Malware Analysis Report

2025-08-05 21:58

Sample ID 240428-k7ydgscd84
Target 04dbbb89d97f1ca868da34f01f56f6eb_JaffaCakes118
SHA256 bde30e142c6fe2ad822f4d9f5fe1be1977789b5fef120314ff7c88f59bf98970
Tags: gh0strat bootkit persistence rat
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: bde30e142c6fe2ad822f4d9f5fe1be1977789b5fef120314ff7c88f59bf98970

Threat Level: Known bad

The file 04dbbb89d97f1ca868da34f01f56f6eb_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

gh0strat bootkit persistence rat

Gh0st RAT payload

Gh0strat

Deletes itself

Loads dropped DLL

Executes dropped EXE

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Unsigned PE

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-28 09:15

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-28 09:15

Reported: 2024-04-28 09:17

Platform: win7-20240221-en

Max time kernel: 120s

Max time network: 130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\04dbbb89d97f1ca868da34f01f56f6eb_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Gh0strat

rat gh0strat

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | \??\c:\users\admin\appdata\local\gibyqhkncw | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\users\admin\appdata\local\gibyqhkncw | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence

Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\svchost.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\nilehdmxid | C:\Windows\SysWOW64\svchost.exe | N/A
File created | C:\Windows\SysWOW64\npxmlilajg | C:\Windows\SysWOW64\svchost.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\svchost.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7" | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum | C:\Windows\SysWOW64\svchost.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | \??\c:\users\admin\appdata\local\gibyqhkncw | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | \??\c:\users\admin\appdata\local\gibyqhkncw | N/A
Token: SeBackupPrivilege | N/A | \??\c:\users\admin\appdata\local\gibyqhkncw | N/A
Token: SeBackupPrivilege | N/A | \??\c:\users\admin\appdata\local\gibyqhkncw | N/A
Token: SeRestorePrivilege | N/A | \??\c:\users\admin\appdata\local\gibyqhkncw | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\04dbbb89d97f1ca868da34f01f56f6eb_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\04dbbb89d97f1ca868da34f01f56f6eb_JaffaCakes118.exe"

\??\c:\users\admin\appdata\local\gibyqhkncw

"C:\Users\Admin\AppData\Local\Temp\04dbbb89d97f1ca868da34f01f56f6eb_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\04dbbb89d97f1ca868da34f01f56f6eb_jaffacakes118.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | conf.f.360.cn | udp
US | 8.8.8.8:53 | wshdhk.gicp.net | udp
CN | 47.111.82.157:10000 | wshdhk.gicp.net | tcp

Files

\Users\Admin\AppData\Local\gibyqhkncw

MD5 b214d8807e6ce59a9a685c8f6f31788b
SHA1 a57bc6899aeca668ab136df85b0eb506c7f9252b
SHA256 66c749bf116d5a63a898105fcc449cae7202aa7b0e981282d6c168ea02bcae1c
SHA512 b946d7099526d425c4ab1c959e2f1cd3ff162a0dc5e3ea15a4b387efd9031faa4689b53dcb9a2eb52e8dbc3dc8aeed7f11d066075c85bc6df05b7b64de06078d

\??\c:\programdata\application data\storm\update\%sessionname%\tvkoh.cc3

MD5 b258151887d457001a356dd682d0f991
SHA1 109da56f8e3f6d283a17bd0fa3e74459d44080d1
SHA256 966528d30491d8646d0429ac3fbf8e96c5de831ef7d6dfaec383f5a14a69db3f
SHA512 2be4d31165172285e557493b3d94d4bdf8134bb31e4a20ec12b12f2615d991f56d120d718031b54f47de1ca05664d818b8e0afb8315aa550bb7e1dfecc80a798

memory/2984-13-0x00000000001B0000-0x00000000001B1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-28 09:15

Reported: 2024-04-28 09:17

Platform: win10v2004-20240419-en

Max time kernel: 67s

Max time network: 55s

Command Line

"C:\Users\Admin\AppData\Local\Temp\04dbbb89d97f1ca868da34f01f56f6eb_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Gh0strat

rat gh0strat

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | \??\c:\users\admin\appdata\local\ecbctletis | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\users\admin\appdata\local\ecbctletis | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | C:\Windows\SysWOW64\svchost.exe | N/A
File created | C:\Windows\SysWOW64\nilehdmxid | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | C:\Windows\SysWOW64\svchost.exe | N/A
File created | C:\Windows\SysWOW64\naxkaakavh | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | C:\Windows\SysWOW64\svchost.exe | N/A
File created | C:\Windows\SysWOW64\naxkaakavh | C:\Windows\SysWOW64\svchost.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | \??\c:\users\admin\appdata\local\ecbctletis | N/A
N/A | N/A | \??\c:\users\admin\appdata\local\ecbctletis | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | \??\c:\users\admin\appdata\local\ecbctletis | N/A
Token: SeBackupPrivilege | N/A | \??\c:\users\admin\appdata\local\ecbctletis | N/A
Token: SeBackupPrivilege | N/A | \??\c:\users\admin\appdata\local\ecbctletis | N/A
Token: SeRestorePrivilege | N/A | \??\c:\users\admin\appdata\local\ecbctletis | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\04dbbb89d97f1ca868da34f01f56f6eb_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\04dbbb89d97f1ca868da34f01f56f6eb_JaffaCakes118.exe"

\??\c:\users\admin\appdata\local\ecbctletis

"C:\Users\Admin\AppData\Local\Temp\04dbbb89d97f1ca868da34f01f56f6eb_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\04dbbb89d97f1ca868da34f01f56f6eb_jaffacakes118.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 884 -ip 884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 856

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4016 -ip 4016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 1096

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1664 -ip 1664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 836

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | conf.f.360.cn | udp

Files

C:\Users\Admin\AppData\Local\ecbctletis

MD5 5dd6cb0039f0734ef3c4ccb9fdcee50a
SHA1 445d288057fef03a8ed8d6701363243c61999f5d
SHA256 ce6621418e2b44f88fa00cb9edd08722b8679d34eaadcb3ab1110344bbc08370
SHA512 98276028a10f9d4f8083db7bf9778c8b778a12ec930a1ba39a03a9a6a502f1d80d7dbce20a15c291ff6413c4be72908d9774e18ed70b380885090fa444633fc1

\??\c:\programdata\application data\storm\update\%sessionname%\blmds.cc3

MD5 8980590c4f30c62b717b508bf5d9ca5d
SHA1 2f13908f8c7ed802b74f5e30e562c862eb1cbaef
SHA256 1d854cf3c7e67b8e0ade89349d75a40983ac9cba722ce1255dbf653ed61b59ee
SHA512 259b72e99819a6743bdefaa9542f0512f6218bea61694bf18b8e843d14afdbe79d12b46f2c9aedf969f7956070725e8bfb1a031517a619ea8fabfe3af4748161

memory/884-9-0x0000000001EE0000-0x0000000001EE1000-memory.dmp

memory/884-11-0x0000000020000000-0x0000000020027000-memory.dmp

memory/4016-13-0x0000000002200000-0x0000000002201000-memory.dmp

C:\Windows\SysWOW64\svchost.exe.txt

MD5 74831eab775b1499a8be658e38abf60b
SHA1 4a7e2621d29354c8217c334cad8b62d228d96e2c
SHA256 51b62dc0d0d9e5d6856678d1924b83f9afd5b6dcccfe78ced19ef8272daf51af
SHA512 10bdd6887c0ec1ce71cc1d75b6feda0099319498ed1bf0e18cd06215f58fdf10cfdc1dc5dd2d3f795d4c6ea3c53ed8d4cf4200eaa102d0d2fd8cecda9b398277

memory/4016-16-0x0000000020000000-0x0000000020027000-memory.dmp

memory/1664-18-0x0000000001A00000-0x0000000001A01000-memory.dmp

C:\Windows\SysWOW64\svchost.exe.txt

MD5 fe741ecaea2676a73579c00942ab9465
SHA1 2c607cf38427cbd32cd4bee4934a3b61575f1156
SHA256 8e6034255454c53e18710251d6c22ba66c651be934890e045ea1693008fd09e8
SHA512 11eebb0072beba425195976d1b1d1af35c94c1b48ee331d014686edb87625dbca571a7d6872fa8414ec1e638d5dc98e1aff19b2176ac1745c7d2df0a51f9890c

memory/1664-21-0x0000000020000000-0x0000000020027000-memory.dmp