Malware Analysis Report

2025-03-14 23:12

Sample ID 240407-aahlnafe65
Target e3993f03c3342004c6ae7052e734f38b_JaffaCakes118
SHA256 9247469559d064e187b283065a2d04192199301e69c8bd384f009269742d8add
Tags
gh0strat persistence rat
score
10/10

Analysis Overview

score
10/10

SHA256

9247469559d064e187b283065a2d04192199301e69c8bd384f009269742d8add

Threat Level: Known bad

The file e3993f03c3342004c6ae7052e734f38b_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

gh0strat persistence rat

Gh0st RAT payload

Gh0strat

Gh0strat family

Drops file in Drivers directory

Sets DLL path for service in the registry

Loads dropped DLL

Deletes itself

Drops file in System32 directory

Unsigned PE

Program crash

Suspicious behavior: LoadsDriver

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 00:00

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Gh0strat family

gh0strat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 00:00

Reported

2024-04-07 00:03

Platform

win7-20240221-en

Max time kernel

121s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e3993f03c3342004c6ae7052e734f38b_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Drops file in Drivers directory

Description: File opened for modification
Indicator: C:\Windows\SysWOW64\Drivers\beep.sys
Process: C:\Users\Admin\AppData\Local\Temp\e3993f03c3342004c6ae7052e734f38b_JaffaCakes118.exe
Target: N/A

Description: File opened for modification
Indicator: C:\Windows\SysWOW64\Drivers\beep.sys
Process: C:\Windows\SysWOW64\svchost.exe
Target: N/A

Sets DLL path for service in the registry

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibilityex.dll"
Process: C:\Users\Admin\AppData\Local\Temp\e3993f03c3342004c6ae7052e734f38b_JaffaCakes118.exe
Target: N/A

Deletes itself

Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\svchost.exe
Target: N/A

Drops file in System32 directory

Description: File opened for modification
Indicator: C:\Windows\SysWOW64\FastUserSwitchingCompatibilityex.dll
Process: C:\Users\Admin\AppData\Local\Temp\e3993f03c3342004c6ae7052e734f38b_JaffaCakes118.exe
Target: N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e3993f03c3342004c6ae7052e734f38b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e3993f03c3342004c6ae7052e734f38b_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k neTsvcs

Network

N/A

Files

memory/3052-0-0x0000000000400000-0x0000000000429000-memory.dmp

\Users\Admin\AppData\Local\Temp\dll.tmp

MD5 8be18f32bfd8dc35aacd8231c81ac199
SHA1 7643e420f924fcf97ba76040cd7e3951af475835
SHA256 1fdb538e2ffd8d11ce72bb6596f1af9fabb2bab09c763edabe6da6ab60030c53
SHA512 999925b555b0fe9df913e250f833afc072f59b863d6dac62b4cd2800a316b2aee95da568fae5ba3ab4b355de89c2ccaadc53465e6e9145164e5111c1083ac6b1

memory/3052-6-0x0000000010000000-0x000000001001F000-memory.dmp

memory/3052-14-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3016-16-0x0000000010000000-0x000000001001F000-memory.dmp

C:\Windows\SysWOW64\install.tmp

MD5 0a7fc6c86175abe9e7fea57b2e6a25f1
SHA1 a89f88770327023f06ed1f8a0f9be938052bd1c7
SHA256 6f58db460257191921e8ab0d29c91ea200f0417c58040701aa3b20f9529a12e1
SHA512 de2078a99760ae69a6236ffec2fa7191b52267636195abc297f9c41db6cdd8ebd24ea800d612f26d72a270b34dd902f24b9723d61452b93ec53c51577eaa6314

memory/3016-18-0x0000000010000000-0x000000001001F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 00:00

Reported

2024-04-07 00:02

Platform

win10v2004-20240226-en

Max time kernel

92s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e3993f03c3342004c6ae7052e734f38b_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Drops file in Drivers directory

Description: File opened for modification
Indicator: C:\Windows\SysWOW64\Drivers\beep.sys
Process: C:\Users\Admin\AppData\Local\Temp\e3993f03c3342004c6ae7052e734f38b_JaffaCakes118.exe
Target: N/A

Description: File opened for modification
Indicator: C:\Windows\SysWOW64\Drivers\beep.sys
Process: C:\Windows\SysWOW64\svchost.exe
Target: N/A

Sets DLL path for service in the registry

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibilityex.dll"
Process: C:\Users\Admin\AppData\Local\Temp\e3993f03c3342004c6ae7052e734f38b_JaffaCakes118.exe
Target: N/A

Deletes itself

Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\svchost.exe
Target: N/A

Drops file in System32 directory

Description: File opened for modification
Indicator: C:\Windows\SysWOW64\FastUserSwitchingCompatibilityex.dll
Process: C:\Users\Admin\AppData\Local\Temp\e3993f03c3342004c6ae7052e734f38b_JaffaCakes118.exe
Target: N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e3993f03c3342004c6ae7052e734f38b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e3993f03c3342004c6ae7052e734f38b_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4180 -ip 4180

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 484

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k neTsvcs -s FastUserSwitchingCompatibility

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 80.192.122.92.in-addr.arpa udp

Files

memory/4180-0-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dll.tmp

MD5 8be18f32bfd8dc35aacd8231c81ac199
SHA1 7643e420f924fcf97ba76040cd7e3951af475835
SHA256 1fdb538e2ffd8d11ce72bb6596f1af9fabb2bab09c763edabe6da6ab60030c53
SHA512 999925b555b0fe9df913e250f833afc072f59b863d6dac62b4cd2800a316b2aee95da568fae5ba3ab4b355de89c2ccaadc53465e6e9145164e5111c1083ac6b1

memory/4180-6-0x0000000010000000-0x000000001001F000-memory.dmp

memory/4180-15-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2420-17-0x0000000010000000-0x000000001001F000-memory.dmp

C:\Windows\SysWOW64\install.tmp

MD5 0a7fc6c86175abe9e7fea57b2e6a25f1
SHA1 a89f88770327023f06ed1f8a0f9be938052bd1c7
SHA256 6f58db460257191921e8ab0d29c91ea200f0417c58040701aa3b20f9529a12e1
SHA512 de2078a99760ae69a6236ffec2fa7191b52267636195abc297f9c41db6cdd8ebd24ea800d612f26d72a270b34dd902f24b9723d61452b93ec53c51577eaa6314

memory/2420-19-0x0000000010000000-0x000000001001F000-memory.dmp