Overview

overview

10

Static

static

3

JaffaCakes...0e.exe

windows7-x64

10

JaffaCakes...0e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    128s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20250207-en
  • resource tags

    arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
  • submitted
    06/03/2025, 22:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_57cd8022ba25ee229e954ff879a85b0e.exe

  • Size

    89KB

  • MD5

    57cd8022ba25ee229e954ff879a85b0e

  • SHA1

    3a1e1183457cefbe6a9d8067d7213c939b79aa5c

  • SHA256

    4d827b4a120d42bbf83cd0a50e410dc4ab5a3eb77c70ef6a3942506f4c7b96b4

  • SHA512

    e9a1a1c3461258a12d888f4079c046fe7ba606e1fba5e806ccda98366bc3260f7e5390fb089494b06eed8302eda3feb7205afaad3b3c2ab8554c8c8c97e552ab

  • SSDEEP

    1536:RUi+PinPOLRApoqNsHtTZtQrZq6phxTVoDcgIzl7MQpGtKNx3sXzwQaDl99:/nmL2pUHxZtUZvRTCDcL7MQpCYplV

Score
10/10
gh0stratbootkitdiscoverypersistencerat

Malware Config

Signatures

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Gh0strat family
    gh0strat
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_57cd8022ba25ee229e954ff879a85b0e.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_57cd8022ba25ee229e954ff879a85b0e.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Users\Admin\AppData\Local\Temp\ope9000.exe
      "C:\Users\Admin\AppData\Local\Temp\ope9000.exe"
      2⤵
      • Server Software Component: Terminal Services DLL
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1984
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2104
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2892

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ope905E.jpg
    Filesize

    1KB

    MD5

    19ab457b4966663bda846528fa77f994

    SHA1

    ee969616c6dbc9ae7d2bdfa3e86e8f81662d83e6

    SHA256

    5a52b41d327d0f8e1d0dfd629650f190385b01fff26759699c26bf586dee410e

    SHA512

    a3074b0005edccbb6d50e664f1a5fdba2008f82e926ee29449acf91de97c122c6dbae24a3277d153ab7874bf4f1096a235cb0e7cc1b633e22052ea0eb5d11e5f

    Download Submit

  • \??\c:\windows\SysWOW64\ntfastuserswitchingcompatibility.dll
    Filesize

    148KB

    MD5

    f9dc6833cd375c9f7f99b0785ba15a71

    SHA1

    497cbb8be2c496f4aa613efae129d14a421892a6

    SHA256

    f187913edecaffa00d865ea2938b5613bed9768543ebdbde4672050e9c12bd2a

    SHA512

    f29febe495688863c9305a0499b53bf12501a6f074549414c8b21c6a9a44185e14f21bb3cc0ca1f14a99c6efdc4c48eab8a6ab54c89c2defb9d5e3a553171f77

    Download Submit

  • \Users\Admin\AppData\Local\Temp\ope9000.exe
    Filesize

    184KB

    MD5

    66210006930bc0fe2e8c5b11ea84857c

    SHA1

    52298071235b68103ce8d06e8925992653b7cbe9

    SHA256

    939642db03fb0e0ba34e2f43c65b64d714ba922a98f8950e063ef9f810603dfc

    SHA512

    a672887d26472e1db3f16ea31a10c0d519b15ab62469663ab9134733b75a078d209d270123dd17d1a177d221cd0fae6c364311b27d30f5e6545352d96ba296e6

    Download Submit

  • memory/2040-0-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2040-12-0x0000000002920000-0x0000000002922000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2040-14-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2104-13-0x0000000000220000-0x0000000000222000-memory.dmp

    Filesize

    8KB

    Download