Overview

overview

10

Static

static

3

JaffaCakes...28.exe

windows7-x64

10

JaffaCakes...28.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20250207-en
  • resource tags

    arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
  • submitted
    09/03/2025, 15:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_59e86357ca3622c3e24a92a6e764c128.exe

  • Size

    344KB

  • MD5

    59e86357ca3622c3e24a92a6e764c128

  • SHA1

    f113451dc8ce1d69109f3b6d72f09b1bbe273268

  • SHA256

    541804add529cc2edd15a027e1f3370ce78d9c13d8fa4b15bdc19b8be1f5ff0b

  • SHA512

    92cd4cf7190616939fec99ba9e2f9bc8951a2b5bc3c249752bda407230e3e7feed9493b8200807ec86f0f9926ee436bd0e48559848ab951d340e9e31989a1969

  • SSDEEP

    6144:nINgekrKFVH0pwpM9NBiBd3wxQKwaaQMoTUK:nINgekrKFVH0pp9KdAxQKwBS

Score
10/10
gh0stratbootkitdefense_evasiondiscoverypersistencerat

Malware Config

Signatures

  • Gh0st RAT payload 5 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Gh0strat family
    gh0strat
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 11 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in Program Files directory 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_59e86357ca3622c3e24a92a6e764c128.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_59e86357ca3622c3e24a92a6e764c128.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:324
    • C:\Program Files\Common Files\qiuqi0.exe
      "C:\Program Files\Common Files\qiuqi0.exe" "C:\Program Files\Common Files\maoma0.dll" ServiceMain
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:320
    • C:\Documents and Settings\qiuqi0.exe
      "C:\Documents and Settings\qiuqi0.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2888
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c del C:\DOCUME~1\qiuqi0.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2188
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c del C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2832

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Common Files\maoma0.dll
    Filesize

    24.1MB

    MD5

    224b088ba30175ed62136a80c9152e2c

    SHA1

    81738c463d0c2ee0d3fe5274207954e278b34b11

    SHA256

    0ccf15e9709000365319ac99a626bd4a3f853950c7865fa1c9120f32eca0280d

    SHA512

    3e2f6f07972d6b76bc2505042a4081805b030e57e98f9dcfd3937f6380d09b744aed13cecb3ab23ef0c0df73103d8dccd5ab2734c68399d335c14a298b03e98e

    Download Submit

  • \Program Files\Common Files\qiuqi0.exe
    Filesize

    43KB

    MD5

    51138beea3e2c21ec44d0932c71762a8

    SHA1

    8939cf35447b22dd2c6e6f443446acc1bf986d58

    SHA256

    5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

    SHA512

    794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

    Download Submit

  • \Users\qiuqi0.exe
    Filesize

    24.0MB

    MD5

    bbd9f2d3f975bbf73dff248cedf0e396

    SHA1

    6be6196f3af3a9be403a4849aa4acadad2db17cc

    SHA256

    2f20c777e1f186420e9475aac8c0890f2d3d62ae982d04a37045c83a044fe1e4

    SHA512

    cae2ae54976686199c3c3aabac4999507cbc21ffd76a2407fc1ab2e4f513dd610b06df4b6b7b8478cf4e485a9ff14df5904225b28fcb5959f9e6c7fbd2a2e479

    Download Submit

  • memory/320-26-0x0000000020000000-0x0000000020027000-memory.dmp

    Filesize

    156KB

    Download

  • memory/320-27-0x0000000020000000-0x0000000020027000-memory.dmp

    Filesize

    156KB

    Download

  • memory/320-47-0x0000000020000000-0x0000000020027000-memory.dmp

    Filesize

    156KB

    Download

  • memory/320-24-0x0000000020000000-0x0000000020027000-memory.dmp

    Filesize

    156KB

    Download

  • memory/324-3-0x00000000002A0000-0x00000000002DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/324-29-0x00000000002A0000-0x00000000002DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/324-2-0x00000000002A0000-0x00000000002DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/324-0-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

    Download

  • memory/324-7-0x00000000002F0000-0x00000000002F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/324-8-0x0000000000300000-0x0000000000302000-memory.dmp

    Filesize

    8KB

    Download

  • memory/324-28-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

    Download

  • memory/324-4-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

    Download

  • memory/324-1-0x0000000000240000-0x00000000002B9000-memory.dmp

    Filesize

    484KB

    Download

  • memory/324-5-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

    Download

  • memory/324-35-0x0000000000320000-0x0000000000326000-memory.dmp

    Filesize

    24KB

    Download

  • memory/324-46-0x00000000002A0000-0x00000000002DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/324-45-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2888-42-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2888-37-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

    Download