Analysis Overview
SHA256: 6a552dc09ebd93d33e54831a3d0d1951b838a79df1e2d7c6fc73a1bbcb515ce4
Threat Level: Known bad
The file 0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Gh0strat family
Gh0st RAT payload
Gh0strat
Loads dropped DLL
Deletes itself
Drops file in Program Files directory
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported: 2024-06-19 20:03
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Gh0strat family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-06-19 20:03
Reported: 2024-06-19 20:06
Platform: win10v2004-20240508-en
Max time kernel: 150s
Max time network: 152s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files (x86)\Bwxy\Gwxyabcde.gif | C:\Users\Admin\AppData\Local\Temp\0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Bwxy\Gwxyabcde.gif | C:\Users\Admin\AppData\Local\Temp\0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 818771.3322.org | udp |
| US | 8.8.8.8:53 | 818771.3322.org | udp |
| US | 8.8.8.8:53 | 818771.3322.org | udp |
Files
C:\2950100.dll
| Hash | Value |
| --- | --- |
| MD5 | 756629819676fecd59d410cbd7e63ed2 |
| SHA1 | a774b4a83ecea402c90665c8de0875f2b6eebb1e |
| SHA256 | 598f949ae3d4007255c55c737eb61523007c49186da603104c4d824c8f6ad226 |
| SHA512 | 8022f0b383278fd744de569a149e9eef3395232a2f5762b2b66c5a8a788d1afb2147d2de58a11d58b35424e9469a1b238884b716efe53f1a05d11df1acaa2989 |
\??\c:\program files (x86)\bwxy\gwxyabcde.gif
| Hash | Value |
| --- | --- |
| MD5 | cb764cb38be5290fac82d044633034e4 |
| SHA1 | 5ff539693ba7664bb7551d2560187807de94401c |
| SHA256 | 793ff674e5dc233df1955043e82f44692dbcaf6939c24d326810340e215ecc6e |
| SHA512 | 2c9e2bb952ddc843c3cabdaf8652ceec2593f1e0bac7f480b8fb94e28fe7e641b587ac3cd9e6cd523935a16cc67039ef255bce916e294e5396c0863aed2b7d67 |
C:\WinWall32.gif
| Hash | Value |
| --- | --- |
| MD5 | 2c5cc22f8309bf5748f3ecaa4d9c2f44 |
| SHA1 | 3d0f86e7818e0f7ecc44ec71e915b6764d005812 |
| SHA256 | 3da8012a44195f6dc84cd220f229b09332836c40a7ab6e3ec062431fb2a421f3 |
| SHA512 | 2f7630eb2e2ff714efeab1fd4f017738bb732560e118ad8f78592dc2563c478ecbc2048bced898a8e0f89fa7d5bd7b5138ed2b9cb573778fb13d3d6a36752dc5 |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-19 20:03
Reported: 2024-06-19 20:06
Platform: win7-20240419-en
Max time kernel: 150s
Max time network: 136s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files (x86)\Bwxy\Gwxyabcde.gif | C:\Users\Admin\AppData\Local\Temp\0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Bwxy\Gwxyabcde.gif | C:\Users\Admin\AppData\Local\Temp\0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 818771.3322.org | udp |
Files
C:\Program Files (x86)\Bwxy\Gwxyabcde.gif
| Hash | Value |
| --- | --- |
| MD5 | f065dfec0f0f7433f7db441053cfedd0 |
| SHA1 | 1de022600cef1d2c0f1de30ed712176302953fcb |
| SHA256 | 69dccb4b21ff42c305f02dfa1b4031df51caf1fbcbfd5740e2401e3d759b4ddb |
| SHA512 | 0bd0062aea8887de7446dce1a8227e7abbdf30744c811cef3e12878512a8e1ca837a6bafe34dcd44a061d588460818315345a0b47a1ccdf760630f4fce00a9fe |
\??\c:\program files (x86)\bwxy\gwxyabcde.gif
| Hash | Value |
| --- | --- |
| MD5 | 2433c2f3efd9c757dc48bc8ae4bb9672 |
| SHA1 | dae03ca287ebf8f8ff81b65ff2f7f357e4008d4f |
| SHA256 | e34e859b38d8fc50ddfee9081e20634c7ba9718c3cbe8c4cfaf52c5bc47dfe57 |
| SHA512 | 99b25d3377e0b7f2b051b4cff06e765f4b6aae19896782ff2621076792dd4a53a61158052a389dfc0f40d5f9d066db1e553aad9a8e769de3625f3a7dca07b41f |
memory/2052-9-0x0000000010000000-0x0000000010028000-memory.dmp
C:\2898300.dll
| Hash | Value |
| --- | --- |
| MD5 | 756629819676fecd59d410cbd7e63ed2 |
| SHA1 | a774b4a83ecea402c90665c8de0875f2b6eebb1e |
| SHA256 | 598f949ae3d4007255c55c737eb61523007c49186da603104c4d824c8f6ad226 |
| SHA512 | 8022f0b383278fd744de569a149e9eef3395232a2f5762b2b66c5a8a788d1afb2147d2de58a11d58b35424e9469a1b238884b716efe53f1a05d11df1acaa2989 |
C:\WinWall32.gif
| Hash | Value |
| --- | --- |
| MD5 | e5ebe7ae0c59b2bbb1afa726567db18b |
| SHA1 | 3be1443373a20a1ecee46d1c133222c28b492e86 |
| SHA256 | 62abdd99f21f2a944dca412a0b691d6f652d0c50df28dc29c0fb96bb536e8a89 |
| SHA512 | 725504210eabf5d60a3825a5dc6b5feba4718f3ef0384fec3e67f98b2faef2832f7c7ee5b40a6027ffb1599a93048424b67c6b1c4f1ebe55853a489bf45ddb75 |