Analysis

  • max time kernel
    95s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/03/2025, 22:58

General

  • Target

    JaffaCakes118_57da45c67b2ce89876a2180cb6f1828d.exe

  • Size

    95KB

  • MD5

    57da45c67b2ce89876a2180cb6f1828d

  • SHA1

    b56eca1e18bb2e2aec2a47f238c0973bd755d001

  • SHA256

    676cfd6a513b17e1bc667e688beac7f40455b586a643c5b97355c575b857dc5d

  • SHA512

    b6e3aa31c74a5a7cb9332536fc49162f1b2ae78c24c664ea6b0fa2448226ef7b97ec93ad02860d6d10f6bdce18faef9aef24392deccdc75d6deb639084ee9b96

  • SSDEEP

    1536:IHFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8praiuXvd:IxS4jHS8q/3nTzePCwNUh4E9aiYvd

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 5 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Gh0strat family
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops file in System32 directory 6 IoCs
  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_57da45c67b2ce89876a2180cb6f1828d.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_57da45c67b2ce89876a2180cb6f1828d.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2144
    • \??\c:\users\admin\appdata\local\cbqrhxirwj
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_57da45c67b2ce89876a2180cb6f1828d.exe" a -sc:\users\admin\appdata\local\temp\jaffacakes118_57da45c67b2ce89876a2180cb6f1828d.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:956
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:896
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 1100
      2⤵
      • Program crash
      PID:1820
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 896 -ip 896
    1⤵
      PID:1068
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
      1⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2196
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 1112
        2⤵
        • Program crash
        PID:2520
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2196 -ip 2196
      1⤵
        PID:3000
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
        1⤵
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4160
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 1100
          2⤵
          • Program crash
          PID:1296
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4160 -ip 4160
        1⤵
          PID:1932

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\ProgramData\Storm\update\%SESSIONNAME%\upjcl.cc3

          Filesize

          22.0MB

          MD5

          20c51f6a61fbe1af7a7f3c16729a48f2

          SHA1

          a651a9bbbf505f07153ee9d1131cbe34146c7703

          SHA256

          11267622e3c628c2bd7d20e17f9ca279b91618c31175ac283c74a8d6c1845d8c

          SHA512

          4a4bf904d0c3a0c1d1c8e1a0f1889b4a88b0efe6d80593eda8b24b183b234cd5d2396495efe0a070dcf87d1b7543ab2fa0f2b365fe576747ae0c0369737ba63c

        • C:\Users\Admin\AppData\Local\cbqrhxirwj

          Filesize

          24.8MB

          MD5

          0924b608aa02de758c0db04a36965c98

          SHA1

          001023cc30b890a649ab1e87eced3fe52cacca38

          SHA256

          8d048b9ae57c6cfb06d543836820134d00793e974269d07db39e47746bea4e1c

          SHA512

          95bf7145b934306d1f8f763973e26e71b2bde6b57487b3ca91b837b31868c8ab2b10955d813fd52c4d52b158fe9a138bf4ad203d3327d105fc2931c62fb3fe22

        • C:\Windows\SysWOW64\svchost.exe.txt

          Filesize

          202B

          MD5

          9acf8a33ef4d3f90c51a1334b5292835

          SHA1

          3c3ab2e6f96e24d9d328e4d079e148d1dd6c48e7

          SHA256

          4e7882ba3715afa441eab06d37a5258a9af6a5e78f5db59336cf602aba75a62f

          SHA512

          46432398b53076efd2bb05c6c1ebe0eaab1d3b922c67de6089dbb1942d3a3643dafac6a6251c77ac413e14182b8f7e40838317966d74c0fabc50dd5de1fbc74a

        • C:\Windows\SysWOW64\svchost.exe.txt

          Filesize

          303B

          MD5

          f274f0a12f2e54adcf2764be9b83aa6c

          SHA1

          7dd7334e8cceafb3ea764bb4b85b71734bbecbbc

          SHA256

          2838b086c2c49cca16775135b9fa5f598b4e34c734c2a834a7f683cc5096b831

          SHA512

          cfe4d53976dd2612c3802650b6f61cfa333b38a6f708ef51d01eb85a9bc92e89e011c2a0aae54a19e75028e228e6b46ef2cda63b7093e8774539549e0f7da247

        • memory/896-20-0x0000000020000000-0x0000000020027000-memory.dmp

          Filesize

          156KB

        • memory/896-18-0x0000000001BB0000-0x0000000001BB1000-memory.dmp

          Filesize

          4KB

        • memory/956-12-0x00000000001D0000-0x00000000001D1000-memory.dmp

          Filesize

          4KB

        • memory/956-17-0x0000000000400000-0x000000000044E308-memory.dmp

          Filesize

          312KB

        • memory/956-10-0x0000000000400000-0x000000000044E308-memory.dmp

          Filesize

          312KB

        • memory/2144-9-0x0000000000400000-0x000000000044E308-memory.dmp

          Filesize

          312KB

        • memory/2144-0-0x0000000000400000-0x000000000044E308-memory.dmp

          Filesize

          312KB

        • memory/2144-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

          Filesize

          4KB

        • memory/2196-22-0x00000000020A0000-0x00000000020A1000-memory.dmp

          Filesize

          4KB

        • memory/2196-25-0x0000000020000000-0x0000000020027000-memory.dmp

          Filesize

          156KB

        • memory/4160-27-0x0000000001BD0000-0x0000000001BD1000-memory.dmp

          Filesize

          4KB

        • memory/4160-30-0x0000000020000000-0x0000000020027000-memory.dmp

          Filesize

          156KB