Malware Analysis Report

2025-01-22 14:26

Sample ID 240623-cqzwzszcmn
Target 04e14815fabdf57e203868a4bc1acdf7_JaffaCakes118
SHA256 5a9ea3019116fb59ecd591dacfa42e6cc314e4c82f5d9bda28b230d4e408a181
Tags
gh0strat persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5a9ea3019116fb59ecd591dacfa42e6cc314e4c82f5d9bda28b230d4e408a181

Threat Level: Known bad

The file 04e14815fabdf57e203868a4bc1acdf7_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

gh0strat persistence rat

Gh0st RAT payload

Gh0strat family

Gh0strat

Server Software Component: Terminal Services DLL

Deletes itself

Loads dropped DLL

Unsigned PE

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-23 02:17

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Gh0strat family

gh0strat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-23 02:17

Reported

2024-06-23 02:20

Platform

win7-20240508-en

Max time kernel

140s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\04e14815fabdf57e203868a4bc1acdf7_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Server Software Component: Terminal Services DLL

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibilityupt.dll" C:\Users\Admin\AppData\Local\Temp\04e14815fabdf57e203868a4bc1acdf7_JaffaCakes118.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\SVCHoST.EXE N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\SVCHoST.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\SVCHoST.EXE N/A
N/A N/A C:\Windows\SysWOW64\SVCHoST.EXE N/A
N/A N/A C:\Windows\SysWOW64\SVCHoST.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\04e14815fabdf57e203868a4bc1acdf7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\04e14815fabdf57e203868a4bc1acdf7_JaffaCakes118.exe"

C:\Windows\SysWOW64\SVCHoST.EXE

C:\Windows\SysWOW64\SVCHoST.EXE -K NETSVcS

Network

Country Destination Domain Proto
US 8.8.8.8:53 feifei999.3322.org udp
US 8.8.8.8:53 feifei999.3322.org udp

Files

memory/2956-0-0x0000000000400000-0x000000000041E000-memory.dmp

\??\c:\windows\SysWOW64\fastuserswitchingcompatibilityupt.dll

MD5 0d9b5aab789200f66d6f382054fb1f2a
SHA1 e434e03daeded995b89063fa23d8e5305cf02ec0
SHA256 47d3444e9c95b6e22cc3d37377244bcf9f7b452c07b5a12be311c22b51f5ce98
SHA512 8a94be66ee8d993967a42c6318c057f0b8659be6539fbd040656e491a1ca2b7dfc82d3c9c6868c9396ca89a413b4f6ecb260d4849d1b3e287e57ce7fecd67378

memory/2196-6-0x0000000010000000-0x000000001001C000-memory.dmp

memory/2956-5-0x0000000000400000-0x000000000041E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-23 02:17

Reported

2024-06-23 02:20

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\04e14815fabdf57e203868a4bc1acdf7_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Processes

C:\Users\Admin\AppData\Local\Temp\04e14815fabdf57e203868a4bc1acdf7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\04e14815fabdf57e203868a4bc1acdf7_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 24.173.189.20.in-addr.arpa udp

Files

memory/3844-0-0x0000000000400000-0x000000000041E000-memory.dmp