Malware Analysis Report

2025-01-22 14:31

Sample ID 240623-b5b8ssvcng
Target 04c76ea7c3bc3b8a1b35179910dc12a1_JaffaCakes118
SHA256 f915c69847bca10f1e67339fcf45eeb3bd1b1a76fe2cd24586e0ee11cd2be6a1
Tags: gh0strat, rat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: f915c69847bca10f1e67339fcf45eeb3bd1b1a76fe2cd24586e0ee11cd2be6a1

Threat Level: Known bad

The file 04c76ea7c3bc3b8a1b35179910dc12a1_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

gh0strat rat

Gh0st RAT payload

Gh0strat family

Gh0strat

Unsigned PE

Program crash

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-23 01:43

Signatures

Gh0st RAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Gh0strat family

Tags: gh0strat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-23 01:43
Reported: 2024-06-23 01:45
Platform: win7-20240508-en
Max time kernel: 140s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\04c76ea7c3bc3b8a1b35179910dc12a1_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Gh0strat

Tags: rat, gh0strat

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\04c76ea7c3bc3b8a1b35179910dc12a1_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\04c76ea7c3bc3b8a1b35179910dc12a1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\04c76ea7c3bc3b8a1b35179910dc12a1_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 164

Network

N/A

Files

memory/1936-0-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1936-1-0x0000000000400000-0x0000000000421000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-23 01:43
Reported: 2024-06-23 01:45
Platform: win10v2004-20240508-en
Max time kernel: 147s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\04c76ea7c3bc3b8a1b35179910dc12a1_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Gh0strat

Tags: rat, gh0strat

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\04c76ea7c3bc3b8a1b35179910dc12a1_JaffaCakes118.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\04c76ea7c3bc3b8a1b35179910dc12a1_JaffaCakes118.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\04c76ea7c3bc3b8a1b35179910dc12a1_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\04c76ea7c3bc3b8a1b35179910dc12a1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\04c76ea7c3bc3b8a1b35179910dc12a1_JaffaCakes118.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetSvcs -p -s iphlpsvc

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp

Files

memory/812-0-0x0000000000400000-0x0000000000421000-memory.dmp

\??\c:\users\admin\appdata\roaming\microsoft\windows\templates\ver.dll

MD5 9793623e4931e16384c58a0cebb0835f
SHA1 f32e24effb1e0c8f03a76d0e7f26612abd4975b1
SHA256 f3019b4106c0ae396321cd27251a9f49e75670d392777fa06fa09dedb2f597b5
SHA512 fa701aaff9a655037a057c2bbe68f699eb7859ccbe2ad0da2b85fb1b54bdb663e1a2c3e1110d73da9cfb1b4779c7bb5649d050d03103be1833afb4b1abde08b9

memory/812-4-0x0000000000400000-0x0000000000421000-memory.dmp