General

  • Target

    JaffaCakes118_5b740c8a44fc00d67b88a9685fa7f038

  • Size

    96KB

  • Sample

    250309-1rjhdssnx7

  • MD5

    5b740c8a44fc00d67b88a9685fa7f038

  • SHA1

    c7111cb7dc916d0497d5f3ca40685cc4bd26f9be

  • SHA256

    1c221f9ecc204c8afd01456e0aec5db1229eb90f77f69e72d461187b430cec26

  • SHA512

    da029a40d1d81f8917cba906b098aad25a92b4d418667da2ea919deb8a5508c618ae0b730f45cd7569fc543a92c0a9100e141c8bebc77cf59f901c6dbde8c2b6

  • SSDEEP

    1536:OmFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8pr9cgdO1Gp3v:OsS4jHS8q/3nTzePCwNUh4E9Ukp/

Malware Config

Targets

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese groups.

    • Gh0strat family

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks