Overview

overview

10

Static

static

10

JaffaCakes...e0.exe

windows7-x64

10

JaffaCakes...e0.exe

windows10-2004-x64

Analysis

  • max time kernel
    34s
  • max time network
    36s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/03/2025, 07:13

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    JaffaCakes118_4bedf89fe9c8d86ee516380a372baee0.exe

  • Size

    204KB

  • MD5

    4bedf89fe9c8d86ee516380a372baee0

  • SHA1

    695404f21d8f7f2a3a496aba73aa83ff68c2d2b8

  • SHA256

    89f12255d1435fc152cb06b01c7200c936c702da94c987deae2e49d8af467d31

  • SHA512

    036e79e30ce02ccb4d7218288dbf4a72027e432db941a1de36c39d3240f93d62962807efdcae862051e6d7bfb45b744c29859ccdf0a4325712c651de2dcc381b

  • SSDEEP

    3072:MqVYtrjsN9NhlcOweT4WWDQ8AKwirAHVd8R9ttsHXu:JKtnsN9NvcKDWEEwyyX8R9kXu

Score
10/10
gh0stratdiscoverypersistencerat

Malware Config

Signatures

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Gh0strat family
    gh0strat
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4bedf89fe9c8d86ee516380a372baee0.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4bedf89fe9c8d86ee516380a372baee0.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:412
    • C:\Users\Admin\AppData\Local\Temp\V2011\svchost.exe
      C:\Users\Admin\AppData\Local\Temp\V2011\svchost.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:4916
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c afc9fe2f418b00a0.bat
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4820

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\V2011\svchost.exe
    Filesize

    204KB

    MD5

    4b440dc699555e685c29d997fd058ba3

    SHA1

    437998622196e789b39cc2a8de12cde91840cc5f

    SHA256

    350c0fd31dfb383579c8a084a98e09427b1103f0b9bb12f91cf40aafeb325fca

    SHA512

    58ad175dc772cea1ca0bf3fc9a9cd4f40460f3ad7dd02a248ebc110d58f36e9124d90e6eec7109c61f99bcdd543336488cd4e420d8d9ef5010d79938ec54cd33

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\afc9fe2f418b00a0.bat
    Filesize

    2KB

    MD5

    4dc24da8a0f9b5d5ff4d87e89a45ec35

    SHA1

    13d496d7caec28c49cc67e8a5c83f6a7251d245a

    SHA256

    687e4da9f6ddeb9d223c84caec4267a1bd0dc3adb03d3bdee5e0d4cebce65604

    SHA512

    9a08ba9c81f31382baef6430ef1290a20a6083edce1a9f54b2d6493b2dd4487b7bf504d40393aaf7ccd0b775ed8d9b4b98141eed9e0df968c831411dd48018fc

    Download Submit