General

  • Target

    JaffaCakes118_56862ecfc66c6941e12357f602424b25

  • Size

    476KB

  • Sample

    250306-qpb1esyzd1

  • MD5

    56862ecfc66c6941e12357f602424b25

  • SHA1

    c0ad1a78286d3f6e11492d0fbcf305f02f73a28f

  • SHA256

    5da4a3e61bf7cf4a2d4240bc3b1de93a61e57fc3519e13caf2474f7d12030d3f

  • SHA512

    3eda14f758cc3e7a3df5a88e9da817729b93b8955a34b6c0cd26a67b7eb750a7ba487e2305974e457b5258b4c79c1d21d863e7ca05c67718e2fdf1164cd67369

  • SSDEEP

    6144:9qOVverctVjgK6GuQq9+vAG+wLhLL/Z0axth2uL29E2xlVqc:9q2veAtaK6GuQq9lG5hLL/guLT

Malware Config

Targets

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese groups.

    • Gh0strat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks