Analysis

  • max time kernel
    78s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/03/2025, 21:52

General

  • Target
    JaffaCakes118_5b740c8a44fc00d67b88a9685fa7f038.exe
  • Size
    96KB
  • MD5
    5b740c8a44fc00d67b88a9685fa7f038
  • SHA1
    c7111cb7dc916d0497d5f3ca40685cc4bd26f9be
  • SHA256
    1c221f9ecc204c8afd01456e0aec5db1229eb90f77f69e72d461187b430cec26
  • SHA512
    da029a40d1d81f8917cba906b098aad25a92b4d418667da2ea919deb8a5508c618ae0b730f45cd7569fc543a92c0a9100e141c8bebc77cf59f901c6dbde8c2b6
  • SSDEEP
    1536:OmFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8pr9cgdO1Gp3v:OsS4jHS8q/3nTzePCwNUh4E9Ukp/

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 5 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese groups.

  • Gh0strat family
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops file in System32 directory 6 IoCs
  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5b740c8a44fc00d67b88a9685fa7f038.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5b740c8a44fc00d67b88a9685fa7f038.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4356
    • \??\c:\users\admin\appdata\local\mllgpqwmri
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5b740c8a44fc00d67b88a9685fa7f038.exe" a -sc:\users\admin\appdata\local\temp\jaffacakes118_5b740c8a44fc00d67b88a9685fa7f038.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1868
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:3428
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 1052
      2⤵
      • Program crash
      PID:868
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3428 -ip 3428
    1⤵
    PID:1924
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:2484
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 780
      2⤵
      • Program crash
      PID:4152
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2484 -ip 2484
    1⤵
    PID:4384
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:3896
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 1092
      2⤵
      • Program crash
      PID:4084
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3896 -ip 3896
    1⤵
    PID:2872

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\svchost.exe.txt
    Filesize
    200B
    MD5
    aa3012dfb35b8c0bfa5b2c04f424bb13
    SHA1
    b8e3c39cbb67d53c102187b894a8a5e1eb539385
    SHA256
    b0ffe4d4923db7335e6e62ca7c0a3ee6d93b1d0851bb0d5536689e6e9d19cf0d
    SHA512
    c9739d6d78cafaf616bc34b22774fc7db3c2cfd443db650d49bdc40856e2b0e4d99d1040681ff33bf22f4258327f3039f0326857c93278e47e45322618af2471
  • C:\Windows\SysWOW64\svchost.exe.txt
    Filesize
    300B
    MD5
    edd83a0991afe3b581a46ca721f8cc0e
    SHA1
    8c89c36f79b6e4ce3a9306d84a9e0c126394da49
    SHA256
    d0812d9955824281bfb5eeea2187f1168d390cbebcb7de27e7f0f0869f8a82d5
    SHA512
    a87c204735a377e51cca7a7e7170cd06065b81a076672af301752e9d9fc4a2f0541677b6e80ccbab94abca6ae502b157a579e11705d4c344633f534cbd5c4b48
  • \??\c:\programdata\application data\storm\update\%sessionname%\mtgst.cc3
    Filesize
    23.0MB
    MD5
    a443ca06e9f31cfaec70c4cdd4f7f9e2
    SHA1
    b978c40b78e28164cc0f95c6c7a02e8f9e155ed1
    SHA256
    84f858b019e8684ff6dcebbae2819467f71334d7b1b27fcc2330da1337403b9d
    SHA512
    2607cd86f55c65897d28aa8802735fa2645dfa7eb13aacdd235d72037f970c12a5708f6034254956e5834342afa47823450afae8d321b5cd472f0f3e9a23bba6
  • \??\c:\users\admin\appdata\local\mllgpqwmri
    Filesize
    19.9MB
    MD5
    4b08b0245fde26a5eb18704183cc0a6a
    SHA1
    1fc49c5d9e83d54d5f0b9dfba7c46cda899af332
    SHA256
    17f4ca1964ba1d43895b9ff85f6373a9f8a91822e81da1c6ca680a7715e66ba8
    SHA512
    81cf0340031b5cef30b9670b93bc18256b40094c6e98e5093190c561915198c2dc76ba20d50459ecfa66cb6041f77fbf2078a6b4453b701477f38e7265adc093
  • memory/1868-16-0x0000000000400000-0x000000000044E2C0-memory.dmp
    Filesize
    312KB
  • memory/1868-11-0x0000000000400000-0x000000000044E2C0-memory.dmp
    Filesize
    312KB
  • memory/2484-21-0x0000000002090000-0x0000000002091000-memory.dmp
    Filesize
    4KB
  • memory/2484-24-0x0000000020000000-0x0000000020027000-memory.dmp
    Filesize
    156KB
  • memory/3428-17-0x00000000011F0000-0x00000000011F1000-memory.dmp
    Filesize
    4KB
  • memory/3428-19-0x0000000020000000-0x0000000020027000-memory.dmp
    Filesize
    156KB
  • memory/3896-26-0x00000000013F0000-0x00000000013F1000-memory.dmp
    Filesize
    4KB
  • memory/3896-29-0x0000000020000000-0x0000000020027000-memory.dmp
    Filesize
    156KB
  • memory/4356-0-0x0000000000400000-0x000000000044E2C0-memory.dmp
    Filesize
    312KB
  • memory/4356-8-0x0000000000400000-0x000000000044E2C0-memory.dmp
    Filesize
    312KB
  • memory/4356-2-0x00000000001D0000-0x00000000001D1000-memory.dmp
    Filesize
    4KB