Overview

overview

10

Static

static

3

JaffaCakes...fc.exe

windows7-x64

10

JaffaCakes...fc.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    147s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    05/03/2025, 05:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_50b725a477fd0229c6c8c3bc2a2f0ffc.exe

  • Size

    235KB

  • MD5

    50b725a477fd0229c6c8c3bc2a2f0ffc

  • SHA1

    0ebb1f1f925103b71c53b9d54bbc81c47ea68e30

  • SHA256

    7c6ab5ad391be8a97d9ee5dcb4e72bf321fe7adfdbdd2af5bcd4cd60d3dc2295

  • SHA512

    194718bebf04ce6be9febf02cefc052d0cd71cc98d230a377178bad250bdbe0b739428fc7fab77c2e7f3d4df4c8ce11b680ae2462e0a59c426419b06915d8c4d

  • SSDEEP

    6144:bl4yvofzaSqxx5jBrOp81N4n1AmMZhs6VgwC6:buzazfdxq17Khs646

Score
10/10
gh0stratbootkitdefense_evasiondiscoverypersistencerat

Malware Config

Signatures

  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Gh0strat family
    gh0strat
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 7 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50b725a477fd0229c6c8c3bc2a2f0ffc.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50b725a477fd0229c6c8c3bc2a2f0ffc.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2460
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\run_kl_file.bat" "
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2264
      • C:\Users\Admin\AppData\Local\Temp\ki18FF0.tmp
        C:\Users\Admin\AppData\Local\Temp\ki18FF0.tmp
        3⤵
        • Server Software Component: Terminal Services DLL
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2992
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ins951F.tmp.msi" /quiet
      2⤵
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2816
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2828
      • C:\Users\Admin\AppData\Local\Temp\inl97FD.tmp
        C:\Users\Admin\AppData\Local\Temp\inl97FD.tmp cdf1912.tmp
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2276
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inl97FD.tmp > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1096
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2840
      • C:\Windows\SysWOW64\expand.exe
        expand.exe "C:\Users\Admin\AppData\Local\Temp\favorites_url.cab" -F:*.* "C:\Users\Admin\Favorites"
        3⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:2744
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2968
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2880
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2792
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 2EF1CE5481895F59A38EB6A73C52D7A1
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:3048

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp
    Filesize

    768B

    MD5

    d20d9eda31a2d0300e4589df7f352370

    SHA1

    79b46d2dbb489914cfedafdbc90e62951471b48e

    SHA256

    d7a1d6a8cf5c3fbb85cd06147a599f5274630b86b1c89721f10a60c1bbe994d8

    SHA512

    d28c5b69325a9833776ea362445b77b231a0ec9b9b8b4a2ad37a434ee8b2b0c1903d6ade1e372f73ac8ada951e0a24076cf23d9307d27fed5927f4bf8b0d0a5e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat
    Filesize

    57B

    MD5

    35a19de817a69ede46fa6bb5b75a5360

    SHA1

    e93b927345be489e471a2ca88b08ec1e18087b17

    SHA256

    8c6aab41c846605da42db437fe758e7bcf584343493f2a0c2dc75169c441468b

    SHA512

    488b004f0fb7e11c1908501264e21ad446df9e54d89a474cfbeb9db009a83b12845d7a87db625570220ccb56d0a3388f7740fdb8ec9ee8691387cfb5c196f141

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\run_kl_file.bat
    Filesize

    45B

    MD5

    f50df4fc34ace3a63714573868978727

    SHA1

    d7cca4eaa8bef94625c995426cec5ab253de35f9

    SHA256

    eb047564c8d8f1bfaa36a9a7f7b03027d9c490ddd1c635cd53deaa98af07f866

    SHA512

    fec355b5abc75e65de6b94a0edc0b00955e69fad9e853476b7c4cb54716e9dca81fa2c9362ff3441ea071037f9a22863241d2cb6f807d3d513bc34aca5deea52

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat
    Filesize

    98B

    MD5

    8663de6fce9208b795dc913d1a6a3f5b

    SHA1

    882193f208cf012eaf22eeaa4fef3b67e7c67c15

    SHA256

    2909ea8555f2fc19097c1070a1da8fcfd6dc6886aa1d99d7e0c05e53feeb5b61

    SHA512

    9381063e0f85e874be54ae22675393b82c6ab54b223090148e4acbeff6f22393c96c90b83d6538461b695528af01d1f1231cf5dc719f07d6168386974b490688

    Download Submit

  • C:\Windows\Installer\MSIA2F3.tmp
    Filesize

    48KB

    MD5

    9067aad412defc0d2888479609041392

    SHA1

    36cfffc3bafeb24f88ad5886ca5787ca008b6ba9

    SHA256

    99f4e00b6908057a2fe5067ff6c8b6e32b5c07558ab79139dc4b998f1da4b517

    SHA512

    e69f259d78b02e6c1a5d9c45898b59372329a5288fff655dd741353f112b2b8eed18b01caa2bf312a91f5e314e1c0b036321b37c8efbebdcf3650ba6b12dee6a

    Download Submit

  • \??\c:\users\admin\appdata\local\temp\favorites_url.cab
    Filesize

    425B

    MD5

    da68bc3b7c3525670a04366bc55629f5

    SHA1

    15fda47ecfead7db8f7aee6ca7570138ba7f1b71

    SHA256

    73f3605192b676c92649034768378909a19d13883a7ea6f8ba1b096c78ffadb5

    SHA512

    6fee416affcb6a74621479697bca6f14f5429b00de3aa595abe3c60c6b2e094877b59f8783bbe7bdd567fa565d0630bb02def5603f8f0ea92fe8f2c3ac5383c0

    Download Submit

  • \??\c:\windows\SysWOW64\6ovudn.dll
    Filesize

    48.1MB

    MD5

    9c942b3c3d0e26012b3667169f8428ca

    SHA1

    77705073ad89eb76faba58a66bcf01b96163a0f5

    SHA256

    9dddeef00354e7a8204a2755556bc1d63987d5b8ccdf6c873ed5a90377e26cb3

    SHA512

    3a64c8084a16d7e16a163ad58d5fcc26188e8bc63a39409573971028966ab4eae55623f39a2fab8a31a1656f4be6642bd5d7a626d52b9e46c3d9dbbad4c944f7

    Download Submit

  • memory/2264-17-0x0000000023560000-0x0000000023596000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2276-91-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2460-2-0x0000000000020000-0x0000000000023000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2460-49-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2460-8-0x0000000000740000-0x0000000000750000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2460-1-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2880-56-0x0000000020000000-0x0000000020027000-memory.dmp

    Filesize

    156KB

    Download

  • memory/2880-57-0x0000000000210000-0x0000000000211000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2880-94-0x0000000020000000-0x0000000020027000-memory.dmp

    Filesize

    156KB

    Download

  • memory/2992-20-0x0000000023560000-0x0000000023595BE0-memory.dmp

    Filesize

    214KB

    Download

  • memory/2992-53-0x0000000023560000-0x0000000023595BE0-memory.dmp

    Filesize

    214KB

    Download