Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-07-2024 08:25

General

  • Target
    1a97c21ab895158257adf055ccd6cf3e_JaffaCakes118.exe
  • Size
    126KB
  • MD5
    1a97c21ab895158257adf055ccd6cf3e
  • SHA1
    5697ad1e9878370ea1f5db00e85298409d489e2b
  • SHA256
    c792acee0987ac17474c1dc846b0c0a1ae2a81a7f08151ffab2754d96085c5cd
  • SHA512
    d58d6ed83d30a94359cfef3605c08d921ad49c5b64ef4def8a1c2d883a83ef2d17f12958630738bf2105f9aa9b9c786b87bb19557efb01811c7eec4045f0e510
  • SSDEEP
    3072:41UNGB+I0Oy8uIqn904rKttHkoIIuZkfiXqCYNg:41UQpu8Hqm4wKodkkqXBm

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload (3 IoCs)
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Deletes itself (1 IoC)
  • Loads dropped DLL (1 IoC)
  • Drops file in Program Files directory (2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\1a97c21ab895158257adf055ccd6cf3e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1a97c21ab895158257adf055ccd6cf3e_JaffaCakes118.exe"
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1584
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    • Deletes itself
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    PID:1216

Network

MITRE ATT&CK Matrix

Downloads

  • C:\3015500.dll
    Filesize
    112KB
    MD5
    339e612cfa378411cff35260fe3084a0
    SHA1
    cc9e82478958e14d7b3a7d404ada2d5745ae3b8e
    SHA256
    7d1220a54ae455ce49db678c94b275191585fecb4d4c8d6aee9a3421eaa65289
    SHA512
    fe1caa47b925296528ed549210756cb890ea735ed56a3d451e0af61f8b83bdbcda6404a91111b632154e0276e3c88c98eef11edd7dd140f31045d57dfec4839f

  • C:\Program Files (x86)\Fbcd\Kbcdefghi.gif
    Filesize
    6.1MB
    MD5
    107b692a26b91d40fb9a54f0d1c5e80e
    SHA1
    7a3b06cc3d8f4a1b5950a7e15669b29e71bfc134
    SHA256
    29a30197d0df326a107e286e12895e709b246c801da65724acce201687a34f8b
    SHA512
    1780766059cf9dd70f084d086ea5c43fb4de9551e0df2d2ef566bc5711d579a515ba6dbf5fb435ae964776fd196c62bf3c12210960be0e17c778f8197445efb6

  • C:\WinWall32.gif
    Filesize
    99B
    MD5
    df60aecaea2c17b91917cf3c306a9477
    SHA1
    23a3decddb8bc25045cbeed4be34cc9fa5915481
    SHA256
    a5ca657eb9df3f8c8b5d0747979bc616d74e69ad6f78d2dc5d0eb52e7f28b603
    SHA512
    251a4335f157170479f062f7b17b593f2026c6dc70238fd9272732de202afae26fbebf05fd8439f66e44260d5840210aa1863e5930c992d06c046061af5bbc28

  • memory/1584-9-0x0000000010000000-0x0000000010028000-memory.dmp
    Filesize
    160KB