Analysis
-
max time kernel
148s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
-
submitted
06/03/2025, 13:52
General
-
Target
JaffaCakes118_569950bac39e02139f59232e4342bd72.exe
-
Size
338KB
-
MD5
569950bac39e02139f59232e4342bd72
-
SHA1
5fe8348ba8e33832c1d32c440ce6bcd5ca2d81a3
-
SHA256
2eaffee2df904fe4f9e8275adba88b6b9c79833cd1c56f2efd730e49994ea3c1
-
SHA512
2ab32d6807279921fd2c3f73d3dd7ed92fd1bdb1823c89e8065c7934b224e613daf7f82f39f457708c7f7ce7dd905f0166c16dfb61ca7d5d009ad857af3a0483
-
SSDEEP
6144:kDOKu03Vjuy4nDWgRAkPf2GQn8xID0DMFChkYkYZeTx1xirVOK/Apf8bZ9oWOQ:8ju0FKvR3Pf2GLxe0Dv7jZw1ucEN9oZQ
Malware Config
Signatures
-
Gh0st RAT payload 6 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Gh0strat family
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Drops file in System32 directory 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_569950bac39e02139f59232e4342bd72.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_569950bac39e02139f59232e4342bd72.exe"1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\insezthji.exeC:\Windows\system32\insezthji.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\userinit.exeuserinit.exe3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
122KB
MD5a8279606ab507648d49c750df7ce270a
SHA1505384b8dc287dbca20ba6d9db506bddbc0b3923
SHA2565d7393bbe0f66c089371c40a7fcc554a4bd130838db35825659df703eef8400d
SHA5125261c109df80b0f3198ecb7d60e9fe18a8b58762266cb80a442c8f00176a12fa1a414d711913ed12d6b12fb1782e79711353e611bf173426decc2c4eb0bb7855
-
Filesize
338KB
MD5f5e0862bddc357383c5a6907b4e048cd
SHA19e7459b8e5df5d23361bcac07d162972acf99d9c
SHA256adc6129112b429c02f50aec4dd5787781adf5ce91b3b39212891f783790dc3cf
SHA51290aeca9251f183e455c4ac240571b72f37e66c0721b49785d1185196aaeb0794084012c7cb515cdb7dc46edc89f3a8f98d42325d96b5337e5810ce76cdb3a00a
-
Filesize
536KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
4KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
256KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB