Malware Analysis Report

2024-10-24 17:01

Sample ID: 240619-1e2s7sxbql
Target: 009dfa5f6f8d806249c03e9d031866cb_JaffaCakes118
SHA256: 795dce5814389f1f04403f58aff53e9d65eb54088d61690dd5d0365c37bee5e6
Tags: gh0strat, rat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Threat Level: Known bad

The file 009dfa5f6f8d806249c03e9d031866cb_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Tags: gh0strat, rat

Gh0strat family
Gh0st RAT payload
Gh0strat
Deletes itself
Loads dropped DLL
Drops file in Program Files directory
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: LoadsDriver

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-19 21:34

Signatures

Gh0st RAT payload
Description Indicator Process Target
N/A N/A N/A N/A

Gh0strat family (tags: gh0strat)

Unsigned PE
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-19 21:34
Reported: 2024-06-19 21:37
Platform: win7-20240611-en
Max time kernel: 150s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\009dfa5f6f8d806249c03e9d031866cb_JaffaCakes118.exe"

Signatures

Gh0st RAT payload
Description Indicator Process Target
N/A N/A N/A N/A
(the row above is repeated 4 times in the report)

Gh0strat (tags: rat, gh0strat)

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Uqrs\Aqrstuvwx.bmp C:\Users\Admin\AppData\Local\Temp\009dfa5f6f8d806249c03e9d031866cb_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Uqrs\Aqrstuvwx.bmp C:\Users\Admin\AppData\Local\Temp\009dfa5f6f8d806249c03e9d031866cb_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
(the row above is repeated 64 times in the report)

Processes

C:\Users\Admin\AppData\Local\Temp\009dfa5f6f8d806249c03e9d031866cb_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\009dfa5f6f8d806249c03e9d031866cb_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe
  C:\Windows\SysWOW64\svchost.exe -k imgsvc

Network

Country Destination Domain Proto
US 8.8.8.8:53 balfhvniu.oicp.net udp

Files

C:\Program Files (x86)\Uqrs\Aqrstuvwx.bmp

MD5 f0bb3c311db8c4cb221dedaa57f582dd
SHA1 0d5b66a7279c330bb1cc4bc59df8f8bdc08f282f
SHA256 144b1d2a94f49298a2e3d8dd7480192adece2f8604bf3ae9176d12959eaecb7f
SHA512 ca81b1ef65d29c3ab797e1928f16c356517a4288c4a3baacf83a2f1981844d3cc467a8ed981920b13a07f6988133efe8010c67ae23ad0759f4475d6f7f882f2a

\??\c:\program files (x86)\uqrs\aqrstuvwx.bmp

MD5 fcb99b70c7b158fcfe8a50af5301cfd7
SHA1 7f94c3b5a44521c8f17ba302de6c16167f857f5b
SHA256 5c13ccc72b5a1e880162bdbf95ca46f39156aa444f10420c71bf2cde2a930136
SHA512 6a2e1bcee671f3c0d2f4d5d74d9fee7d2fc64405ee67ae3509053d184b9bd51f12a9f551120c48ed312d481ca9b891f2cd05fc3ecdbb97646b5d48977034d10b

memory/1932-9-0x0000000010000000-0x0000000010028000-memory.dmp

C:\2050300.dll

MD5 3ba19d0b67c153989655eaf69aa56c16
SHA1 b92bf687122ecef4205b6a38cdd41670886d349c
SHA256 e6d8d16db4df48a6979770a37df36fe16fccce85fb5f222da6a76edaa4d94455
SHA512 f590fdc94392a32f9c83738141527710fe10482cc088595d647dc67b4169406fb0d0de86779064dca9f01d8ac09e85f54b972afd7f2f744bf043706d61f7652e

C:\WinWall32.gif

MD5 2939420f6265ad228002b597c540399e
SHA1 23fb301e7b3aa2a9ccaaf851e950b100817cea21
SHA256 3298b28ec11ee7ae64faf1461e0ffe58c40fc199137d20da4372cc0fb7e155be
SHA512 742d712a7988306bed196b4d5e2caf29bec557c9f2ae9c9a8278d150677919022ec6aaf4d30b44d36cdb64eafb84d26dd291f027d1a13573fe41565aed0bc84e

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-19 21:34
Reported: 2024-06-19 21:37
Platform: win10v2004-20240611-en
Max time kernel: 150s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\009dfa5f6f8d806249c03e9d031866cb_JaffaCakes118.exe"

Signatures

Gh0st RAT payload
Description Indicator Process Target
N/A N/A N/A N/A
(the row above is repeated 2 times in the report)

Gh0strat (tags: rat, gh0strat)

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Uqrs\Aqrstuvwx.bmp C:\Users\Admin\AppData\Local\Temp\009dfa5f6f8d806249c03e9d031866cb_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Uqrs\Aqrstuvwx.bmp C:\Users\Admin\AppData\Local\Temp\009dfa5f6f8d806249c03e9d031866cb_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
(the row above is repeated 64 times in the report)

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
(the row above is repeated 6 times in the report)

Processes

C:\Users\Admin\AppData\Local\Temp\009dfa5f6f8d806249c03e9d031866cb_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\009dfa5f6f8d806249c03e9d031866cb_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe
  C:\Windows\SysWOW64\svchost.exe -k imgsvc

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
BE 23.41.178.73:443 www.bing.com tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 73.178.41.23.in-addr.arpa udp
US 8.8.8.8:53 balfhvniu.oicp.net udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 balfhvniu.oicp.net udp
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 balfhvniu.oicp.net udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 balfhvniu.oicp.net udp

Files

C:\1193700.dll

MD5 3ba19d0b67c153989655eaf69aa56c16
SHA1 b92bf687122ecef4205b6a38cdd41670886d349c
SHA256 e6d8d16db4df48a6979770a37df36fe16fccce85fb5f222da6a76edaa4d94455
SHA512 f590fdc94392a32f9c83738141527710fe10482cc088595d647dc67b4169406fb0d0de86779064dca9f01d8ac09e85f54b972afd7f2f744bf043706d61f7652e

\??\c:\program files (x86)\uqrs\aqrstuvwx.bmp

MD5 00404d34965d36b8bf7a710212dab364
SHA1 12df3da635e2addbc2a27148b8ba32a24f407004
SHA256 833272aa01945ea5e277b96b2d0c5504854e4d796b40297935842a00ebd19908
SHA512 c2cb6ccf8fed1b94e28e0551dd45c25bb09bcb91a5c4e9c32bfccad6663db11bf2cd818bdb84e19b8abcba8373b321e0d74349405b34168d4263dca7bd570e00

C:\WinWall32.gif

MD5 b969039ae2d1718494adfd03aaf66c0f
SHA1 02fdec5293fbffeb669fa8e3d47018f24b35dc62
SHA256 5a7589ee54fc142fa8506799b2be556ea492bfb41470972926a3a76cef945d9f
SHA512 1aa20672525c7b45d742de8bd06e46417c0fda7fc25ec2f5a7200987325c63b3a77211e0d3354ee38df8c50c9276444f7646ba2149fd227af0af743b871f28e7