Analysis Overview
SHA256
27743fd79ec833b2127843863c3e0f8a7c994b3a885bea6293b49c63c3e5c81e
Threat Level: Known bad
The file 85dd025dfba86a8d33d3523d60a684c9_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Gh0strat
Gh0st RAT payload
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Program Files directory
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
| Reported | 2024-05-31 03:32 |
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-05-31 03:32 |
| Reported | 2024-05-31 03:35 |
| Platform | win7-20240508-en |
| Max time kernel | 144s |
| Max time network | 134s |
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Dxpgzk\Envmfgi.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Dxpgzk\Envmfgi.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Dxpgzk\Envmfgi.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Dxpgzk\Envmfgi.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\85dd025dfba86a8d33d3523d60a684c9_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Microsoft Dxpgzk\Envmfgi.exe | C:\Users\Admin\AppData\Local\Temp\85dd025dfba86a8d33d3523d60a684c9_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Dxpgzk\Envmfgi.exe | C:\Users\Admin\AppData\Local\Temp\85dd025dfba86a8d33d3523d60a684c9_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Program Files (x86)\Microsoft Dxpgzk\Envmfgi.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Microsoft Dxpgzk\Envmfgi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\Microsoft Dxpgzk\Envmfgi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Program Files (x86)\Microsoft Dxpgzk\Envmfgi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Program Files (x86)\Microsoft Dxpgzk\Envmfgi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | C:\Program Files (x86)\Microsoft Dxpgzk\Envmfgi.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\85dd025dfba86a8d33d3523d60a684c9_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Microsoft Dxpgzk\Envmfgi.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Microsoft Dxpgzk\Envmfgi.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Microsoft Dxpgzk\Envmfgi.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Microsoft Dxpgzk\Envmfgi.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Microsoft Dxpgzk\Envmfgi.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\85dd025dfba86a8d33d3523d60a684c9_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\85dd025dfba86a8d33d3523d60a684c9_JaffaCakes118.exe" |
| C:\Program Files (x86)\Microsoft Dxpgzk\Envmfgi.exe | "C:\Program Files (x86)\Microsoft Dxpgzk\Envmfgi.exe" |
| C:\Program Files (x86)\Microsoft Dxpgzk\Envmfgi.exe | "C:\Program Files (x86)\Microsoft Dxpgzk\Envmfgi.exe" |
| C:\Program Files (x86)\Microsoft Dxpgzk\Envmfgi.exe | "C:\Program Files (x86)\Microsoft Dxpgzk\Envmfgi.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2652 -s 344 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | u.owwwc.com | udp |
Files
memory/1596-0-0x0000000000400000-0x000000000045E000-memory.dmp
memory/1596-1-0x0000000010000000-0x0000000010362000-memory.dmp
memory/1596-4-0x0000000010000000-0x0000000010362000-memory.dmp
memory/1596-5-0x0000000010000000-0x0000000010362000-memory.dmp
memory/1596-6-0x0000000010000000-0x0000000010362000-memory.dmp
memory/1596-7-0x0000000010000000-0x0000000010362000-memory.dmp
\Program Files (x86)\Microsoft Dxpgzk\Envmfgi.exe
| MD5 | 386c52cf34fef2b5b8886c1fb0c29db0 |
| SHA1 | 40e6fda7da1ffd97eb841387d1925ebafea21201 |
| SHA256 | 3a6862bd0abe49fbf862cfd4664793808d06cc826d3b7e64e2bf50372a4fc23f |
| SHA512 | cbd586d3d73fb52edb2cef85a00fbf1cc8ded5c3897643be1046f69c50f08f8aafb9c308691ff81da3ee70a98bfbde345bbc8137bc3f14192ad0fc2b6e99fdcc |
memory/1196-21-0x0000000000400000-0x000000000045E000-memory.dmp
memory/1596-16-0x0000000000400000-0x000000000045E000-memory.dmp
memory/1196-24-0x0000000010000000-0x0000000010362000-memory.dmp
memory/1196-23-0x0000000010000000-0x0000000010362000-memory.dmp
memory/1196-22-0x0000000010000000-0x0000000010362000-memory.dmp
memory/1196-17-0x0000000010000000-0x0000000010362000-memory.dmp
memory/2652-31-0x0000000010000000-0x0000000010362000-memory.dmp
memory/1196-33-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2992-43-0x0000000010000000-0x0000000010362000-memory.dmp
memory/2992-46-0x0000000010000000-0x0000000010362000-memory.dmp
memory/2652-49-0x0000000010000000-0x0000000010362000-memory.dmp
memory/2652-48-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2992-50-0x0000000000400000-0x000000000045E000-memory.dmp
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-05-31 03:32 |
| Reported | 2024-05-31 03:35 |
| Platform | win10v2004-20240426-en |
| Max time kernel | 143s |
| Max time network | 126s |
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\85dd025dfba86a8d33d3523d60a684c9_JaffaCakes118.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Dxpgzk\Envmfgi.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Dxpgzk\Envmfgi.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Dxpgzk\Envmfgi.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Dxpgzk\Envmfgi.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Dxpgzk\Envmfgi.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft Dxpgzk\Envmfgi.exe | C:\Users\Admin\AppData\Local\Temp\85dd025dfba86a8d33d3523d60a684c9_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Dxpgzk\Envmfgi.exe | C:\Users\Admin\AppData\Local\Temp\85dd025dfba86a8d33d3523d60a684c9_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Program Files (x86)\Microsoft Dxpgzk\Envmfgi.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\Microsoft Dxpgzk\Envmfgi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Program Files (x86)\Microsoft Dxpgzk\Envmfgi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Program Files (x86)\Microsoft Dxpgzk\Envmfgi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | C:\Program Files (x86)\Microsoft Dxpgzk\Envmfgi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Microsoft Dxpgzk\Envmfgi.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\85dd025dfba86a8d33d3523d60a684c9_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Microsoft Dxpgzk\Envmfgi.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Microsoft Dxpgzk\Envmfgi.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Microsoft Dxpgzk\Envmfgi.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Microsoft Dxpgzk\Envmfgi.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Microsoft Dxpgzk\Envmfgi.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Microsoft Dxpgzk\Envmfgi.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Microsoft Dxpgzk\Envmfgi.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\85dd025dfba86a8d33d3523d60a684c9_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\85dd025dfba86a8d33d3523d60a684c9_JaffaCakes118.exe" |
| C:\Program Files (x86)\Microsoft Dxpgzk\Envmfgi.exe | "C:\Program Files (x86)\Microsoft Dxpgzk\Envmfgi.exe" |
| C:\Program Files (x86)\Microsoft Dxpgzk\Envmfgi.exe | "C:\Program Files (x86)\Microsoft Dxpgzk\Envmfgi.exe" |
| C:\Program Files (x86)\Microsoft Dxpgzk\Envmfgi.exe | "C:\Program Files (x86)\Microsoft Dxpgzk\Envmfgi.exe" |
| C:\Program Files (x86)\Microsoft Dxpgzk\Envmfgi.exe | "C:\Program Files (x86)\Microsoft Dxpgzk\Envmfgi.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3980 -ip 3980 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 608 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | u.owwwc.com | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | u.owwwc.com | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | u.owwwc.com | udp |
| US | 8.8.8.8:53 | 16.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | u.owwwc.com | udp |
Files
memory/4140-0-0x0000000000400000-0x000000000045E000-memory.dmp
memory/4140-1-0x000000000045C000-0x000000000045D000-memory.dmp
memory/4140-2-0x0000000010000000-0x0000000010362000-memory.dmp
memory/4140-6-0x0000000010000000-0x0000000010362000-memory.dmp
memory/4140-7-0x0000000000400000-0x000000000045E000-memory.dmp
memory/4140-5-0x0000000010000000-0x0000000010362000-memory.dmp
C:\Program Files (x86)\Microsoft Dxpgzk\Envmfgi.exe
| MD5 | 386c52cf34fef2b5b8886c1fb0c29db0 |
| SHA1 | 40e6fda7da1ffd97eb841387d1925ebafea21201 |
| SHA256 | 3a6862bd0abe49fbf862cfd4664793808d06cc826d3b7e64e2bf50372a4fc23f |
| SHA512 | cbd586d3d73fb52edb2cef85a00fbf1cc8ded5c3897643be1046f69c50f08f8aafb9c308691ff81da3ee70a98bfbde345bbc8137bc3f14192ad0fc2b6e99fdcc |
memory/4140-22-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2668-26-0x0000000000400000-0x000000000045E000-memory.dmp
memory/3980-30-0x0000000000400000-0x000000000045E000-memory.dmp
memory/3980-31-0x0000000010000000-0x0000000010362000-memory.dmp
memory/3980-34-0x0000000010000000-0x0000000010362000-memory.dmp
memory/3980-35-0x0000000010000000-0x0000000010362000-memory.dmp
memory/1036-44-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2668-37-0x0000000000400000-0x000000000045E000-memory.dmp
memory/1648-46-0x0000000000400000-0x000000000045E000-memory.dmp
memory/1036-52-0x0000000010000000-0x0000000010362000-memory.dmp
memory/1036-53-0x0000000010000000-0x0000000010362000-memory.dmp
memory/1648-55-0x0000000000400000-0x000000000045E000-memory.dmp