General

  • Target

    JaffaCakes118_4cb85dc70ca46ce70499d1a8142f0f20

  • Size

    196KB

  • Sample

    250304-l78d5ayms2

  • MD5

    4cb85dc70ca46ce70499d1a8142f0f20

  • SHA1

    79665c3a585de51d9b9853f902b11d0f2a3efa45

  • SHA256

    6047cc605e0dfbee45f75d3aa49fc2f901cf1e3be1c356d02c416e9fa8ed1278

  • SHA512

    7f92d77ad9261e40ac0885f8d0719dbe25b2ce8b51976e126b7695d590d9630403f542176b7eba4c876e7188ebcdbaf10bd89da7ba0119c8030ed8eee30f1619

  • SSDEEP

    3072:Vgmn0avOvtYz4nqSioDXx4uE9w2qbMUeZPgrQ/O/46x4M15m:+w0avOvtYSiod4uYzqAvZd/246Hvm

Malware Config

Targets

    • Target

      JaffaCakes118_4cb85dc70ca46ce70499d1a8142f0f20

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • Gh0strat family

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks