Analysis Overview
SHA256
337b2a2898f89d83eb9810385b6113b722dc71c9e7192876116ae9cf66797d22
Threat Level: Known bad
The file 9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Gh0strat
Gh0strat family
Gh0st RAT payload
UPX packed file
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Drops file in Windows directory
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-11 16:47
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Gh0strat family
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 16:47
Reported
2024-06-11 16:50
Platform
win7-20240419-en
Max time kernel
124s
Max time network
124s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2016 set thread context of 2600 | N/A | C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe | C:\Windows\SysWOW64\svchost.exe |
Drops file in Windows directory
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe
C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\Fonts\*.exe /e /d system
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | wmi.usa-138.com | udp |
| US | 8.8.8.8:53 | 4i7i.com | udp |
| US | 8.8.8.8:53 | wmi.usa-138.com | udp |
| US | 8.8.8.8:53 | wmi.usa-138.com | udp |
Files
memory/1968-0-0x0000000000400000-0x00000000005D3000-memory.dmp
\Windows\Microsoft.NET\Framework\aspnet_wp.exe
| Hash | Value |
|---|---|
| MD5 | 962026a01cc9c058822bfa108393eaaf |
| SHA1 | bdc766094cc240782e10a0dfec8d420f3420d42c |
| SHA256 | 48d8d3a80cd1ebc5fa2402a9e7c77fdb74782dd8d3d5291787266ab289f1a82b |
| SHA512 | f03986b1b3a0609f7ca999e07f58b6dc0504c767b5b98c60186c8c1f0f5b56b87207d5b8c165a2e103e803ccf32193e848c75875231dd94237d1501862e18e93 |
\Windows\Microsoft.NET\Framework\ETComm.dll
| Hash | Value |
|---|---|
| MD5 | 88d73a37ae35e3b049b908e7b28a5c39 |
| SHA1 | 2713a4bd792d0cb4afd6e3b43c7cfc2587989048 |
| SHA256 | a81f235483560d11f871351771f862cd52f1ab097a84e37163fb876ff5814f39 |
| SHA512 | 3d947b28c15b930c9e7212e2dfed2a73fbd6139b5f52020b60735a3fc8f4f1d82e5a0b41a7ce78839e48698437cf07c1485ef61605e461a3768250d71b233da5 |
memory/2600-15-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Windows\Microsoft.NET\Framework\ETComm_New.dll
| Hash | Value |
|---|---|
| MD5 | 5a8088a81ca60f7d6b52dafef8106352 |
| SHA1 | 91038034b8a3087d2b3b03c4240c1a84c1e6fd4e |
| SHA256 | a558403de957fb3ce765f5fab272db6d65b443ddfdc233ff1269dbe996a666dd |
| SHA512 | de4818b3221d16b062a0662313d86ceaa36312db0b99f7c4ceec496d3aaf2c89943182b590875185a410f97e272660660df6684a53717225ef2c5cbb49abd624 |
memory/2016-37-0x0000000010000000-0x00000000100EB000-memory.dmp
memory/2600-36-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2600-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2600-26-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2600-22-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2600-19-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2600-17-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2016-14-0x0000000010000000-0x00000000100EB000-memory.dmp
memory/1968-38-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/1968-39-0x0000000000400000-0x00000000005D3000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 16:47
Reported
2024-06-11 16:50
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4988 set thread context of 228 | N/A | C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe | C:\Windows\SysWOW64\svchost.exe |
Drops file in Windows directory
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9edd0f7c7b63ad8b06e76d577cac71f6_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe
C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe
C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\Fonts\*.exe /e /d system
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | wmi.usa-138.com | udp |
| US | 8.8.8.8:53 | 4i7i.com | udp |
| HK | 203.124.11.99:80 | 4i7i.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wmi.usa-138.com | udp |
| US | 8.8.8.8:53 | 211.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wmi.usa-138.com | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wmi.usa-138.com | udp |
| US | 8.8.8.8:53 | 7.173.189.20.in-addr.arpa | udp |
Files
memory/540-0-0x0000000000400000-0x00000000005D3000-memory.dmp
C:\Windows\Microsoft.NET\Framework\aspnet_wp.exe
| Hash | Value |
|---|---|
| MD5 | 962026a01cc9c058822bfa108393eaaf |
| SHA1 | bdc766094cc240782e10a0dfec8d420f3420d42c |
| SHA256 | 48d8d3a80cd1ebc5fa2402a9e7c77fdb74782dd8d3d5291787266ab289f1a82b |
| SHA512 | f03986b1b3a0609f7ca999e07f58b6dc0504c767b5b98c60186c8c1f0f5b56b87207d5b8c165a2e103e803ccf32193e848c75875231dd94237d1501862e18e93 |
C:\Windows\Microsoft.NET\Framework\ETComm.dll
| Hash | Value |
|---|---|
| MD5 | 88d73a37ae35e3b049b908e7b28a5c39 |
| SHA1 | 2713a4bd792d0cb4afd6e3b43c7cfc2587989048 |
| SHA256 | a81f235483560d11f871351771f862cd52f1ab097a84e37163fb876ff5814f39 |
| SHA512 | 3d947b28c15b930c9e7212e2dfed2a73fbd6139b5f52020b60735a3fc8f4f1d82e5a0b41a7ce78839e48698437cf07c1485ef61605e461a3768250d71b233da5 |
memory/4988-13-0x0000000010000000-0x00000000100EB000-memory.dmp
C:\Windows\Microsoft.NET\Framework\ETComm.dll
| Hash | Value |
|---|---|
| MD5 | 772489c1a202bb5430de2460f82dc8ee |
| SHA1 | 35b7dda980e4f54a9d86015fda6023301a41787a |
| SHA256 | 26c805ddcd223e867fb915401b567d057980fb5b06bd9b9bc7bd77bee354f261 |
| SHA512 | 7544421da95ed6174ff0d63428faaba851a0af9c7988c465cb975cbafe421c5b2b22f5fda637755ba4bcc3bdc658a8696afbcaa8763af9e409dcbaa486d0a130 |
memory/228-23-0x0000000000400000-0x0000000000409000-memory.dmp
memory/228-16-0x0000000000400000-0x0000000000409000-memory.dmp
memory/228-15-0x0000000000400000-0x0000000000409000-memory.dmp
memory/228-14-0x0000000000400000-0x0000000000409000-memory.dmp
memory/4988-25-0x0000000010000000-0x00000000100EB000-memory.dmp
memory/540-26-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/540-28-0x0000000000400000-0x00000000005D3000-memory.dmp