Malware Analysis Report

2025-03-15 06:39

Sample ID: 240530-nqrfdsgg69
Target: 84175cd8194c34c5a0eb7db5a6ddb84b_JaffaCakes118
SHA256: 064086adcdd576b5afe5d173ff8fc48b85c7cbc6489ea0af330ebcc923b2ced2
Tags: gh0strat bootkit persistence rat
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file 84175cd8194c34c5a0eb7db5a6ddb84b_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Gh0st RAT payload

Gh0strat

Deletes itself

Loads dropped DLL

Executes dropped EXE

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Program crash

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-30 11:36

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-30 11:36
Reported: 2024-05-30 11:38
Platform: win10v2004-20240426-en
Max time kernel: 148s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\84175cd8194c34c5a0eb7db5a6ddb84b_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\84175cd8194c34c5a0eb7db5a6ddb84b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\84175cd8194c34c5a0eb7db5a6ddb84b_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 552 -ip 552

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 304

Network

Country  Destination  Domain                        Proto
US       8.8.8.8:53   183.142.211.20.in-addr.arpa   udp
US       8.8.8.8:53   172.210.232.199.in-addr.arpa  udp
US       8.8.8.8:53   17.53.126.40.in-addr.arpa     udp
US       8.8.8.8:53   241.150.49.20.in-addr.arpa    udp
US       8.8.8.8:53   157.123.68.40.in-addr.arpa    udp
US       8.8.8.8:53   198.187.3.20.in-addr.arpa     udp
US       8.8.8.8:53   13.227.111.52.in-addr.arpa    udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-30 11:36
Reported: 2024-05-30 11:38
Platform: win7-20240221-en
Max time kernel: 131s
Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\84175cd8194c34c5a0eb7db5a6ddb84b_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Deletes itself

Description Indicator Process Target
N/A N/A \??\c:\users\admin\appdata\local\ihhelfertc N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\users\admin\appdata\local\ihhelfertc N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\xknfryclts C:\Windows\SysWOW64\svchost.exe N/A
File created C:\Windows\SysWOW64\xawcfxvstf C:\Windows\SysWOW64\svchost.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\svchost.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\users\admin\appdata\local\ihhelfertc N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A \??\c:\users\admin\appdata\local\ihhelfertc N/A
Token: SeBackupPrivilege N/A \??\c:\users\admin\appdata\local\ihhelfertc N/A
Token: SeBackupPrivilege N/A \??\c:\users\admin\appdata\local\ihhelfertc N/A
Token: SeRestorePrivilege N/A \??\c:\users\admin\appdata\local\ihhelfertc N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\84175cd8194c34c5a0eb7db5a6ddb84b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\84175cd8194c34c5a0eb7db5a6ddb84b_JaffaCakes118.exe"

\??\c:\users\admin\appdata\local\ihhelfertc

"C:\Users\Admin\AppData\Local\Temp\84175cd8194c34c5a0eb7db5a6ddb84b_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\84175cd8194c34c5a0eb7db5a6ddb84b_jaffacakes118.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs

Network

Country  Destination      Domain          Proto
US       8.8.8.8:53       conf.f.360.cn   udp
N/A      127.0.0.1:10086                  tcp
N/A      127.0.0.1:10086                  tcp

Files

\Users\Admin\AppData\Local\ihhelfertc

MD5 ef378c299937494c86dd36b84a7dc4b2
SHA1 8efbdbf349b40cb12bc67e581463e47ba7b2e995
SHA256 797861cb55d1e8570522abaa8a3579d720ffd398c9c1553acf0bd1006e0669ad
SHA512 79d0f371422260900b1fa58e181e49acd87bc7702046d89617d2e0aae09b53d46a6e4f41f8479cab328bf91f5e433ddad1eb49ecdb8632a137c050e74e5feb45

\??\c:\programdata\application data\storm\update\%sessionname%\ykoyp.cc3

MD5 967bfc2fa95301a79477367758ad6a75
SHA1 027215abb48f7108d3e3b0931d1e31fd0cebb1f7
SHA256 d8c54f8acf22f245394b3e75ce818e34b1a1c977851c37ac8376e7261d09f614
SHA512 b0fab39e2901a1b4634cba6d9bf85603ac2017ff2fd50b1f070d5290c2b8d9fd79366b83e668ab0ce20c7347eedcbb319f4511c9f411e48291eb8a96e1e31ee3

memory/2944-13-0x0000000000120000-0x0000000000121000-memory.dmp