Malware Analysis Report

2024-10-24 17:01

Sample ID 240619-yatwpasgnj
Target 002a502e8e540c416958e6888d27ff3b_JaffaCakes118
SHA256 baa97e88cc53dd0fed07abd7004167573add743f30cbd909deb266bffd2f9f58
Tags
gh0strat bootkit persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

baa97e88cc53dd0fed07abd7004167573add743f30cbd909deb266bffd2f9f58

Threat Level: Known bad

The file 002a502e8e540c416958e6888d27ff3b_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

gh0strat bootkit persistence rat

Gh0st RAT payload

Gh0strat

Sets service image path in registry

Server Software Component: Terminal Services DLL

Loads dropped DLL

Deletes itself

Writes to the Master Boot Record (MBR)

Drops file in Program Files directory

Unsigned PE

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-19 19:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 19:35

Reported

2024-06-19 19:37

Platform

win7-20240508-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\002a502e8e540c416958e6888d27ff3b_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Server Software Component: Terminal Services DLL

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\fastuserswitchingcompatibility\parameters\servicedll = "C:\\PROGRA~3\\DRM\\qtfxg.bmp" C:\Windows\SysWOW64\svchost.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\fastuserswitchingcompatibility\ImagePath = "%SystemRoot%\\System32\\svchost.exe -k netsvcs" C:\Windows\SysWOW64\svchost.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\svchost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~3\DRM\qtfxg.bmp C:\Users\Admin\AppData\Local\Temp\002a502e8e540c416958e6888d27ff3b_JaffaCakes118.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\svchost.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\002a502e8e540c416958e6888d27ff3b_JaffaCakes118.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\002a502e8e540c416958e6888d27ff3b_JaffaCakes118.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\002a502e8e540c416958e6888d27ff3b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\002a502e8e540c416958e6888d27ff3b_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs

Network

Country Destination Domain Proto
US 8.8.8.8:53 q474819843.3322.org udp
US 8.8.8.8:53 www.baidu.com udp
US 8.8.8.8:53 q474819843.3322.org udp
US 8.8.8.8:53 www.baidu.com udp
US 8.8.8.8:53 q474819843.3322.org udp
US 8.8.8.8:53 www.baidu.com udp

Files

\??\c:\progra~3\drm\qtfxg.bmp

MD5 295c0774a173abe5f8784d288d1ac0a8
SHA1 cbe73bc62cbc8128e1c8473302cb1fbb277be3b6
SHA256 d9ffb27333853e4bbb31234fb2327c95f8999a79422cdd05f4eba0df664b4b3d
SHA512 5d57d3c5b53ae4a32523dbca051420ae443458539b10a57b726669d8f7cea8ec89de1bc523f0d8ad4fe75255b7921987d237403176974b59339b0d358dae716a

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 19:35

Reported

2024-06-19 19:37

Platform

win10v2004-20240611-en

Max time kernel

138s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\002a502e8e540c416958e6888d27ff3b_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Server Software Component: Terminal Services DLL

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\fastuserswitchingcompatibility\parameters\servicedll = "C:\\PROGRA~3\\DRM\\htjux.bmp" C:\Windows\SysWOW64\svchost.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\fastuserswitchingcompatibility\ImagePath = "%SystemRoot%\\System32\\svchost.exe -k netsvcs" C:\Windows\SysWOW64\svchost.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\svchost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~3\DRM\htjux.bmp C:\Users\Admin\AppData\Local\Temp\002a502e8e540c416958e6888d27ff3b_JaffaCakes118.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\svchost.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7" C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\002a502e8e540c416958e6888d27ff3b_JaffaCakes118.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\002a502e8e540c416958e6888d27ff3b_JaffaCakes118.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\002a502e8e540c416958e6888d27ff3b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\002a502e8e540c416958e6888d27ff3b_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2732,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=4168 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 q474819843.3322.org udp
US 8.8.8.8:53 www.baidu.com udp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 q474819843.3322.org udp
US 8.8.8.8:53 www.baidu.com udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 q474819843.3322.org udp
US 8.8.8.8:53 www.baidu.com udp

Files

\??\c:\progra~3\drm\htjux.bmp

MD5 295c0774a173abe5f8784d288d1ac0a8
SHA1 cbe73bc62cbc8128e1c8473302cb1fbb277be3b6
SHA256 d9ffb27333853e4bbb31234fb2327c95f8999a79422cdd05f4eba0df664b4b3d
SHA512 5d57d3c5b53ae4a32523dbca051420ae443458539b10a57b726669d8f7cea8ec89de1bc523f0d8ad4fe75255b7921987d237403176974b59339b0d358dae716a