Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20250217-en locale:en-us os:windows10-2004-x64 system
  • submitted
    03/03/2025, 23:06

General

  • Target

    JaffaCakes118_49a7f89f6889c04e88873650ea6fa4d9.exe

  • Size

    164KB

  • MD5

    49a7f89f6889c04e88873650ea6fa4d9

  • SHA1

    179cae011fd221322d33fdf756c3952ec7faa010

  • SHA256

    81071028d30f187cd8dc6171aa78fb28cbd84a94be0a1e165e33a4515b4ed421

  • SHA512

    4a1e26655648cc8b71be8fe367480642e309eb7b3af923c54018414b2bf6039cc682ed3e221b7f943df4dbb1653ee8d7afc710941945162c9dfc0323d769710d

  • SSDEEP

    3072:kr4M1VLtIpDmLx8nvbeJXTGoxQpyTDm8PSkNLNs+TJ34t:krfLS6ObyX6StTSsSkd13

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 6 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Gh0strat family
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_49a7f89f6889c04e88873650ea6fa4d9.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_49a7f89f6889c04e88873650ea6fa4d9.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3196
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im Ksafetray.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3076
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    1⤵
    • Deletes itself
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:4600
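The signatures above and the process tree they annotate describe one behaviour chain: the dropper kills the Kingsoft tray process with taskkill, writes files under Program Files and Windows, a svchost.exe -k imgsvc instance loads a dropped DLL, and the original sample is deleted. The Python below is an added hunting example, not part of this report or of the sandbox's own tooling: it turns those observations into four rules and runs them over constructed Sysmon-style events. The paths, hashes and command line are copied from the report; the event field names (type, pid, image, cmdline, parent_image, target, loaded, sha256), the rule names, the sample events and the benign noise events are assumptions.

```python
# Added hunting example, not part of the sandbox report: replays constructed
# Sysmon-style events through rules derived from the report's signatures and
# process tree. Event field names and the sample events are assumptions.
import re
from collections import defaultdict

# IoCs copied from the report: the submitted sample and its dropped files (path -> SHA256).
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_49a7f89f6889c04e88873650ea6fa4d9.exe"
SAMPLE_SHA256 = "81071028d30f187cd8dc6171aa78fb28cbd84a94be0a1e165e33a4515b4ed421"
DROPPED_FILES = {
    r"c:\windows\prefetch457100.dll": "7bf5ee3780340d3a0b2cbece795d6f992f1658f600f4e2eb03adec6122003e89",
    r"c:\program files\nt_path.gif": "d076fc0a82065a07967b658a198b279701582520114f87681542058e23f44194",
    r"c:\program files (x86)\mssql.jpg": "ada989991532b13182ae463267b8704c437e56564366bc0f20344c7088353eb8",
}
KILLED_AV_IMAGE = "ksafetray.exe"  # from the report's taskkill command line
USER_WRITABLE = re.compile(r"\\appdata\\local\\temp\\", re.I)
PROGRAM_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
SVCHOST = r"C:\Windows\SysWOW64\svchost.exe"

def _norm(path):
    return path.strip('"').lower()

def rule_av_kill(ev):
    """Kills process with taskkill: 'taskkill /f /im <AV tray>' spawned by a binary in Temp."""
    if ev["type"] != "process_create" or not _norm(ev["image"]).endswith("\\taskkill.exe"):
        return None
    m = re.search(r"/im\s+(\S+)", ev["cmdline"], re.I)
    if m and m.group(1).lower() == KILLED_AV_IMAGE and USER_WRITABLE.search(ev["parent_image"]):
        return "kills_av_tray_with_taskkill"
    return None

def rule_file_drop(ev):
    """Drops file in Program Files / Windows directory: exact hash hit first, then a heuristic."""
    if ev["type"] != "file_create":
        return None
    target = _norm(ev["target"])
    if DROPPED_FILES.get(target) == ev.get("sha256", "").lower():
        return "known_dropped_file_hash"
    if USER_WRITABLE.search(ev["image"]) and target.startswith(PROGRAM_DIRS):
        return "temp_binary_writes_to_program_dir"
    return None

def rule_svchost_loads_dropped(ev):
    """Loads dropped DLL: svchost.exe -k imgsvc mapping a path from the dropped-file list.
    '-k imgsvc' is a legitimate service group, so the loaded path is the discriminator."""
    if ev["type"] != "image_load" or not _norm(ev["image"]).endswith("\\svchost.exe"):
        return None
    if "-k imgsvc" in ev["cmdline"].lower() and _norm(ev["loaded"]) in DROPPED_FILES:
        return "svchost_imgsvc_loads_dropped_dll"
    return None

def rule_self_delete(ev):
    """Deletes itself: the submitted sample is removed by a process other than itself."""
    if ev["type"] != "file_delete" or ev.get("sha256", "").lower() != SAMPLE_SHA256:
        return None
    return "original_sample_deleted_by_other_process" if _norm(ev["image"]) != _norm(ev["target"]) else None

RULES = (rule_av_kill, rule_file_drop, rule_svchost_loads_dropped, rule_self_delete)

def hunt(events):
    """Return [(rule_name, pid), ...] in event order, one entry per (event, rule) hit."""
    return [(name, ev["pid"]) for ev in events for rule in RULES if (name := rule(ev))]

def summarize(events):
    """Collapse hits into {rule_name: sorted unique PIDs}."""
    by_rule = defaultdict(set)
    for name, pid in hunt(events):
        by_rule[name].add(pid)
    return {name: sorted(pids) for name, pids in by_rule.items()}

# Constructed events modelled on the report's process tree (not sandbox output),
# plus a hash-mismatch variant and benign noise the rules must ignore.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 3196, "image": SAMPLE_PATH, "cmdline": f'"{SAMPLE_PATH}"',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "file_create", "pid": 3196, "image": SAMPLE_PATH, "target": r"C:\Program Files\NT_Path.gif",
     "sha256": DROPPED_FILES[r"c:\program files\nt_path.gif"]},
    {"type": "file_create", "pid": 3196, "image": SAMPLE_PATH, "target": r"C:\Program Files (x86)\mssql.jpg",
     "sha256": DROPPED_FILES[r"c:\program files (x86)\mssql.jpg"]},
    {"type": "file_create", "pid": 3196, "image": SAMPLE_PATH, "target": r"C:\Windows\Prefetch457100.dll",
     "sha256": DROPPED_FILES[r"c:\windows\prefetch457100.dll"]},
    {"type": "process_create", "pid": 3076, "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "cmdline": "taskkill /f /im Ksafetray.exe", "parent_image": SAMPLE_PATH},
    {"type": "image_load", "pid": 4600, "image": SVCHOST, "cmdline": SVCHOST + " -k imgsvc",
     "loaded": r"C:\Windows\Prefetch457100.dll"},
    {"type": "file_delete", "pid": 4600, "image": SVCHOST, "target": SAMPLE_PATH, "sha256": SAMPLE_SHA256},
    {"type": "file_create", "pid": 5100, "image": r"C:\Users\Admin\AppData\Local\Temp\variant.exe",
     "target": r"C:\Program Files\NT_Path.gif", "sha256": "00" * 32},
    {"type": "image_load", "pid": 1234, "image": SVCHOST, "cmdline": SVCHOST + " -k imgsvc",
     "loaded": r"C:\Windows\System32\wiaservc.dll"},
    {"type": "process_create", "pid": 2222, "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /f /im notepad.exe", "parent_image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for name, pids in summarize(SAMPLE_EVENTS).items():
        print(f"{name}: {pids}")
```

Running the file prints one line per rule with the PIDs that triggered it. The design choice worth noting is in the svchost rule: "-k imgsvc" on its own is the normal Windows Image Acquisition service host, so the rule only fires when the mapped DLL path is one from the dropped-file list, and the two noise events (a benign wiaservc.dll load and a taskkill of notepad.exe from cmd.exe) stay silent. The hash-mismatch variant shows why the drop rule keeps a location-based heuristic behind the exact-hash check: a recompiled dropper changes every hash in the Downloads section but still writes from Temp into Program Files.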

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\Prefetch457100.dll

    Filesize

    140KB

    MD5

    fdec715799fd9a02647212846a6049bd

    SHA1

    3c72a942ab52c4f589e13d14b59f79406e78acfd

    SHA256

    7bf5ee3780340d3a0b2cbece795d6f992f1658f600f4e2eb03adec6122003e89

    SHA512

    19680288e215415913e6e5e5a5cae7e7c62226778ef5008723fddaed9cb75502c76b2f64b46b7be307b596e61250c32a27acc2f49c87deed189421a5aa345c5c

  • \??\c:\Program Files\NT_Path.gif

    Filesize

    114B

    MD5

    81d4ce0ede6928e5a73da3772623394e

    SHA1

    9fc1dfb054f256d082163d5729d77c28779f881f

    SHA256

    d076fc0a82065a07967b658a198b279701582520114f87681542058e23f44194

    SHA512

    69ab3b5dd18769a9143eff0e76c703a892e3a3f0271adc9053ce76e73f3bebccd64a2e871e2ce1d504d4c507ab87dd5773f14fa2c34cf006b9ce8351181fa48b

  • \??\c:\program files (x86)\mssql.jpg

    Filesize

    11.8MB

    MD5

    fbc15aae8f097b0d6f25c9c75e50c610

    SHA1

    a20bb9c274ca889df486d93b37cd763ea28c693a

    SHA256

    ada989991532b13182ae463267b8704c437e56564366bc0f20344c7088353eb8

    SHA512

    9d816915c8e3bb1fd9b0144e7f1fa77009170390a75d067cd4e9f07f6440580f6715692a66bbb14ab526751ef938e94c41d317fbf449127910083a946fe2b4e6

  • memory/3196-3-0x0000000010000000-0x0000000010025000-memory.dmp

    Filesize

    148KB

  • memory/3196-13-0x0000000010000000-0x0000000010025000-memory.dmp

    Filesize

    148KB

  • memory/4600-15-0x0000000010000000-0x0000000010025000-memory.dmp

    Filesize

    148KB

  • memory/4600-18-0x0000000010000000-0x0000000010025000-memory.dmp

    Filesize

    148KB