Malware Analysis Report

2024-09-22 14:56

Sample ID: 240618-lktbpaxfqb
Target: f12255933332776b545b09cba517c5dd524e9f32b71428b49c6f0fb934fecae5
SHA256: f12255933332776b545b09cba517c5dd524e9f32b71428b49c6f0fb934fecae5
Tags: gh0strat purplefox persistence rat rootkit trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: f12255933332776b545b09cba517c5dd524e9f32b71428b49c6f0fb934fecae5

Threat Level: Known bad

The file f12255933332776b545b09cba517c5dd524e9f32b71428b49c6f0fb934fecae5 was found to be: Known bad.

Malicious Activity Summary

gh0strat purplefox persistence rat rootkit trojan

Detect PurpleFox Rootkit

PurpleFox

Gh0st RAT payload

Gh0strat

Drops file in Drivers directory

Sets service image path in registry

Deletes itself

Loads dropped DLL

Executes dropped EXE

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

Suspicious behavior: LoadsDriver

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-18 09:35

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-18 09:35
Reported: 2024-06-18 09:38
Platform: win10v2004-20240508-en
Max time kernel: 147s
Max time network: 160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f12255933332776b545b09cba517c5dd524e9f32b71428b49c6f0fb934fecae5.exe"

Signatures

Detect PurpleFox Rootkit

rootkit
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Gh0st RAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Gh0strat

rat gh0strat

PurpleFox

rootkit trojan purplefox

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\drivers\QAssist.sys | C:\Program Files (x86)\Google\Skcsk.exe | N/A

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | C:\Program Files (x86)\Google\Skcsk.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Google\Skcsk.exe | N/A
N/A | N/A | C:\Program Files (x86)\Google\Skcsk.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Google\Skcsk.exe | C:\Users\Admin\AppData\Local\Temp\f12255933332776b545b09cba517c5dd524e9f32b71428b49c6f0fb934fecae5.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Skcsk.exe | C:\Users\Admin\AppData\Local\Temp\f12255933332776b545b09cba517c5dd524e9f32b71428b49c6f0fb934fecae5.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Google\Skcsk.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f12255933332776b545b09cba517c5dd524e9f32b71428b49c6f0fb934fecae5.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Program Files (x86)\Google\Skcsk.exe | N/A
Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege) | N/A | C:\Program Files (x86)\Google\Skcsk.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Program Files (x86)\Google\Skcsk.exe | N/A
Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege) | N/A | C:\Program Files (x86)\Google\Skcsk.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Program Files (x86)\Google\Skcsk.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f12255933332776b545b09cba517c5dd524e9f32b71428b49c6f0fb934fecae5.exe

"C:\Users\Admin\AppData\Local\Temp\f12255933332776b545b09cba517c5dd524e9f32b71428b49c6f0fb934fecae5.exe"

C:\Program Files (x86)\Google\Skcsk.exe

"C:\Program Files (x86)\Google\Skcsk.exe" -auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\F12255~1.EXE > nul

C:\Program Files (x86)\Google\Skcsk.exe

"C:\Program Files (x86)\Google\Skcsk.exe" -acsi

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
CN | 47.95.171.79:7771 | | tcp
CN | 47.95.171.79:7771 | | tcp
CN | 47.95.171.79:7771 | | tcp
CN | 47.95.171.79:7771 | | tcp
CN | 47.95.171.79:7771 | | tcp
CN | 47.95.171.79:7771 | | tcp
CN | 47.95.171.79:7771 | | tcp

Files

memory/1896-0-0x0000000010000000-0x000000001019F000-memory.dmp

C:\Program Files (x86)\Google\Skcsk.exe

MD5 47554cb3f9f01198cceb8ffdef2023c6
SHA1 595203b8f1a55ece0dde032e42aa8104538b1561
SHA256 f12255933332776b545b09cba517c5dd524e9f32b71428b49c6f0fb934fecae5
SHA512 6cc5c6640dc0b4e6a567883178ff91167aa6e8c0bdbcad8f151701783b209ef92de6d0c70e6f4382e58d3c9b46ac8a0292b3feb2fee2e52a6180c14949865995

memory/2772-10-0x0000000010000000-0x000000001019F000-memory.dmp

memory/3176-17-0x0000000010000000-0x000000001019F000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-18 09:35
Reported: 2024-06-18 09:38
Platform: win7-20240221-en
Max time kernel: 145s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f12255933332776b545b09cba517c5dd524e9f32b71428b49c6f0fb934fecae5.exe"

Signatures

Detect PurpleFox Rootkit

rootkit
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Gh0st RAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Gh0strat

rat gh0strat

PurpleFox

rootkit trojan purplefox

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\drivers\QAssist.sys | C:\Program Files (x86)\Google\Skcsk.exe | N/A

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | C:\Program Files (x86)\Google\Skcsk.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Google\Skcsk.exe | N/A
N/A | N/A | C:\Program Files (x86)\Google\Skcsk.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Google\Skcsk.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Google\Skcsk.exe | C:\Users\Admin\AppData\Local\Temp\f12255933332776b545b09cba517c5dd524e9f32b71428b49c6f0fb934fecae5.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Skcsk.exe | C:\Users\Admin\AppData\Local\Temp\f12255933332776b545b09cba517c5dd524e9f32b71428b49c6f0fb934fecae5.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Google\Skcsk.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f12255933332776b545b09cba517c5dd524e9f32b71428b49c6f0fb934fecae5.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Program Files (x86)\Google\Skcsk.exe | N/A
Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege) | N/A | C:\Program Files (x86)\Google\Skcsk.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Program Files (x86)\Google\Skcsk.exe | N/A
Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege) | N/A | C:\Program Files (x86)\Google\Skcsk.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Program Files (x86)\Google\Skcsk.exe | N/A
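Taken one at a time, the signatures above that describe the driver install (Drops file in Drivers directory, Sets service image path in registry, AdjustPrivilegeToken with SeLoadDriverPrivilege, and Suspicious behavior: LoadsDriver) are noisy: legitimate installers also write .sys files and service keys. What marks the PurpleFox chain is a single process, Skcsk.exe, doing all four for the same file, with the registry ImagePath written as a path relative to the system root (system32\DRIVERS\QAssist.sys). The Python below is an added example written for this report, not code from the sandbox vendor or from the sample. It correlates events of the shape shown in the tables above; the QAssist event dicts are constructed from this report, the Tcpip row is an assumed benign control, and the path normalizer goes beyond the page by also handling the \SystemRoot\, %SystemRoot% and \??\ forms an ImagePath can take.

```python
import ntpath
import re

SKCSK = r"C:\Program Files (x86)\Google\Skcsk.exe"

# Constructed events in the shape of this report's signature rows. The four
# QAssist rows are the ones recorded above; the Tcpip row is an assumed benign
# control (an in-box driver whose ImagePath is rewritten but never dropped).
EVENTS = [
    {"type": "file_created", "process": SKCSK,
     "path": r"C:\Windows\system32\drivers\QAssist.sys"},
    {"type": "registry_set", "process": SKCSK,
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath",
     "value": r"system32\DRIVERS\QAssist.sys"},
    {"type": "privilege", "process": SKCSK, "name": "SeLoadDriverPrivilege"},
    {"type": "driver_load", "process": SKCSK},
    {"type": "registry_set", "process": r"C:\Windows\System32\svchost.exe",
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\ImagePath",
     "value": r"\SystemRoot\System32\drivers\tcpip.sys"},
]

SERVICE_KEY_RE = re.compile(r"\\services\\([^\\]+)\\imagepath$", re.I)


def normalize_image_path(value: str, system_root: str = r"C:\Windows") -> str:
    r"""Resolve the forms an ImagePath takes (bare system32\..., \SystemRoot\...,
    %SystemRoot%\..., \??\C:\...) to one absolute, lower-cased path."""
    v = value.strip().strip('"')
    for prefix in ("\\??\\", "\\\\?\\"):
        if v.startswith(prefix):
            v = v[len(prefix):]
    low = v.lower()
    if low.startswith("\\systemroot\\"):
        v = system_root + v[len("\\systemroot"):]
    elif low.startswith("%systemroot%\\"):
        v = system_root + v[len("%systemroot%"):]
    elif not re.match(r"[a-z]:\\", low):
        v = system_root + "\\" + v  # relative to the system root, as QAssist's is
    return ntpath.normpath(v).lower()


def correlate_driver_install(events, system_root: str = r"C:\Windows"):
    """Join ImagePath writes with driver drops, SeLoadDriverPrivilege and driver
    loads by the same process. One process doing all of it for the same .sys
    is the install chain this report shows; an ImagePath write alone is not."""
    drivers_dir = ntpath.normpath(system_root + r"\system32\drivers").lower()
    dropped = {}  # normalized .sys path -> process that created it
    for e in events:
        if e["type"] == "file_created":
            p = normalize_image_path(e["path"], system_root)
            if ntpath.dirname(p) == drivers_dir:
                dropped[p] = e["process"]
    load_priv = {e["process"] for e in events
                 if e["type"] == "privilege" and e["name"] == "SeLoadDriverPrivilege"}
    loaded = {e["process"] for e in events if e["type"] == "driver_load"}

    findings = []
    for e in events:
        if e["type"] != "registry_set":
            continue
        m = SERVICE_KEY_RE.search(e["key"])
        if not m:
            continue
        target = normalize_image_path(e["value"], system_root)
        signals = {"imagepath_set"}
        if dropped.get(target) == e["process"]:
            signals.add("dropped_own_driver")
        elif target in dropped:
            signals.add("dropped_by_other_process")
        if e["process"] in load_priv:
            signals.add("seloaddriverprivilege")
        if e["process"] in loaded:
            signals.add("driver_loaded")
        chain = {"dropped_own_driver", "driver_loaded"} <= signals
        findings.append({
            "service": m.group(1), "process": e["process"], "image": target,
            "signals": sorted(signals),
            "verdict": "driver-install-chain" if chain else "imagepath-only",
        })
    return findings


if __name__ == "__main__":
    for f in correlate_driver_install(EVENTS):
        print(f["verdict"], f["service"], f["image"], f["signals"])
```

On this report's events the QAssist finding carries all four signals and the verdict driver-install-chain; the assumed Tcpip write is left at imagepath-only. The same join works on Sysmon Event ID 11 (file create), 13 (registry value set) and 6 (driver loaded) records once the process field is filled in.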

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3032 wrote to memory of 2568 | N/A | C:\Program Files (x86)\Google\Skcsk.exe | C:\Program Files (x86)\Google\Skcsk.exe
PID 3032 wrote to memory of 2568 | N/A | C:\Program Files (x86)\Google\Skcsk.exe | C:\Program Files (x86)\Google\Skcsk.exe
PID 3032 wrote to memory of 2568 | N/A | C:\Program Files (x86)\Google\Skcsk.exe | C:\Program Files (x86)\Google\Skcsk.exe
PID 3032 wrote to memory of 2568 | N/A | C:\Program Files (x86)\Google\Skcsk.exe | C:\Program Files (x86)\Google\Skcsk.exe
PID 1900 wrote to memory of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\f12255933332776b545b09cba517c5dd524e9f32b71428b49c6f0fb934fecae5.exe | C:\Windows\SysWOW64\cmd.exe
PID 1900 wrote to memory of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\f12255933332776b545b09cba517c5dd524e9f32b71428b49c6f0fb934fecae5.exe | C:\Windows\SysWOW64\cmd.exe
PID 1900 wrote to memory of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\f12255933332776b545b09cba517c5dd524e9f32b71428b49c6f0fb934fecae5.exe | C:\Windows\SysWOW64\cmd.exe
PID 1900 wrote to memory of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\f12255933332776b545b09cba517c5dd524e9f32b71428b49c6f0fb934fecae5.exe | C:\Windows\SysWOW64\cmd.exe
PID 2720 wrote to memory of 2388 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2720 wrote to memory of 2388 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2720 wrote to memory of 2388 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2720 wrote to memory of 2388 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\f12255933332776b545b09cba517c5dd524e9f32b71428b49c6f0fb934fecae5.exe

"C:\Users\Admin\AppData\Local\Temp\f12255933332776b545b09cba517c5dd524e9f32b71428b49c6f0fb934fecae5.exe"

C:\Program Files (x86)\Google\Skcsk.exe

"C:\Program Files (x86)\Google\Skcsk.exe" -auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\F12255~1.EXE > nul

C:\Program Files (x86)\Google\Skcsk.exe

"C:\Program Files (x86)\Google\Skcsk.exe" -acsi

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1
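Both runs spawn the same cleanup command (cmd.exe /c ping -n 2 127.0.0.1 > nul && del ...\F12255~1.EXE > nul), yet only this Windows 7 run raised the "Deletes itself" signature; the Windows 10 run recorded the identical process tree without it. A detector keyed on the command line catches the pattern on either platform, and the 8.3 short name in the del argument can be resolved back to the parent's own image to tell a self-delete from any other delayed delete. The Python below is an added example written for this report, not code from the sandbox vendor or from the sample. The event tuples are constructed from the process tree above (PIDs 1900, 2720 and 2388 are the ones this report gives for the Windows 7 run; the sample's parent PID 1234 and the two benign cmd.exe events are assumed), and the detector goes beyond the page by also accepting timeout-based delays and the erase alias of del.

```python
import ntpath
import re

# Constructed process-creation events (pid, parent_pid, image, command_line),
# the shape a Sysmon Event ID 1 or EDR feed delivers. The command lines and
# PIDs 1900/2720/2388 come from this report's Windows 7 run; the sample's
# parent PID 1234 and the two trailing benign events are assumed.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\f12255933332776b545b09cba517c5dd524e9f32b71428b49c6f0fb934fecae5.exe")
SKCSK = r"C:\Program Files (x86)\Google\Skcsk.exe"
EVENTS = [
    (1900, 1234, SAMPLE, f'"{SAMPLE}"'),
    (3032, 1900, SKCSK, f'"{SKCSK}" -auto'),
    (2720, 1900, r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul"
     r" && del C:\Users\Admin\AppData\Local\Temp\F12255~1.EXE > nul"),
    (2388, 2720, r"C:\Windows\SysWOW64\PING.EXE", "ping -n 2 127.0.0.1"),
    # Benign admin activity that must not fire: a real ping, a plain delete.
    (4100, 4000, r"C:\Windows\System32\cmd.exe",
     r"cmd.exe /c ping -n 4 10.0.0.5 > out.txt"),
    (4200, 4000, r"C:\Windows\System32\cmd.exe",
     r"cmd.exe /c del /q C:\Users\Admin\Downloads\old.log"),
]

# The delay primitive: ping against loopback (cmd's stand-in for sleep) or timeout.
DELAY_RE = re.compile(
    r"\bping\b[^&|]*?(?:127\.0\.0\.1|localhost)\b|\btimeout\b(?:\s+/t)?\s+\d+", re.I)
# del/erase with optional switches; the path runs up to a redirect or operator.
DEL_RE = re.compile(
    r"\b(?:del|erase)\b(?:\s+/[a-z])*\s+\"?(?P<path>[^\"&|><]+?)\"?\s*(?:[>&|]|$)", re.I)


def short_name_matches(short_path: str, long_path: str) -> bool:
    """True if short_path names the same file as long_path, allowing an 8.3
    alias (first six stem characters, '~', a digit; spaces and dots dropped)."""
    s_dir, s_name = ntpath.split(short_path)
    l_dir, l_name = ntpath.split(long_path)
    if s_dir.lower() != l_dir.lower():
        return False
    if s_name.lower() == l_name.lower():
        return True
    s_stem, s_ext = ntpath.splitext(s_name)
    l_stem, l_ext = ntpath.splitext(l_name)
    if s_ext.lower()[:4] != l_ext.lower()[:4]:
        return False
    m = re.fullmatch(r"([^~]{1,6})~\d+", s_stem)
    if not m:
        return False
    l_stem_83 = l_stem.replace(" ", "").replace(".", "").lower()
    return l_stem_83.startswith(m.group(1).lower())


def detect_self_delete(events):
    """Flag cmd.exe instances that sleep via ping/timeout and then delete a file.
    If the deleted file resolves to the parent's own image (F12255~1.EXE is the
    sample in Temp), the verdict is self-delete; otherwise delayed-delete."""
    by_pid = {e[0]: e for e in events}
    hits = []
    for pid, ppid, image, cmdline in events:
        if ntpath.basename(image).lower() != "cmd.exe":
            continue
        if not DELAY_RE.search(cmdline):
            continue
        m = DEL_RE.search(cmdline)
        if not m:
            continue
        target = m.group("path").strip()
        parent = by_pid.get(ppid)
        own_image = parent is not None and short_name_matches(target, parent[2])
        hits.append({
            "pid": pid, "parent_pid": ppid,
            "parent_image": parent[2] if parent else None,
            "deleted": target,
            "verdict": "self-delete" if own_image else "delayed-delete",
        })
    return hits


if __name__ == "__main__":
    for hit in detect_self_delete(EVENTS):
        print(hit)
```

On the constructed events only PID 2720 fires, with verdict self-delete, because F12255~1.EXE in the same Temp directory is the 8.3 alias of the sample's long file name. The two benign commands (a ping to a real host, a del without a delay) do not match, which is the point of requiring both halves of the pattern rather than alerting on every ping -n.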

Network

Country | Destination | Domain | Proto
CN | 47.95.171.79:7771 | | tcp
CN | 47.95.171.79:7771 | | tcp
CN | 47.95.171.79:7771 | | tcp
CN | 47.95.171.79:7771 | | tcp
CN | 47.95.171.79:7771 | | tcp
CN | 47.95.171.79:7771 | | tcp
CN | 47.95.171.79:7771 | | tcp

Files

memory/1900-0-0x0000000010000000-0x000000001019F000-memory.dmp

C:\Program Files (x86)\Google\Skcsk.exe

MD5 47554cb3f9f01198cceb8ffdef2023c6
SHA1 595203b8f1a55ece0dde032e42aa8104538b1561
SHA256 f12255933332776b545b09cba517c5dd524e9f32b71428b49c6f0fb934fecae5
SHA512 6cc5c6640dc0b4e6a567883178ff91167aa6e8c0bdbcad8f151701783b209ef92de6d0c70e6f4382e58d3c9b46ac8a0292b3feb2fee2e52a6180c14949865995

memory/2568-18-0x0000000010000000-0x000000001019F000-memory.dmp