General

  • Target

    JaffaCakes118_42a9dd4b578bcecfbfa18fe4693c6928

  • Size

    192KB

  • Sample

    250302-z36lmavrt9

  • MD5

    42a9dd4b578bcecfbfa18fe4693c6928

  • SHA1

    fe3f1af60efdaaa3f364634e834ee0f01f7f4313

  • SHA256

    26e04dd833080b82ca51e3700cc3ea2ea7b615839b761d1dd7c9a42de92ca2f5

  • SHA512

    1e26d41970004360a8617557e2913edc1a8d4687291bb264d98459ce9a3488f392fb12e2252d22103e83f1fa0b47519e4856e47ae63ade435343157cb99588aa

  • SSDEEP

    3072:dRZaVXVpjWP+QE+GQgVSzCI9X2TxfTVTa519TM5tGHBKyrBXsHNHBZC:VaVXVpjp+6SzC0GTlpapTmkKydcHNHBZ

Malware Config

Targets

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese groups.

    • Gh0strat family

    • Deletes itself

    • Loads dropped DLL

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks