Analysis
-
max time kernel
148s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
03/03/2025, 23:06
General
-
Target
JaffaCakes118_49a7f89f6889c04e88873650ea6fa4d9.exe
-
Size
164KB
-
MD5
49a7f89f6889c04e88873650ea6fa4d9
-
SHA1
179cae011fd221322d33fdf756c3952ec7faa010
-
SHA256
81071028d30f187cd8dc6171aa78fb28cbd84a94be0a1e165e33a4515b4ed421
-
SHA512
4a1e26655648cc8b71be8fe367480642e309eb7b3af923c54018414b2bf6039cc682ed3e221b7f943df4dbb1653ee8d7afc710941945162c9dfc0323d769710d
-
SSDEEP
3072:kr4M1VLtIpDmLx8nvbeJXTGoxQpyTDm8PSkNLNs+TJ34t:krfLS6ObyX6StTSsSkd13
Malware Config
Signatures
-
Gh0st RAT payload 7 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Gh0strat family
-
Deletes itself 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Kills process with taskkill 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_49a7f89f6889c04e88873650ea6fa4d9.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_49a7f89f6889c04e88873650ea6fa4d9.exe"1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Ksafetray.exe2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k imgsvc1⤵
- Deletes itself
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
258KB
MD55f6065baac5a25447390c5d6f0673552
SHA1d02b5320a38befaf83417061142defc4353b5c7d
SHA25667dd2cb567694b22115e46d7802a13cbf4d0defc2ae749938114f2e031d5f692
SHA512ded62b0615102483c518a551ded759ac14068a378f9f5e62ec8fc360b77174744778f71c43d411f0614d699490663c97a4faf5a90838f4dec08fef21b59c6610
-
Filesize
140KB
MD5fdec715799fd9a02647212846a6049bd
SHA13c72a942ab52c4f589e13d14b59f79406e78acfd
SHA2567bf5ee3780340d3a0b2cbece795d6f992f1658f600f4e2eb03adec6122003e89
SHA51219680288e215415913e6e5e5a5cae7e7c62226778ef5008723fddaed9cb75502c76b2f64b46b7be307b596e61250c32a27acc2f49c87deed189421a5aa345c5c
-
Filesize
114B
MD5b6abd691d6472fdd1770a25482d0f211
SHA1872f71f005b8b98dedeca117d36eb9e6ae397483
SHA256db70eabae3718bc4ec0c1bffdb2bce6da5d3658cc7ad96bbd8b4702120541cf2
SHA512dbdbd3d13efeb679dd054cb07562e6506910f1e6086744b0726d68a4826f6096c274b625db1b1041ae2a33de53d12e9d1dc177838efec46b8be08a847e903c4b
-
Filesize
1.0MB
MD588769600781526354049ece28b7c99c8
SHA111a340cf328c14b4b7d06de4ccb2321a6d6518f5
SHA256cab8d41cda944e86de658178ca2ad3f5e1ca39b5c1543f2569707bd302be3b9e
SHA512d3dbb0f1c56b60df6b06e9ac27765a22a4058e7ed0f831b8b86141260e604b7c7f9d2f5094d8a3fd5f6537423d168faddd5a68c3cb60531ae74e812122b81fa1
-
Filesize
148KB
-
Filesize
148KB
-
Filesize
148KB
-
Filesize
148KB
