Malware Analysis Report

2024-10-24 17:02

Sample ID: 240619-ys1rysyhre
Target: 0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118
SHA256: 6a552dc09ebd93d33e54831a3d0d1951b838a79df1e2d7c6fc73a1bbcb515ce4
Tags: gh0strat, rat
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 6a552dc09ebd93d33e54831a3d0d1951b838a79df1e2d7c6fc73a1bbcb515ce4

Threat Level: Known bad

The file 0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

gh0strat rat

Gh0strat family

Gh0st RAT payload

Gh0strat

Loads dropped DLL

Deletes itself

Drops file in Program Files directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-19 20:03

Signatures

Gh0st RAT payload

Hits: 1 (no description, indicator, process or target recorded)

Gh0strat family (tags: gh0strat)

Unsigned PE

Hits: 1 (no description, indicator, process or target recorded)

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-19 20:03
Reported: 2024-06-19 20:06
Platform: win10v2004-20240508-en
Max time kernel: 150s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Hits: 2 (no description, indicator, process or target recorded)

Gh0strat (tags: rat, gh0strat)

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Bwxy\Gwxyabcde.gif C:\Users\Admin\AppData\Local\Temp\0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Bwxy\Gwxyabcde.gif C:\Users\Admin\AppData\Local\Temp\0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Hits: 64, all from process C:\Windows\SysWOW64\svchost.exe (no description, indicator or target recorded)

Suspicious behavior: LoadsDriver

Hits: 6 (no description, indicator, process or target recorded)

Processes

C:\Users\Admin\AppData\Local\Temp\0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k imgsvc

Network

Country Destination Domain Proto
US 8.8.8.8:53 818771.3322.org udp (3 identical DNS queries)

Files

C:\2950100.dll

MD5 756629819676fecd59d410cbd7e63ed2
SHA1 a774b4a83ecea402c90665c8de0875f2b6eebb1e
SHA256 598f949ae3d4007255c55c737eb61523007c49186da603104c4d824c8f6ad226
SHA512 8022f0b383278fd744de569a149e9eef3395232a2f5762b2b66c5a8a788d1afb2147d2de58a11d58b35424e9469a1b238884b716efe53f1a05d11df1acaa2989

\??\c:\program files (x86)\bwxy\gwxyabcde.gif

MD5 cb764cb38be5290fac82d044633034e4
SHA1 5ff539693ba7664bb7551d2560187807de94401c
SHA256 793ff674e5dc233df1955043e82f44692dbcaf6939c24d326810340e215ecc6e
SHA512 2c9e2bb952ddc843c3cabdaf8652ceec2593f1e0bac7f480b8fb94e28fe7e641b587ac3cd9e6cd523935a16cc67039ef255bce916e294e5396c0863aed2b7d67

C:\WinWall32.gif

MD5 2c5cc22f8309bf5748f3ecaa4d9c2f44
SHA1 3d0f86e7818e0f7ecc44ec71e915b6764d005812
SHA256 3da8012a44195f6dc84cd220f229b09332836c40a7ab6e3ec062431fb2a421f3
SHA512 2f7630eb2e2ff714efeab1fd4f017738bb732560e118ad8f78592dc2563c478ecbc2048bced898a8e0f89fa7d5bd7b5138ed2b9cb573778fb13d3d6a36752dc5

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-19 20:03
Reported: 2024-06-19 20:06
Platform: win7-20240419-en
Max time kernel: 150s
Max time network: 136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Hits: 4 (no description, indicator, process or target recorded)

Gh0strat (tags: rat, gh0strat)

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Bwxy\Gwxyabcde.gif C:\Users\Admin\AppData\Local\Temp\0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Bwxy\Gwxyabcde.gif C:\Users\Admin\AppData\Local\Temp\0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Hits: 64, all from process C:\Windows\SysWOW64\svchost.exe (no description, indicator or target recorded)

Processes

C:\Users\Admin\AppData\Local\Temp\0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0041e68c1e6e5894f3257688e898e8e8_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k imgsvc

Network

Country Destination Domain Proto
US 8.8.8.8:53 818771.3322.org udp

Files

C:\Program Files (x86)\Bwxy\Gwxyabcde.gif

MD5 f065dfec0f0f7433f7db441053cfedd0
SHA1 1de022600cef1d2c0f1de30ed712176302953fcb
SHA256 69dccb4b21ff42c305f02dfa1b4031df51caf1fbcbfd5740e2401e3d759b4ddb
SHA512 0bd0062aea8887de7446dce1a8227e7abbdf30744c811cef3e12878512a8e1ca837a6bafe34dcd44a061d588460818315345a0b47a1ccdf760630f4fce00a9fe

\??\c:\program files (x86)\bwxy\gwxyabcde.gif

MD5 2433c2f3efd9c757dc48bc8ae4bb9672
SHA1 dae03ca287ebf8f8ff81b65ff2f7f357e4008d4f
SHA256 e34e859b38d8fc50ddfee9081e20634c7ba9718c3cbe8c4cfaf52c5bc47dfe57
SHA512 99b25d3377e0b7f2b051b4cff06e765f4b6aae19896782ff2621076792dd4a53a61158052a389dfc0f40d5f9d066db1e553aad9a8e769de3625f3a7dca07b41f

memory/2052-9-0x0000000010000000-0x0000000010028000-memory.dmp

C:\2898300.dll

MD5 756629819676fecd59d410cbd7e63ed2
SHA1 a774b4a83ecea402c90665c8de0875f2b6eebb1e
SHA256 598f949ae3d4007255c55c737eb61523007c49186da603104c4d824c8f6ad226
SHA512 8022f0b383278fd744de569a149e9eef3395232a2f5762b2b66c5a8a788d1afb2147d2de58a11d58b35424e9469a1b238884b716efe53f1a05d11df1acaa2989

C:\WinWall32.gif

MD5 e5ebe7ae0c59b2bbb1afa726567db18b
SHA1 3be1443373a20a1ecee46d1c133222c28b492e86
SHA256 62abdd99f21f2a944dca412a0b691d6f652d0c50df28dc29c0fb96bb536e8a89
SHA512 725504210eabf5d60a3825a5dc6b5feba4718f3ef0384fec3e67f98b2faef2832f7c7ee5b40a6027ffb1599a93048424b67c6b1c4f1ebe55853a489bf45ddb75