Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/03/2025, 13:41

General

  • Target

    JaffaCakes118_4daff618415bab6a404cfc45fc2f30e7.exe

  • Size

    166KB

  • MD5

    4daff618415bab6a404cfc45fc2f30e7

  • SHA1

    50fd762cd008f66d086c832bc0683651f851797b

  • SHA256

    2472453da7a254fda3208ba151cb60ba9818ef2582ea740e2000ddce72979a6b

  • SHA512

    e9e51bc96da01be63b2b942b86f16cdfd07a08fb27a0ad0e329478dee18e920741e5db7c99435fa8b941f043b1a89ff3a57aab197f9ed0bea2f99527dfa657f7

  • SSDEEP

    3072:hQixrcYyNNBxIf58d6UuSMhXk22T94oz7vEEZzcEWJO7Ri+FZBvby6M:hhANBxIxh0u4TSg7vECzcJ07Rp3p

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

  • Gh0strat family
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4daff618415bab6a404cfc45fc2f30e7.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4daff618415bab6a404cfc45fc2f30e7.exe"
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:2368
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    • Deletes itself
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:2364

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\1517000.dll

    Filesize

    133KB

    MD5

    98bad2405523fdcea0a43bcc9f105f3c

    SHA1

    291fbf6b13428e953473771667cadff1135d7308

    SHA256

    4cf3f23aca1e8e7d5a4b3437bec9fe5f28e70936641ea6324aa99f2c5208d8e2

    SHA512

    13bdee47530ffface75c2223aba4157307ce312aa77094533c65d96d9a4ee4dfab878ddbfabbd80fd059ab99612dd4fa9300b20e6332bbce866c10fdff92a055

  • C:\Program Files (x86)\Fbcd\Kbcdefghi.psd

    Filesize

    3.5MB

    MD5

    0f25b3a1050059e3ac8ddbd102ea53ef

    SHA1

    af5eb56a8ae61738594421321d7f645670b8ce6b

    SHA256

    d0328f90474f6af528e9dd37c8af18deadf7e1e540339387a072b541268f8da4

    SHA512

    06d165ea8fc754f18f0db53d4ffee6d9e9203c40a2e6927da2afce1d4c98392c545fcc851fe0e60e0ba69b0d87ad6f6629e347a26a06cd6d9f987fe75f3b0325

  • \??\c:\NT_Path.jpg

    Filesize

    99B

    MD5

    263470590c38e7aacfae8b7132d3e7ab

    SHA1

    0bcdd2c7c70bbe346fa703078cdd269f1bb48016

    SHA256

    86a995f8152722fde195a05695059a9295dbd5754409afe46460649b74e30f7a

    SHA512

    9864b945756cbd35a0a7e6a3a03b118ab9b3553c8ab67fb23f02dce5ed73daed62a3bb03fd7d24095541f4080674c3064e0650caeb4f40ea8961c986d2229842

  • memory/2368-10-0x0000000010000000-0x0000000010025000-memory.dmp

    Filesize

    148KB