Analysis Overview
SHA256
5a9ea3019116fb59ecd591dacfa42e6cc314e4c82f5d9bda28b230d4e408a181
Threat Level: Known bad
The file 04e14815fabdf57e203868a4bc1acdf7_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Gh0st RAT payload
Gh0strat family
Gh0strat
Server Software Component: Terminal Services DLL
Deletes itself
Loads dropped DLL
Unsigned PE
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-23 02:17
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Gh0strat family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-23 02:17
Reported
2024-06-23 02:20
Platform
win7-20240508-en
Max time kernel
140s
Max time network
148s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Server Software Component: Terminal Services DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibilityupt.dll" | C:\Users\Admin\AppData\Local\Temp\04e14815fabdf57e203868a4bc1acdf7_JaffaCakes118.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\SVCHoST.EXE | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\SVCHoST.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\SVCHoST.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SVCHoST.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SVCHoST.EXE | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\04e14815fabdf57e203868a4bc1acdf7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\04e14815fabdf57e203868a4bc1acdf7_JaffaCakes118.exe"
C:\Windows\SysWOW64\SVCHoST.EXE
C:\Windows\SysWOW64\SVCHoST.EXE -K NETSVcS
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | feifei999.3322.org | udp |
| US | 8.8.8.8:53 | feifei999.3322.org | udp |
Files
memory/2956-0-0x0000000000400000-0x000000000041E000-memory.dmp
\??\c:\windows\SysWOW64\fastuserswitchingcompatibilityupt.dll
| Hash | Value |
| --- | --- |
| MD5 | 0d9b5aab789200f66d6f382054fb1f2a |
| SHA1 | e434e03daeded995b89063fa23d8e5305cf02ec0 |
| SHA256 | 47d3444e9c95b6e22cc3d37377244bcf9f7b452c07b5a12be311c22b51f5ce98 |
| SHA512 | 8a94be66ee8d993967a42c6318c057f0b8659be6539fbd040656e491a1ca2b7dfc82d3c9c6868c9396ca89a413b4f6ecb260d4849d1b3e287e57ce7fecd67378 |
memory/2196-6-0x0000000010000000-0x000000001001C000-memory.dmp
memory/2956-5-0x0000000000400000-0x000000000041E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-23 02:17
Reported
2024-06-23 02:20
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Gh0strat
Processes
C:\Users\Admin\AppData\Local\Temp\04e14815fabdf57e203868a4bc1acdf7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\04e14815fabdf57e203868a4bc1acdf7_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.173.189.20.in-addr.arpa | udp |
Files
memory/3844-0-0x0000000000400000-0x000000000041E000-memory.dmp