Analysis

  • max time kernel
    146s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/03/2025, 09:57

General

  • Target

    JaffaCakes118_5e7587a49d66bf47150ad46e64c998f9.exe

  • Size

    148KB

  • MD5

    5e7587a49d66bf47150ad46e64c998f9

  • SHA1

    a9644774e2dcf5f0ea62d0c68f182a03245bcd6a

  • SHA256

    3918f2b69b907cb38962b0aa63ea4d7ca355c3160b304f086ae655d8d296a023

  • SHA512

    d74a3d71502cc801960a0232d34cf27c52b07f46e03e478327bb14b8bd5dc7cbc73e1dd82bab0fa3408db3f18598d2062ee0e7f7abf654f075d1cf69e5b69738

  • SSDEEP

    3072:QnPq5K8oY50gePA/UHMd7i/UIa+fBednUcSYVsqeZ9N7hB3Z:QPq51OPY81/UpGexbSasqephFZ

Malware Config

Signatures

  • Gh0st RAT payload 4 IoCs
  • Gh0strat

    Gh0st RAT is a remote access trojan (RAT) whose source code is publicly available; it has been used by multiple Chinese-speaking threat groups.

  • Gh0strat family
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

    Adversaries may abuse the Terminal Services DLL (termsrv.dll, normally loaded by svchost.exe from the netsvcs group) for persistence, either by replacing the legitimate DLL or by pointing the service's ServiceDll registry value at a malicious DLL that svchost then loads.
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5e7587a49d66bf47150ad46e64c998f9.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5e7587a49d66bf47150ad46e64c998f9.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2492
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Windows\system32\FreeRat.dll setup
      2⤵
      • Server Software Component: Terminal Services DLL
      • System Location Discovery: System Language Discovery
      PID:2104
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2504
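
The tree above shows the chain worth detecting: the dropper (PID 2492) writes FreeRat.dll into the system directory, spawns rundll32.exe to call its setup export, and a svchost.exe -k netsvcs instance (PID 2504) ends up with the same 128KB region at 0x10000000 (the default image base of a 32-bit DLL) that appears in the other two processes, which is consistent with the dropped DLL having been registered as a service DLL in the netsvcs group. One caveat for anyone hunting on disk: both rundll32.exe and svchost.exe run from SysWOW64, so the dropper is 32-bit and the C:\Windows\system32 path in its command line is redirected by WoW64 to C:\Windows\SysWOW64, which is where the DLL most likely lands. The script below is an added example, not output of the sandbox or code from the sample: it correlates Sysmon-style events (constructed here to mirror the tree; the parent PIDs, timestamps and the svchost image-load event are assumptions) so that a drop into the system directory, a rundll32 call on that file, and a later load of it by svchost are each flagged, while a benign rundll32 call on shell32.dll is not.

```python
"""Correlate drop-then-load events of the kind seen in the sandbox tree above.

Constructed Sysmon-style events; field names are this example's own, not Sysmon's.
"""
import ntpath
import re
from dataclasses import dataclass

SYSTEM_DIR = r"c:\windows\system32"

DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\JaffaCakes118_5e7587a49d66bf47150ad46e64c998f9.exe")

# Constructed to mirror the process tree; ppid values, timestamps and the
# svchost image_load are assumptions, as is the SysWOW64 on-disk path.
SAMPLE_EVENTS = [
    {"ts": 0.0, "type": "process_create", "pid": 2492, "ppid": 1234,
     "image": DROPPER, "cmdline": f'"{DROPPER}"'},
    {"ts": 1.2, "type": "file_create", "pid": 2492, "image": DROPPER,
     "target": r"C:\Windows\SysWOW64\FreeRat.dll"},
    {"ts": 1.5, "type": "process_create", "pid": 2104, "ppid": 2492,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\system32\FreeRat.dll setup"},
    {"ts": 2.0, "type": "process_create", "pid": 2504, "ppid": 456,
     "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r"C:\Windows\SysWOW64\svchost.exe -k netsvcs"},
    {"ts": 2.4, "type": "image_load", "pid": 2504,
     "image": r"C:\Windows\SysWOW64\svchost.exe",
     "image_loaded": r"C:\Windows\SysWOW64\FreeRat.dll"},
    # Benign control: rundll32 on a DLL nobody dropped must not be flagged.
    {"ts": 3.0, "type": "process_create", "pid": 3000, "ppid": 1000,
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
]


def normalize(path: str) -> str:
    """Lower-case a path and fold the WoW64 redirection so that a 32-bit
    process naming C:\\Windows\\system32 matches the SysWOW64 file it touched."""
    p = path.strip('"').lower()
    return p.replace(r"c:\windows\syswow64", SYSTEM_DIR)


def parse_rundll32(cmdline: str):
    """Return (dll, entrypoint) from a rundll32 command line, or None.

    rundll32 accepts both 'dll,entry' and 'dll entry'; the DLL may be quoted.
    """
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s+(.*)', cmdline)   # drop the image token
    if not m:
        return None
    rest = m.group(1).strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        if end < 0:
            return None
        dll, rest = rest[1:end], rest[end + 1:]
    else:
        m2 = re.match(r"([^,\s]+)(.*)", rest)
        if not m2:
            return None
        dll, rest = m2.group(1), m2.group(2)
    entry = re.match(r"[,\s]*(\S*)", rest).group(1)
    return dll, entry


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def detect(events, window_s: float = 300.0):
    """Flag DLLs written into the system directory by a non-system process
    and every rundll32 call or svchost load of such a DLL within window_s."""
    drops = {}      # normalized dll path -> (ts, writer pid)
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "file_create":
            tgt = normalize(ev["target"])
            writer_dir = ntpath.dirname(normalize(ev["image"]))
            if (tgt.endswith(".dll") and ntpath.dirname(tgt) == SYSTEM_DIR
                    and writer_dir != SYSTEM_DIR):
                drops[tgt] = (ev["ts"], ev["pid"])
                findings.append(Finding("non-system process wrote DLL into system dir",
                                        ev["pid"], tgt))
        elif (ev["type"] == "process_create"
              and normalize(ev["image"]).endswith(r"\rundll32.exe")):
            parsed = parse_rundll32(ev["cmdline"])
            if parsed:
                dll, entry = parsed
                hit = drops.get(normalize(dll))
                if hit and ev["ts"] - hit[0] <= window_s:
                    findings.append(Finding("rundll32 invoked a freshly dropped DLL",
                                            ev["pid"],
                                            f"{dll} entry={entry} dropped by pid {hit[1]}"))
        elif ev["type"] == "image_load":
            loaded = normalize(ev["image_loaded"])
            hit = drops.get(loaded)
            if hit and normalize(ev["image"]).endswith(r"\svchost.exe"):
                findings.append(Finding("svchost loaded a dropped DLL (service DLL pattern)",
                                        ev["pid"],
                                        f"{loaded} dropped by pid {hit[1]}"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

Run against the constructed events it reports three findings (PIDs 2492, 2104 and 2504) and stays silent on the shell32.dll control. The window keeps the rule tied to the drop rather than to the DLL name, so renaming FreeRat.dll does not evade it; what it cannot see is a ServiceDll registry value, which on a live host you would check separately for every service in the netsvcs group.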

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Local\Temp\Server.tmp

    Filesize

    124KB

    MD5

    e5ebe743972c4afaf1096263ac5a4d65

    SHA1

    8416d6ca36250114de0c3b9c36d298f6fd1f1d68

    SHA256

    0199f3f98323b3a441b658c1452554790be469108cfd339461846e028615dd6b

    SHA512

    85015e7d7dadba57a246c6f5da5f35aa2b08303c5353c0eff2f76e07b58a564e55c8f6b67fecb12bb16cfa69f90d4a9beb50376a77f06a7e19cd8d2a75d3f7b9

  • memory/2104-7-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

  • memory/2492-8-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

  • memory/2504-9-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB