Analysis

  • max time kernel
    153s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-07-2024 08:25

General

  • Target

    1a97c21ab895158257adf055ccd6cf3e_JaffaCakes118.exe

  • Size

    126KB

  • MD5

    1a97c21ab895158257adf055ccd6cf3e

  • SHA1

    5697ad1e9878370ea1f5db00e85298409d489e2b

  • SHA256

    c792acee0987ac17474c1dc846b0c0a1ae2a81a7f08151ffab2754d96085c5cd

  • SHA512

    d58d6ed83d30a94359cfef3605c08d921ad49c5b64ef4def8a1c2d883a83ef2d17f12958630738bf2105f9aa9b9c786b87bb19557efb01811c7eec4045f0e510

  • SSDEEP

    3072:41UNGB+I0Oy8uIqn904rKttHkoIIuZkfiXqCYNg:41UQpu8Hqm4wKodkkqXBm

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 2 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese groups.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1a97c21ab895158257adf055ccd6cf3e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1a97c21ab895158257adf055ccd6cf3e_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    PID:3328
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    1⤵
    • Deletes itself
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    PID:3948
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3984 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:3888

Network

MITRE ATT&CK Matrix

Downloads

  • C:\1062300.dll
    Filesize

    112KB

    MD5

    339e612cfa378411cff35260fe3084a0

    SHA1

    cc9e82478958e14d7b3a7d404ada2d5745ae3b8e

    SHA256

    7d1220a54ae455ce49db678c94b275191585fecb4d4c8d6aee9a3421eaa65289

    SHA512

    fe1caa47b925296528ed549210756cb890ea735ed56a3d451e0af61f8b83bdbcda6404a91111b632154e0276e3c88c98eef11edd7dd140f31045d57dfec4839f

  • C:\WinWall32.gif
    Filesize

    99B

    MD5

    68bb751f81cdc71002d735609798b43f

    SHA1

    2df9e62aec310cd498d6dd6326a390c783f1559f

    SHA256

    44574ae1e000d02ef0b16e44d2a43942bc0c12cf14ca1506583271b4b2c9d29a

    SHA512

    e8d65dbf74953d5d16997172f8e985227026e0f8c49782c6e932176ff2a661818ff633dd9b29a19d4ab2d8a5fbb1f6f2d0c9ae58e01670c979062c867da9b779

  • \??\c:\program files (x86)\fbcd\kbcdefghi.gif
    Filesize

    5.4MB

    MD5

    b489da46fc3a0177b363d3fc007c87eb

    SHA1

    82fd8585292ac980de36d7dbeb4847b6d5f75806

    SHA256

    bceb9de528ff1cbbedc0ba24761b40132b565933283cc0934ea4b98a7665dcb9

    SHA512

    2885b95ba1184bd7357c26df92ef24b63b09dad26901170d2f9cd6333a9558d356a27a748192a6d2a995dc6dacef33c233f7c5becbd5dc8e838ed230f0504208