbe489d3117fd04b338ac9b.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_417811564bbe489d3117fd04b338ac9b.exe"
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2516
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Documents AND Settings\apple.bat""
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3060
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Windows\system32\systeminf.inf
        3⤵
        • Adds Run key to start application
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2472
        • C:\Windows\SysWOW64\runonce.exe
          "C:\Windows\system32\runonce.exe" -r
          4⤵
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious use of WriteProcessMemory
          PID:2484
          • C:\Windows\SysWOW64\grpconv.exe
            "C:\Windows\System32\grpconv.exe" -o
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2284
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c apple.bat
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:1932
  • C:\Windows\SysWOW64\hqoped.td
    C:\Windows\SysWOW64\hqoped.td
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2308
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Windows\system32\krjetttc.td,hi
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2784

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Documents AND Settings\apple.bat
    Filesize

    94B

    MD5

    e39e318e5b231fdf5f147640c71c2096

    SHA1

    5fe5815abf87c414d29babcbe914e70c062a705c

    SHA256

    3dfb3bbbd87f29fe338b97fef70b525ed754c6b980698c426bc32156c93914e2

    SHA512

    398b78921d487e135429672488303d7a641907c2124310a55c22cefd061f358f1c15375b7fe1a8919f0fc7423136c4241d714f312d675506bc69dea35b1dbfc4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\apple.bat
    Filesize

    2KB

    MD5

    6054523340f99a6da8dfc1480255ca1a

    SHA1

    354be1f2ed6abe678592e6c0a9d24423fada5830

    SHA256

    4532c92713df61d216fe26ef754fb2f7572efb689aa85be79c2693bbe6be9805

    SHA512

    5d9dbc8c1f04343145cd893199aa1e97489563580ebd3b5d455997805ff7026c6da2ee08d0e200666e61c8cb8df86d115e59ee8989cf0c4149295fd4636d4afa

    Download Submit

  • C:\Windows\SysWOW64\hqoped.td
    Filesize

    25.0MB

    MD5

    96d8433587d50db828608309a8e6bc03

    SHA1

    178bbc14089ea63a2d0f26df45ee9b26d7681d99

    SHA256

    8f4daee3b3412892331739932a70b1fb609714d2ce341294b596e662253f0b05

    SHA512

    5836a1e2373d8caf22959281d24b4f6b30fb191883cebcfe4e4ad3ddb547dab869e4ca2d02ca7ccf3ceb0ab334809ad97bd65689f6973ed7aea2f08ac2abbfc1

    Download Submit

  • C:\Windows\SysWOW64\krjetttc.td
    Filesize

    25.1MB

    MD5

    56410f615bfff48fec3742317e491019

    SHA1

    0ba4e7077cee64c53bca5f5a7ad183b14a352330

    SHA256

    1dc0bc23781dd19226f5a3e47225df041e7cdfcc96f6feb6587b104a0a2754fd

    SHA512

    ded2358e1085f9bb0f8d34cc7c23db182902ac8449fb8c1d9f08610cda844901e90f24ff41c7e1abc2972e10cf924ad450f0545705ca55160478d3d2b19e387f

    Download Submit

  • C:\Windows\SysWOW64\systeminf.inf
    Filesize

    360B

    MD5

    fd1259897770d5fee8ea3b7d0c8d8b4a

    SHA1

    2c1a6190900034c2d962cff4ecf6cc58cd939e8f

    SHA256

    9e47956999a8516ff1c846da9f68fb9c02563497117bdc4be9a9319f7da08d2e

    SHA512

    ac3d4f3b2f6ef95779145931f2143ed46aee8a6e720d46e1678ae8c7f2e6dcac605382434a17ae845dcaea7a7d3ee6a1000274d0ff92b0ec6404f676eb3f6467

    Download Submit