Analysis

  • max time kernel
    150s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/03/2025, 01:51

General

  • Target

    JaffaCakes118_4a6c8e1b9934ed67668456add2c7ccf8.exe

  • Size

    102KB

  • MD5

    4a6c8e1b9934ed67668456add2c7ccf8

  • SHA1

    50f7d254cc55ea1fdc2ea38854edfdee981d2447

  • SHA256

    b1c3e85a8b782d8c886ce869defec3907d85e66dd8e25353b10b7186fa28712d

  • SHA512

    60b6646a153dc3ac4aa87c9d431e13bd641a9866d5e1c1e1a8d99d579b85524c4ff92642eb270b56e3ba90f1234d8c068bd11ed0774f62b8e528b492763d0fab

  • SSDEEP

    3072:kstV5pSyGq0sJAPnhXW8iXBPOWTYiBVSV0Iu:FppSyGx40G3XhPUiBVSV0/

Malware Config

Signatures

  • Gh0st RAT payload 4 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese groups.

  • Gh0strat family
  • Drops file in Drivers directory 1 IoCs
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: LoadsDriver 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4a6c8e1b9934ed67668456add2c7ccf8.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4a6c8e1b9934ed67668456add2c7ccf8.exe"
    • Server Software Component: Terminal Services DLL
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    PID:2632
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    • Drops file in Drivers directory
    • Deletes itself
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:2676

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\259411753_shit.tmp

    Filesize

    90KB

    MD5

    107bfd0392c57e6c35dce2e4144a0365

    SHA1

    1bc1b1e04f6a44d8cbba80ff6c935bfccb6dd7e1

    SHA256

    791e6d7dfcf6221f72d6977c09a36f1ff5d9822cc1319b77bc076fdce0b70da3

    SHA512

    093375e116238fb29360f66fdf662dfed570fe828fda0f4820335612e4e05934b6a03d54ccafb65c81561b216cc0c19753d93d65d7c393d17f3de066e82a83b1

  • \Users\Admin\AppData\Local\Temp\259411691_kaka.tmp

    Filesize

    90KB

    MD5

    46958d4d21c2aa97eac22de8a74506c0

    SHA1

    1210c19a25beb638690960ec14191b9f227c7492

    SHA256

    d348c314c22987888b8d9c79699e1e06c1fb5e901edaf643fe03023622ec44b7

    SHA512

    bb29f948f47a45e4e02c595be4739e2f126dec225512b06c4b752490cec8c77b862eb0dff97f5a47ac2b3efc00f97627546de759c0d9e5a08a638292febc379f

  • memory/2632-0-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2632-10-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB