Overview

overview

10

Static

static

3

JaffaCakes...e7.exe

windows7-x64

10

JaffaCakes...e7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    96s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/03/2025, 00:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_57fe5ae6076ec4bbc7b63b71883379e7.exe

  • Size

    95KB

  • MD5

    57fe5ae6076ec4bbc7b63b71883379e7

  • SHA1

    37a6a6c2cd7298cef43f02451f5f060980331902

  • SHA256

    a48fa0a1b5199f13b6b2d9c2bf11f305f65813d2b041153d65d0d9686ba140ca

  • SHA512

    d5c257cc4ad8b50847945c5a41d4f7f70124435d9515cbbfc08acf0465b9d276efc477704334e46faa4c132b1333a39d3538e8863d68fca6d93b564c699bf99c

  • SSDEEP

    1536:GNFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prgq5Aubkv:GzS4jHS8q/3nTzePCwNUh4E9z52v

Score
10/10
gh0stratdiscoveryrat

Malware Config

Signatures

  • Gh0st RAT payload 5 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Gh0strat family
    gh0strat
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops file in System32 directory 6 IoCs
  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_57fe5ae6076ec4bbc7b63b71883379e7.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_57fe5ae6076ec4bbc7b63b71883379e7.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4996
    • \??\c:\users\admin\appdata\local\gurmkthdrx
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_57fe5ae6076ec4bbc7b63b71883379e7.exe" a -sc:\users\admin\appdata\local\temp\jaffacakes118_57fe5ae6076ec4bbc7b63b71883379e7.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3168
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:1500
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 1076
      2⤵
      • Program crash
      PID:776
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1500 -ip 1500
    1⤵
      PID:1556
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
      1⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2448
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 1100
        2⤵
        • Program crash
        PID:5076
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2448 -ip 2448
      1⤵
        PID:1632
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
        1⤵
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:392
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 936
          2⤵
          • Program crash
          PID:2768
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 392 -ip 392
        1⤵
          PID:4044

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\gurmkthdrx
          Filesize

          24.7MB

          MD5

          19239819b7098cf5f1ae8be6de50a796

          SHA1

          8ba985f1f804a8ac130cf8524251200645bd597f

          SHA256

          2942fa6efabca9ebb194ba10403d6cd6eddf1de2d91fa7c2a59c307e002185d4

          SHA512

          4298bcc18a728dbe2257b75fd362d21c9f0d52ebf75332bc8d2ad9e105dbb162eae8f0d8ca3e47769bb19bc11010bd7303a881db9fc24c6d88720930cd922afe

          Download Submit

        • C:\Windows\SysWOW64\svchost.exe.txt
          Filesize

          200B

          MD5

          19999a369843fd36eb29e645462ff834

          SHA1

          6ddc3babf129e62f499afd0b7aade5a7b51660c1

          SHA256

          c6361ddd8eb1a22d04d66644e8ced56de35782dd82c8dafad2da3d0cfd8af74b

          SHA512

          83d964ac2ffae6a78c08e372d6f4d0cc1e5a4a3b6a7ea409a036a53fb7ba2ee4fadafa2588fd9dccea117d18d8c54234334c379cdacafea18bf1c1c16efb3a65

          Download Submit

        • C:\Windows\SysWOW64\svchost.exe.txt
          Filesize

          300B

          MD5

          6b56cef54829df2b506850635f57de16

          SHA1

          dc5edbae68c31222ba1327129d0b2bf73ef4f0bd

          SHA256

          e2472fa074621efbf51f97ee25bdc5d34ee073ad71f81fe79c9902c980e8f1c4

          SHA512

          d9c373458cabca5231bd974d9888015050534156a61755f801bae16c8fb1d0c0f9c5aef9aef374e6d09551e65aa3cce156feb87399a8fbcd9381ca8e8ec3475f

          Download Submit

        • \??\c:\programdata\application data\storm\update\%sessionname%\xxkvt.cc3
          Filesize

          23.0MB

          MD5

          8b500de7bd2706797696107076b625c1

          SHA1

          be31dff55735a1c03a9fabfa09980e75c6ed74cc

          SHA256

          dd6e4dba22c81fe3b973d91ca3745187fc7e555404c96b8ab8cd9ee67eb07d81

          SHA512

          0c3443435587e5a1e21ee621455877dcad561ebb290e188b0f6841451a753cc0336cd2fd078f3fbd6914a857ef9af0c0e235495eadd500283cfb594bf307aa52

          Download Submit

        • memory/392-30-0x0000000020000000-0x0000000020027000-memory.dmp

          Filesize

          156KB

          Download

        • memory/392-27-0x0000000001E80000-0x0000000001E81000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1500-18-0x0000000001900000-0x0000000001901000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1500-20-0x0000000020000000-0x0000000020027000-memory.dmp

          Filesize

          156KB

          Download

        • memory/2448-25-0x0000000020000000-0x0000000020027000-memory.dmp

          Filesize

          156KB

          Download

        • memory/2448-22-0x0000000001DE0000-0x0000000001DE1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3168-17-0x0000000000400000-0x000000000044E1F0-memory.dmp

          Filesize

          312KB

          Download

        • memory/3168-9-0x0000000000400000-0x000000000044E1F0-memory.dmp

          Filesize

          312KB

          Download

        • memory/3168-10-0x00000000001D0000-0x00000000001D1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4996-0-0x0000000000400000-0x000000000044E1F0-memory.dmp

          Filesize

          312KB

          Download

        • memory/4996-12-0x0000000000400000-0x000000000044E1F0-memory.dmp

          Filesize

          312KB

          Download

        • memory/4996-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

          Filesize

          4KB

          Download