Malware Analysis Report

2025-01-22 14:31

Sample ID 240623-c14ypazfqm
Target 04ebaac77b2ff4a87f0a19bbbeb0c2ee_JaffaCakes118
SHA256 ccaa93e8a5c1cb535eeac8508f3900afc6ad31640a63b45e1c803c5cdd3cfae0
Tags
gh0strat bootkit persistence rat
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

ccaa93e8a5c1cb535eeac8508f3900afc6ad31640a63b45e1c803c5cdd3cfae0

Threat Level: Known bad

The file 04ebaac77b2ff4a87f0a19bbbeb0c2ee_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

gh0strat bootkit persistence rat

Gh0strat

Gh0st RAT payload

Loads dropped DLL

Deletes itself

Executes dropped EXE

Writes to the Master Boot Record (MBR)

Drops file in Program Files directory

Unsigned PE

Program crash

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies registry class

MITRE ATT&CK

Enterprise Matrix V15: no technique mappings are rendered on this page; the tags (rat, bootkit, persistence) and the signature names below are the only classification the report carries.

Analysis: static1

Detonation Overview

Reported

2024-06-23 02:33

Signatures

Unsigned PE

Description Indicator Process Target
(no indicator, process or target recorded for this static rule)

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-23 02:33

Reported

2024-06-23 02:36

Platform

win7-20240611-en

Max time kernel

144s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\04ebaac77b2ff4a87f0a19bbbeb0c2ee_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description Indicator Process Target
(4 matches; no description, indicator, process or target recorded for this rule)

Gh0strat

rat gh0strat

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Common Files\maolan.exe N/A
N/A N/A C:\Documents and Settings\qiuqi1.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Program Files\Common Files\maolan.exe N/A

The indicator here is a handle to the raw disk device opened with write access by the dropped loader; the page does not record which sectors were written or what they contained. Read it as "capable of overwriting the MBR" and confirm by dumping sector 0 of the detonation disk (or of a suspect host) and comparing it with a known-good copy before calling the sample a bootkit on this evidence alone.
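
As an added example that is not part of the sandbox report or of the sample, the following Python performs that confirmation step on a 512-byte sector 0: it parses the MBR layout (bootstrap code, disk signature, four partition entries, 0x55AA boot signature), hashes the bootstrap code and compares it with a baseline, and flags an implausible partition table. The MBR bytes, the baseline hash and the disk signature value are constructed for the example; on a real host you would read the first sector of \\.\PhysicalDrive0 (administrator rights required) and pass those bytes in.

```python
"""Parse a 512-byte MBR and check it against a known-good baseline.

Added example, not part of the sandbox report. The MBR images built below
are constructed for illustration only.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIG = b"\x55\xAA"
# status(1) chs_start(3) type(1) chs_end(3) lba_start(4) sector_count(4) = 16 bytes
PART_ENTRY = struct.Struct("<B3xB3xII")


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into bootstrap code, disk signature, partition table and boot signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    bootstrap = sector[0:440]                       # boot code, before the 4-byte disk signature
    disk_sig = struct.unpack_from("<I", sector, 440)[0]
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = PART_ENTRY.unpack_from(sector, 446 + 16 * i)
        if ptype != 0:                              # type 0x00 marks an unused slot
            partitions.append({
                "index": i,
                "bootable": status == 0x80,
                "type": ptype,
                "lba_start": lba_start,
                "sectors": sectors,
            })
    return {
        "bootstrap_sha256": hashlib.sha256(bootstrap).hexdigest(),
        "disk_signature": disk_sig,
        "partitions": partitions,
        "boot_signature_ok": sector[510:512] == BOOT_SIG,
    }


def check_mbr(sector: bytes, baseline_bootstrap_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["boot_signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["bootstrap_sha256"] != baseline_bootstrap_sha256:
        findings.append("bootstrap code differs from baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} bootable partitions (expected 1)")
    return findings


def build_mbr(bootstrap: bytes, partitions: list) -> bytes:
    """Assemble a constructed MBR for testing: bootstrap code, a fixed (made-up)
    disk signature, partition tuples (bootable, type, lba_start, sectors), 0x55AA."""
    sector = bytearray(SECTOR_SIZE)
    code = bootstrap[:440]
    sector[0:len(code)] = code
    struct.pack_into("<I", sector, 440, 0xDEADBEEF)  # constructed disk signature
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        PART_ENTRY.pack_into(sector, 446 + 16 * i, 0x80 if bootable else 0x00, ptype, lba, count)
    sector[510:512] = BOOT_SIG
    return bytes(sector)


# Constructed baseline: a clean MBR with one bootable NTFS (type 0x07) partition.
CLEAN_MBR = build_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 100,
                      [(True, 0x07, 2048, 1_000_000)])
BASELINE_SHA256 = parse_mbr(CLEAN_MBR)["bootstrap_sha256"]

# Constructed tampered MBR: same partition table, bootstrap code replaced.
TAMPERED_MBR = build_mbr(b"\xEB\xFE" + b"\xCC" * 200, [(True, 0x07, 2048, 1_000_000)])

if __name__ == "__main__":
    print("clean   :", check_mbr(CLEAN_MBR, BASELINE_SHA256))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE_SHA256))
```

The baseline hash should come from the same machine image before detonation (or a golden image for the fleet); a bootkit that keeps the partition table intact and only swaps the 440 bytes of boot code is exactly the case the bootstrap hash is there to catch.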

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\maolan.exe C:\Users\Admin\AppData\Local\Temp\04ebaac77b2ff4a87f0a19bbbeb0c2ee_JaffaCakes118.exe N/A
File created C:\Program Files\Common Files\xxxooo.bat C:\Users\Admin\AppData\Local\Temp\04ebaac77b2ff4a87f0a19bbbeb0c2ee_JaffaCakes118.exe N/A
File created C:\Program Files\Common Files\maolan.dll C:\Users\Admin\AppData\Local\Temp\04ebaac77b2ff4a87f0a19bbbeb0c2ee_JaffaCakes118.exe N/A
File created C:\Program Files\Common Files\xxxooo.dll C:\Users\Admin\AppData\Local\Temp\04ebaac77b2ff4a87f0a19bbbeb0c2ee_JaffaCakes118.exe N/A
File created C:\Program Files\Common Files\maolan.exe C:\Users\Admin\AppData\Local\Temp\04ebaac77b2ff4a87f0a19bbbeb0c2ee_JaffaCakes118.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Common Files\maolan.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Common Files\maolan.exe N/A

Reading ~MHz from the CentralProcessor key is how the original Gh0st source fills the CPU-speed field of the login record it sends to the controller; the same query is also a common sandbox and VM fingerprinting check. This run does not show which purpose it served, so the signature is consistent with either.

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\InProcServer32 C:\Documents and Settings\qiuqi1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Documents and Settings\qiuqi1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{603D3801-BD81-11d0-A3A5-00C04FD706EC} C:\Documents and Settings\qiuqi1.exe N/A

An InProcServer32 subkey under HKLM\SOFTWARE\Classes\Wow6432Node\CLSID is where a 32-bit in-process COM server registers the DLL that implements the CLSID, so writes here are worth checking for COM hijacking. The page records only the key creation, not a value being set, so it does not show which DLL, if any, was pointed at this CLSID.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Program Files\Common Files\maolan.exe N/A 2

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1936 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\04ebaac77b2ff4a87f0a19bbbeb0c2ee_JaffaCakes118.exe C:\Program Files\Common Files\maolan.exe 7
PID 1936 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\04ebaac77b2ff4a87f0a19bbbeb0c2ee_JaffaCakes118.exe C:\Documents and Settings\qiuqi1.exe 7
PID 2744 wrote to memory of 2712 N/A C:\Documents and Settings\qiuqi1.exe C:\Windows\SysWOW64\cmd.exe 7
PID 1936 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\04ebaac77b2ff4a87f0a19bbbeb0c2ee_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe 7

The original table lists each row seven times; the Count column collapses the repeats. Every write goes from a parent to a child it has just created, which is what a parent does while setting up a new process's address space, so this signature corroborates the process tree rather than showing injection into an unrelated process.

Processes

The sandbox lists the processes flat; the PIDs and parent/child links below are taken from the WriteProcessMemory table above.

PID 1936  C:\Users\Admin\AppData\Local\Temp\04ebaac77b2ff4a87f0a19bbbeb0c2ee_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\04ebaac77b2ff4a87f0a19bbbeb0c2ee_JaffaCakes118.exe"

  PID 840   C:\Program Files\Common Files\maolan.exe
            "C:\Program Files\Common Files\maolan.exe" "C:\Program Files\Common Files\maolan.dll" ServiceMain

  PID 2744  C:\Documents and Settings\qiuqi1.exe
            "C:\Documents and Settings\qiuqi1.exe"

    PID 2712  C:\Windows\SysWOW64\cmd.exe
              cmd /c del C:\DOCUME~1\qiuqi1.exe

  PID 2496  C:\Windows\SysWOW64\cmd.exe
            cmd /c del C:\Users\Admin\AppData\Local\Temp\04EBAA~1.EXE

maolan.exe is started with a DLL path and the export name ServiceMain, so it acts as a loader for maolan.dll in the way rundll32 would, without rundll32 appearing in the process list; this exe-plus-service-DLL layout is typical of Gh0st variants and is the "Loads dropped DLL" entry in the summary. The two cmd.exe instances exist only to delete files the malware no longer needs (qiuqi1.exe and the original dropper, shown with their 8.3 short names), which is the "Deletes itself" signature.
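
The following Python, added here and not part of the report, turns the three host-side patterns of this run into detection logic over constructed JSON-lines events modelled on the tables above: an executable that is handed a DLL path plus an export name (the maolan.exe, maolan.dll, ServiceMain loader), cmd /c del self-deletion, and a raw PhysicalDrive handle opened with write access. The event schema (event, pid, image, cmdline, target, access) and the benign diskinfo.exe read-only event are assumptions made for the example, not the sandbox's export format.

```python
"""Detection rules for the behavioral1 patterns, run over constructed events.

Added example, not part of the sandbox report. Event lines are constructed
from the report's process and file-handle data; the field names are assumed.
"""
import json
import re

# Constructed JSON-lines events modelled on the behavioral1 run.
SAMPLE_EVENTS = r"""
{"event": "process_create", "pid": 1936, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\04ebaac77b2ff4a87f0a19bbbeb0c2ee_JaffaCakes118.exe", "cmdline": "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\04ebaac77b2ff4a87f0a19bbbeb0c2ee_JaffaCakes118.exe\""}
{"event": "process_create", "pid": 840, "ppid": 1936, "image": "C:\\Program Files\\Common Files\\maolan.exe", "cmdline": "\"C:\\Program Files\\Common Files\\maolan.exe\" \"C:\\Program Files\\Common Files\\maolan.dll\" ServiceMain"}
{"event": "file_open", "pid": 840, "image": "C:\\Program Files\\Common Files\\maolan.exe", "target": "\\??\\PhysicalDrive0", "access": "GENERIC_READ|GENERIC_WRITE"}
{"event": "process_create", "pid": 2712, "ppid": 2744, "image": "C:\\Windows\\SysWOW64\\cmd.exe", "cmdline": "cmd /c del C:\\DOCUME~1\\qiuqi1.exe"}
{"event": "process_create", "pid": 2496, "ppid": 1936, "image": "C:\\Windows\\SysWOW64\\cmd.exe", "cmdline": "cmd /c del C:\\Users\\Admin\\AppData\\Local\\Temp\\04EBAA~1.EXE"}
{"event": "file_open", "pid": 3000, "image": "C:\\Tools\\diskinfo.exe", "target": "\\??\\PhysicalDrive0", "access": "GENERIC_READ"}
{"event": "process_create", "pid": 3001, "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe"}
"""

# <exe> "<path>.dll" <ExportName>: a loader that calls a named export of a DLL.
LOADER_RE = re.compile(
    r'^"?(?P<exe>[^"]+\.exe)"?\s+"?(?P<dll>[^"]+\.dll)"?\s+(?P<export>\w+)\s*$', re.I)
# cmd /c del <path>: deletion of a file via a throwaway shell (self-delete pattern).
SELF_DELETE_RE = re.compile(r'^cmd(?:\.exe)?\s+/c\s+del\s+(?P<path>\S+)', re.I)
# NT-style raw disk device path, e.g. \??\PhysicalDrive0
PHYSICAL_DRIVE_RE = re.compile(r'^\\\?\?\\PhysicalDrive\d+$', re.I)


def analyze(events_text: str) -> list:
    """Return (rule, pid, detail) tuples for every event that matches a rule."""
    hits = []
    for line in events_text.strip().splitlines():
        ev = json.loads(line)
        if ev["event"] == "process_create":
            cmd = ev.get("cmdline", "")
            m = LOADER_RE.match(cmd)
            # rundll32 is the legitimate way to do this; anything else doing it is odd.
            if m and "rundll32" not in m.group("exe").lower():
                hits.append(("dll_export_loader", ev["pid"],
                             f'{m.group("dll")}!{m.group("export")}'))
            m = SELF_DELETE_RE.match(cmd)
            if m:
                hits.append(("self_delete_via_cmd", ev["pid"], m.group("path")))
        elif ev["event"] == "file_open":
            # Only a write-capable handle to the raw disk is interesting; read-only
            # opens are routine for disk-inventory tooling.
            if PHYSICAL_DRIVE_RE.match(ev["target"]) and "WRITE" in ev.get("access", "").upper():
                hits.append(("raw_disk_write_handle", ev["pid"], ev["target"]))
    return hits


if __name__ == "__main__":
    for rule, pid, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule:22} pid={pid:<5} {detail}")
```

The loader rule deliberately keys on the command-line shape rather than on the file names, so a rebuilt variant that renames maolan.exe and maolan.dll still matches; the raw-disk rule ignores read-only opens so that inventory tools do not page anyone.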

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 www.pk39.com udp 1
HK 47.56.70.142:1912 www.pk39.com tcp 2

www.pk39.com was resolved through the sandbox's 8.8.8.8 resolver to 47.56.70.142, and the sample then opened two TCP connections to port 1912 on that host (the original table lists the flow twice). The page records no payload bytes for these flows, so the C2 protocol is inferred from the Gh0st family match rather than observed here.
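
For the case where a capture of those port 1912 flows is available, here is an added example, unrelated to the page's own data, of what a network detector would look for: it builds and validates packets in the classic Gh0st framing, a 5-byte tag, a little-endian total length (header included), a little-endian uncompressed length, and a zlib body whose first byte is the command code. The payload bytes and command byte are constructed; forks of the family routinely replace the 5-byte tag, so the tag is a parameter with the original value "Gh0st" as default.

```python
"""Build and parse packets in the classic Gh0st RAT framing.

Added example, not part of the sandbox report, which records only the C2
endpoint and no packet contents. Payload contents below are constructed.
"""
import struct
import zlib

# tag[5] | total_len uint32 LE | original_len uint32 LE | zlib(payload)
HEADER = struct.Struct("<5sII")
DEFAULT_TAGS = (b"Gh0st",)


def build_packet(payload: bytes, tag: bytes = b"Gh0st") -> bytes:
    """Frame a plaintext payload the way a Gh0st client or controller would."""
    if len(tag) != HEADER.size - 8:
        raise ValueError("tag must be exactly 5 bytes")
    body = zlib.compress(payload)
    return HEADER.pack(tag, HEADER.size + len(body), len(payload)) + body


def parse_packet(data: bytes, tags=DEFAULT_TAGS) -> dict:
    """Validate the framing and return tag, command byte and decompressed payload.

    Raises ValueError (or zlib.error) on any inconsistency so a detector can
    treat the stream as "not Gh0st" instead of accepting arbitrary bytes.
    """
    if len(data) < HEADER.size:
        raise ValueError("short header")
    tag, total_len, orig_len = HEADER.unpack_from(data)
    if tag not in tags:
        raise ValueError(f"unknown tag {tag!r}")
    if total_len != len(data):
        raise ValueError(f"length field {total_len} != packet size {len(data)}")
    payload = zlib.decompress(data[HEADER.size:])
    if len(payload) != orig_len:
        raise ValueError(f"decompressed {len(payload)} bytes, header says {orig_len}")
    return {"tag": tag, "command": payload[0] if payload else None, "payload": payload}


def looks_like_gh0st(data: bytes, tags=DEFAULT_TAGS) -> bool:
    """True only if every framing field is self-consistent and the body inflates."""
    try:
        parse_packet(data, tags)
        return True
    except (ValueError, zlib.error):
        return False


if __name__ == "__main__":
    # Constructed payload: command byte 0x01 followed by made-up login data.
    pkt = build_packet(b"\x01" + b"constructed-login-data")
    print(pkt[:HEADER.size].hex(), parse_packet(pkt))
    print("truncated packet accepted?", looks_like_gh0st(pkt[:-1]))
```

Checking all three header fields against the actual packet and the inflated size is what keeps the false-positive rate down: plenty of unrelated traffic starts with five printable bytes, but very little of it also carries two consistent lengths followed by a valid zlib stream. When hunting a fork that changed the tag, pass the observed 5-byte prefix in `tags` and keep the rest of the check unchanged.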

Files

Memory dump names follow the pattern memory/<PID>-<sequence>-<start>-<end>-memory.dmp. \Program Files\Common Files\maolan.exe is the file created in the Program Files table above, and \Users\qiuqi1.exe is the same file as C:\Documents and Settings\qiuqi1.exe in the Executes dropped EXE table (on Windows 7, Documents and Settings is a junction to \Users). No hashes are recorded on this page for xxxooo.bat or xxxooo.dll.

memory/1936-0-0x0000000000400000-0x0000000000479000-memory.dmp
memory/1936-1-0x00000000008A0000-0x0000000000919000-memory.dmp
memory/1936-2-0x00000000008A0000-0x0000000000919000-memory.dmp
memory/1936-3-0x0000000000610000-0x000000000064E000-memory.dmp
memory/1936-4-0x0000000000610000-0x000000000064E000-memory.dmp
memory/1936-5-0x0000000000400000-0x0000000000479000-memory.dmp
memory/1936-7-0x00000000003E0000-0x00000000003E1000-memory.dmp
memory/1936-8-0x00000000003F0000-0x00000000003F2000-memory.dmp
memory/1936-6-0x0000000000400000-0x0000000000479000-memory.dmp

\Program Files\Common Files\maolan.exe
MD5 51138beea3e2c21ec44d0932c71762a8
SHA1 8939cf35447b22dd2c6e6f443446acc1bf986d58
SHA256 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

C:\Program Files\Common Files\maolan.dll
MD5 2d3a6610f22ead274774a93e741628aa
SHA1 e331b6c2515652d2e8894c6fc296d84939778f03
SHA256 b33657076ead5d258a354d814ee9a47f70ad25ed99063ebf7863ec8ecacdfac5
SHA512 d2a3a528d77c78cf2b35f9f3740645612341ac0a60cba1b0e3f2d63d04ae46fe281bc4767a0ca5270a3b051b5d18b9f410e4cbbf3823fab9cd7cd32ee2ee32d4

memory/840-26-0x0000000020000000-0x0000000020027000-memory.dmp
memory/1936-27-0x0000000000400000-0x0000000000479000-memory.dmp
memory/1936-28-0x00000000008A0000-0x0000000000919000-memory.dmp
memory/1936-30-0x0000000000610000-0x000000000064E000-memory.dmp

\Users\qiuqi1.exe
MD5 2488f376d2032274ed85bd5a15a01f23
SHA1 6277efbbd24192e23d78928ce01c85711269a52a
SHA256 0f8fee3c5fe6ad6b49e8944289ebe870fe61f7f99e24fa722a31d74fe97c8a40
SHA512 b11dd3e8a428afc8475041eb33b8fc114530d3bc137140cdd0cfb54749ee48f8ff5f5635d466da4f9e57abd34f817b9f4a2da70f96b4f23aca9fd2014bf890ce

memory/1936-34-0x0000000000660000-0x0000000000666000-memory.dmp
memory/2744-36-0x0000000000400000-0x0000000000406000-memory.dmp
memory/2744-42-0x0000000000020000-0x0000000000026000-memory.dmp
memory/2744-41-0x0000000000020000-0x0000000000026000-memory.dmp
memory/1936-43-0x0000000000610000-0x000000000064E000-memory.dmp
memory/1936-44-0x0000000000400000-0x0000000000479000-memory.dmp
memory/2744-45-0x0000000000400000-0x0000000000406000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-23 02:33

Reported

2024-06-23 02:36

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\04ebaac77b2ff4a87f0a19bbbeb0c2ee_JaffaCakes118.exe"

Signatures

No behavioral signatures fired in this run: the sample crashed shortly after launch (see the WerFault.exe processes below and the "Program crash" entry in the summary), so every Gh0st, dropper and MBR finding on this page comes from the Windows 7 run (behavioral1). A sample that only works on older Windows is still a threat to the hosts it does work on; do not read the clean Windows 10 result as a lower severity.

Processes

C:\Users\Admin\AppData\Local\Temp\04ebaac77b2ff4a87f0a19bbbeb0c2ee_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\04ebaac77b2ff4a87f0a19bbbeb0c2ee_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4996 -ip 4996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 316

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

The only traffic is a reverse lookup of the sandbox's own resolver address, which is background noise rather than sample activity; www.pk39.com was never resolved or contacted in this run.

Files

memory/4996-0-0x0000000000400000-0x0000000000479000-memory.dmp
memory/4996-1-0x0000000000590000-0x00000000005CE000-memory.dmp
memory/4996-4-0x0000000000400000-0x0000000000479000-memory.dmp
memory/4996-8-0x0000000000401000-0x0000000000402000-memory.dmp
memory/4996-7-0x0000000002100000-0x0000000002101000-memory.dmp
memory/4996-6-0x00000000020F0000-0x00000000020F2000-memory.dmp
memory/4996-5-0x00000000020E0000-0x00000000020E1000-memory.dmp
memory/4996-2-0x0000000000590000-0x00000000005CE000-memory.dmp
memory/4996-3-0x0000000000400000-0x0000000000479000-memory.dmp
memory/4996-9-0x0000000000590000-0x00000000005CE000-memory.dmp
memory/4996-11-0x0000000000400000-0x0000000000479000-memory.dmp