Overview

overview

10

Static

static

3

JaffaCakes...7a.exe

windows7-x64

10

JaffaCakes...7a.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    06/03/2025, 09:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_55d751c908745c2f4334526d1d09967a.exe

  • Size

    150KB

  • MD5

    55d751c908745c2f4334526d1d09967a

  • SHA1

    d0ffbf4e40c650b894bed73537440e25535ea1b5

  • SHA256

    be39b755d4d86b50db73b11f8408701e8dfe3b8de1fe652d153803515569a334

  • SHA512

    1720482c2dd4b0e9d45ce2b2708fee0327dd153e45e3f53106993f95c5b59ab6aa4a10ea4a0f685234253f1cd049fdc6d2adbd1021ebd7b232a505564513f935

  • SSDEEP

    3072:tlxAxiiAYXRJ1cbuR3m8KoNVzbqQ+yaKf4baDJws3wDC:tePXD1zQuNV1+yiC

Score
10/10
gh0stratdefense_evasiondiscoveryrat

Malware Config

Signatures

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Gh0strat family
    gh0strat
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55d751c908745c2f4334526d1d09967a.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55d751c908745c2f4334526d1d09967a.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2112
    • C:\Users\Admin\AppData\Roaming\B8E3.tmp
      C:\Users\Admin\AppData\Roaming\B8E3.tmp
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:1992
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\INSD49~1.INI /quiet
      2⤵
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2008
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2212
      • C:\Users\Admin\AppData\Local\Temp\inlD7F9.tmp
        C:\Users\Admin\AppData\Local\Temp\inlD7F9.tmp cdf1912.tmp
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:836
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inlD7F9.tmp > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2896
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2828
      • C:\Windows\SysWOW64\expand.exe
        expand.exe "C:\Users\Admin\AppData\Local\Temp\favorites_url.cab" -F:*.* "C:\Users\Admin\Favorites"
        3⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:2800
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2572
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2400
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding E9D74D3847FCCE03297615DBD615A1AD
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2688

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\f76d869.rbs
    Filesize

    7KB

    MD5

    a0e7dc1fef695c31af2e1def705f9b1a

    SHA1

    e13d0f5a519e126cab95111169f917a40cbde944

    SHA256

    f77fde44a46e94eba17a5fff0ee60ff98a223e5e754cdd9b13393a2899d3135f

    SHA512

    839d032711d45c96ed9a1c34b21f00c5b224a407f0e282f63ac9acdcfc57f47507a70f6890f497d125a5628753ab694772e5763f60ab25048e8e361bddf6985f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\INSD49~1.INI
    Filesize

    66KB

    MD5

    46c5f8bf0a527e30b3e6d2bd6db64b1a

    SHA1

    77609f02cc73d35218268fc55d5e58fb0195f12d

    SHA256

    6dcec8da0d108d21087b05dbccc117e57955ad2c2677510c3a3242745dcc504f

    SHA512

    dcff946d77312b7f15e9265d419008af3ffb82f09b40929ce589ba29d12b1d0e9cb8e2e03dbda90efe4c9b80487714e931a247db040257333aed66a3b7dab05f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp
    Filesize

    768B

    MD5

    d20d9eda31a2d0300e4589df7f352370

    SHA1

    79b46d2dbb489914cfedafdbc90e62951471b48e

    SHA256

    d7a1d6a8cf5c3fbb85cd06147a599f5274630b86b1c89721f10a60c1bbe994d8

    SHA512

    d28c5b69325a9833776ea362445b77b231a0ec9b9b8b4a2ad37a434ee8b2b0c1903d6ade1e372f73ac8ada951e0a24076cf23d9307d27fed5927f4bf8b0d0a5e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat
    Filesize

    57B

    MD5

    d970f01c54a8b73c127636be9d75d4f5

    SHA1

    44a9eda0f6054c959b543747e34ba99edc76ad06

    SHA256

    50e201e34dc7b901c1ce8c620518d9e1021ba22210cb682d11fe7eaf86fb6b75

    SHA512

    e9981b9faeccc361e140ed0ca7bdfe1862f100080535cc623c0dfd9ec7bf5c22dad412953ea4513e8642a7962659088e7ca98f8b8b9ae504b2dc0921126a4cb0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat
    Filesize

    98B

    MD5

    8663de6fce9208b795dc913d1a6a3f5b

    SHA1

    882193f208cf012eaf22eeaa4fef3b67e7c67c15

    SHA256

    2909ea8555f2fc19097c1070a1da8fcfd6dc6886aa1d99d7e0c05e53feeb5b61

    SHA512

    9381063e0f85e874be54ae22675393b82c6ab54b223090148e4acbeff6f22393c96c90b83d6538461b695528af01d1f1231cf5dc719f07d6168386974b490688

    Download Submit

  • \??\c:\users\admin\appdata\local\temp\favorites_url.cab
    Filesize

    425B

    MD5

    da68bc3b7c3525670a04366bc55629f5

    SHA1

    15fda47ecfead7db8f7aee6ca7570138ba7f1b71

    SHA256

    73f3605192b676c92649034768378909a19d13883a7ea6f8ba1b096c78ffadb5

    SHA512

    6fee416affcb6a74621479697bca6f14f5429b00de3aa595abe3c60c6b2e094877b59f8783bbe7bdd567fa565d0630bb02def5603f8f0ea92fe8f2c3ac5383c0

    Download Submit

  • memory/836-90-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1992-12-0x00000000001F0000-0x00000000001F2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1992-16-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2112-19-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2112-17-0x0000000000020000-0x0000000000023000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2112-53-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2112-0-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2112-8-0x0000000000440000-0x0000000000470000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2112-1-0x0000000000020000-0x0000000000023000-memory.dmp

    Filesize

    12KB

    Download