Analysis

  • max time kernel: 150s
  • max time network: 134s
  • platform: windows10-2004_x64
  • resource: win10v2004-20250217-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 04/03/2025, 13:41

General

  • Target: JaffaCakes118_4daff618415bab6a404cfc45fc2f30e7.exe
  • Size: 166KB
  • MD5: 4daff618415bab6a404cfc45fc2f30e7
  • SHA1: 50fd762cd008f66d086c832bc0683651f851797b
  • SHA256: 2472453da7a254fda3208ba151cb60ba9818ef2582ea740e2000ddce72979a6b
  • SHA512: e9e51bc96da01be63b2b942b86f16cdfd07a08fb27a0ad0e329478dee18e920741e5db7c99435fa8b941f043b1a89ff3a57aab197f9ed0bea2f99527dfa657f7
  • SSDEEP: 3072:hQixrcYyNNBxIf58d6UuSMhXk22T94oz7vEEZzcEWJO7Ri+FZBvby6M:hhANBxIxh0u4TSg7vECzcJ07Rp3p

Score: 10/10

Malware Config

Signatures

  • Gh0st RAT payload (2 IoCs)
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Gh0strat family
  • Deletes itself (1 IoC)
  • Loads dropped DLL (2 IoCs)
  • Drops file in Program Files directory (2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: LoadsDriver (6 IoCs)
  • Suspicious use of AdjustPrivilegeToken (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4daff618415bab6a404cfc45fc2f30e7.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4daff618415bab6a404cfc45fc2f30e7.exe"
    PID: 4744
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
  • C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\SysWOW64\svchost.exe -k imgsvc
    PID: 1592
    • Deletes itself
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\732700.dll
    Filesize: 133KB
    MD5: 98bad2405523fdcea0a43bcc9f105f3c
    SHA1: 291fbf6b13428e953473771667cadff1135d7308
    SHA256: 4cf3f23aca1e8e7d5a4b3437bec9fe5f28e70936641ea6324aa99f2c5208d8e2
    SHA512: 13bdee47530ffface75c2223aba4157307ce312aa77094533c65d96d9a4ee4dfab878ddbfabbd80fd059ab99612dd4fa9300b20e6332bbce866c10fdff92a055

  • \??\c:\NT_Path.jpg
    Filesize: 98B
    MD5: 9b7a3761bee68efef8ac6794d5428a98
    SHA1: 97acd2fb9bc97886defdf98ada373cf8cf739f6f
    SHA256: d77b92564ba6052408e68987c9f1677e4bfc5cf103a2d2448312cf495d15e06c
    SHA512: 41f782d79ca51e9fb889c9e9edd43a9992e7808448494e9ee9da526b16c9eabe75fbf854414734780490496c3c61d852ae5aa9b7d14f101af8db1497196c4a13

  • \??\c:\program files (x86)\fbcd\kbcdefghi.psd
    Filesize: 6.9MB
    MD5: dea133bfe93b24bb1a1b43d4e30e3273
    SHA1: b99dad1d085cd81f7b9acdc2ed460430144f14a4
    SHA256: faec17a79327ec8b8e1bfffbb9efee955984789c9c0a6959070bda02e8166351
    SHA512: 1f9b1b949a65ac5105cdc6af9c77578f7ec8368fa6c6a336e000661898f8889714f87961da1aeed9255f1b1345743fa38d405deb112f96ea6e8bbe85adb7f9e4