Analysis

  • max time kernel
    141s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/04/2025, 14:34

General

  • Target

    JaffaCakes118_9ad7ce8b3d0c6aa510e603d30d19970f.exe

  • Size

    172KB

  • MD5

    9ad7ce8b3d0c6aa510e603d30d19970f

  • SHA1

    ab6bf3d741da6f717c5b02f7126d968d0031448e

  • SHA256

    45816da3f542db9f600cd66d2dfd68e6d76eb8dd617470a8998e43c34e9d82cb

  • SHA512

    ad4e31afe13a43c87dd520b5ca7d65f6dfc06d531087c4ea9ca32592346b34d867c59d065cf0d0c254e1fe64343a4acda54a6c9857ed1af00a4412da501c2789

  • SSDEEP

    3072:wNoxFCSKntzbcvf4KFnXMk7TGL69ire0YukcEfUE868Q:eCCboVXMot9grYukFfL86

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 2 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese groups.

  • Gh0strat family
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ad7ce8b3d0c6aa510e603d30d19970f.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ad7ce8b3d0c6aa510e603d30d19970f.exe"
    • Loads dropped DLL
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4624
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    • Deletes itself
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:4072

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\temp2009400.dll

    Filesize

    109KB

    MD5

    07d0ab958f9c3107d4e961f07e64745e

    SHA1

    a8be8260992e903fbdc45a3d97ebe64591632b17

    SHA256

    eac7795a5869541a5ae163f93e2b7cfcd4fdb6b2f990b94980376223d73699bb

    SHA512

    cad8b9108b45fca56df64a5bfdb3c8b041c947d0cdb472416a32d723161cca3eff2e9f994bb0d7992f217e38dc7f9f9801e140a05cf5ae50ced7c56f1edeb7b7

  • \??\c:\NT_Path.old

    Filesize

    111B

    MD5

    5b171e43da60b0a5cef2b4bb2caeb6b7

    SHA1

    42f36a1397daefee8eff1dcffe7bfacd3a0b4206

    SHA256

    8b3ac8b1df997428e69a023fd0c4c9c390e51ca9c460caaa117634598009ac81

    SHA512

    f7c6fa6526163e01b1c9f4cc9dea6e92e41a7a8edbd3a2e47fbe00e959f28c488d53031bdf56f090e741a6097d6d68b5efe72162935462ae8ad585acc66f0534

  • \??\c:\windows\filename.jpg

    Filesize

    7.5MB

    MD5

    1481c8efb308af5524eacc8b5a21dc0a

    SHA1

    bc075155f1d73538f521cc8d7bcb767f6b87f7f9

    SHA256

    33ddec21fedf55ff0d475d6a69da4fc07100855869e504e357796da55a801149

    SHA512

    eb9097a0e27e4addeefeb465d4891f5d038271348f26832af37e0253d996c20072adf03e6816b032225cb06cec3b29e14b0d6e93734d7cf6c4ac74bcdd64ede1