Analysis Overview
SHA256
795dce5814389f1f04403f58aff53e9d65eb54088d61690dd5d0365c37bee5e6
Threat Level: Known bad
The file 009dfa5f6f8d806249c03e9d031866cb_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Gh0strat family
Gh0st RAT payload
Gh0strat
Deletes itself
Loads dropped DLL
Drops file in Program Files directory
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: LoadsDriver
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-19 21:34
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Gh0strat family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-19 21:34
Reported
2024-06-19 21:37
Platform
win7-20240611-en
Max time kernel
150s
Max time network
121s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files (x86)\Uqrs\Aqrstuvwx.bmp | C:\Users\Admin\AppData\Local\Temp\009dfa5f6f8d806249c03e9d031866cb_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Uqrs\Aqrstuvwx.bmp | C:\Users\Admin\AppData\Local\Temp\009dfa5f6f8d806249c03e9d031866cb_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\009dfa5f6f8d806249c03e9d031866cb_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\009dfa5f6f8d806249c03e9d031866cb_JaffaCakes118.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\009dfa5f6f8d806249c03e9d031866cb_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\009dfa5f6f8d806249c03e9d031866cb_JaffaCakes118.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\009dfa5f6f8d806249c03e9d031866cb_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\009dfa5f6f8d806249c03e9d031866cb_JaffaCakes118.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\009dfa5f6f8d806249c03e9d031866cb_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\009dfa5f6f8d806249c03e9d031866cb_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\009dfa5f6f8d806249c03e9d031866cb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\009dfa5f6f8d806249c03e9d031866cb_JaffaCakes118.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | balfhvniu.oicp.net | udp |
Files
C:\Program Files (x86)\Uqrs\Aqrstuvwx.bmp
| Hash | Value |
|---|---|
| MD5 | f0bb3c311db8c4cb221dedaa57f582dd |
| SHA1 | 0d5b66a7279c330bb1cc4bc59df8f8bdc08f282f |
| SHA256 | 144b1d2a94f49298a2e3d8dd7480192adece2f8604bf3ae9176d12959eaecb7f |
| SHA512 | ca81b1ef65d29c3ab797e1928f16c356517a4288c4a3baacf83a2f1981844d3cc467a8ed981920b13a07f6988133efe8010c67ae23ad0759f4475d6f7f882f2a |
\??\c:\program files (x86)\uqrs\aqrstuvwx.bmp
| Hash | Value |
|---|---|
| MD5 | fcb99b70c7b158fcfe8a50af5301cfd7 |
| SHA1 | 7f94c3b5a44521c8f17ba302de6c16167f857f5b |
| SHA256 | 5c13ccc72b5a1e880162bdbf95ca46f39156aa444f10420c71bf2cde2a930136 |
| SHA512 | 6a2e1bcee671f3c0d2f4d5d74d9fee7d2fc64405ee67ae3509053d184b9bd51f12a9f551120c48ed312d481ca9b891f2cd05fc3ecdbb97646b5d48977034d10b |
memory/1932-9-0x0000000010000000-0x0000000010028000-memory.dmp
C:\2050300.dll
| Hash | Value |
|---|---|
| MD5 | 3ba19d0b67c153989655eaf69aa56c16 |
| SHA1 | b92bf687122ecef4205b6a38cdd41670886d349c |
| SHA256 | e6d8d16db4df48a6979770a37df36fe16fccce85fb5f222da6a76edaa4d94455 |
| SHA512 | f590fdc94392a32f9c83738141527710fe10482cc088595d647dc67b4169406fb0d0de86779064dca9f01d8ac09e85f54b972afd7f2f744bf043706d61f7652e |
C:\WinWall32.gif
| Hash | Value |
|---|---|
| MD5 | 2939420f6265ad228002b597c540399e |
| SHA1 | 23fb301e7b3aa2a9ccaaf851e950b100817cea21 |
| SHA256 | 3298b28ec11ee7ae64faf1461e0ffe58c40fc199137d20da4372cc0fb7e155be |
| SHA512 | 742d712a7988306bed196b4d5e2caf29bec557c9f2ae9c9a8278d150677919022ec6aaf4d30b44d36cdb64eafb84d26dd291f027d1a13573fe41565aed0bc84e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-19 21:34
Reported
2024-06-19 21:37
Platform
win10v2004-20240611-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\009dfa5f6f8d806249c03e9d031866cb_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Program Files (x86)\Uqrs\Aqrstuvwx.bmp | C:\Users\Admin\AppData\Local\Temp\009dfa5f6f8d806249c03e9d031866cb_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Uqrs\Aqrstuvwx.bmp | C:\Users\Admin\AppData\Local\Temp\009dfa5f6f8d806249c03e9d031866cb_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\009dfa5f6f8d806249c03e9d031866cb_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\009dfa5f6f8d806249c03e9d031866cb_JaffaCakes118.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\009dfa5f6f8d806249c03e9d031866cb_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\009dfa5f6f8d806249c03e9d031866cb_JaffaCakes118.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\009dfa5f6f8d806249c03e9d031866cb_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\009dfa5f6f8d806249c03e9d031866cb_JaffaCakes118.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\009dfa5f6f8d806249c03e9d031866cb_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\009dfa5f6f8d806249c03e9d031866cb_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\009dfa5f6f8d806249c03e9d031866cb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\009dfa5f6f8d806249c03e9d031866cb_JaffaCakes118.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| BE | 23.41.178.73:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.178.41.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | balfhvniu.oicp.net | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | balfhvniu.oicp.net | udp |
| US | 8.8.8.8:53 | 97.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | balfhvniu.oicp.net | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | balfhvniu.oicp.net | udp |
Files
C:\1193700.dll
| Hash | Value |
|---|---|
| MD5 | 3ba19d0b67c153989655eaf69aa56c16 |
| SHA1 | b92bf687122ecef4205b6a38cdd41670886d349c |
| SHA256 | e6d8d16db4df48a6979770a37df36fe16fccce85fb5f222da6a76edaa4d94455 |
| SHA512 | f590fdc94392a32f9c83738141527710fe10482cc088595d647dc67b4169406fb0d0de86779064dca9f01d8ac09e85f54b972afd7f2f744bf043706d61f7652e |
\??\c:\program files (x86)\uqrs\aqrstuvwx.bmp
| Hash | Value |
|---|---|
| MD5 | 00404d34965d36b8bf7a710212dab364 |
| SHA1 | 12df3da635e2addbc2a27148b8ba32a24f407004 |
| SHA256 | 833272aa01945ea5e277b96b2d0c5504854e4d796b40297935842a00ebd19908 |
| SHA512 | c2cb6ccf8fed1b94e28e0551dd45c25bb09bcb91a5c4e9c32bfccad6663db11bf2cd818bdb84e19b8abcba8373b321e0d74349405b34168d4263dca7bd570e00 |
C:\WinWall32.gif
| Hash | Value |
|---|---|
| MD5 | b969039ae2d1718494adfd03aaf66c0f |
| SHA1 | 02fdec5293fbffeb669fa8e3d47018f24b35dc62 |
| SHA256 | 5a7589ee54fc142fa8506799b2be556ea492bfb41470972926a3a76cef945d9f |
| SHA512 | 1aa20672525c7b45d742de8bd06e46417c0fda7fc25ec2f5a7200987325c63b3a77211e0d3354ee38df8c50c9276444f7646ba2149fd227af0af743b871f28e7 |