Analysis Overview
SHA256
532c82a91ede78977c08d886a7354798ba4a7b80c4fd4ac44ec7cd8afecfdc4a
Threat Level: Known bad
The file 0533ab1ea36eea793f0674608f364c9d_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Gh0st RAT payload
Gh0strat family
Gh0strat
Adds Run key to start application
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Kills process with taskkill
Suspicious behavior: RenamesItself
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-23 04:29
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Gh0strat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-23 04:29
Reported
2024-06-23 04:32
Platform
win7-20240611-en
Max time kernel
150s
Max time network
129s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Gh0strat
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\:\WINDOWS\Temp\svchast.exe 202462342932.exe = "C:\\WINDOWS\\Temp\\svchast.exe 202462342932.exe" | C:\Users\Admin\AppData\Local\Temp\0533ab1ea36eea793f0674608f364c9d_JaffaCakes118.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0533ab1ea36eea793f0674608f364c9d_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0533ab1ea36eea793f0674608f364c9d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0533ab1ea36eea793f0674608f364c9d_JaffaCakes118.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Ksafetray.exe
C:\WINDOWS\Temp\svchast.exe 202462342932.exe
"C:\WINDOWS\Temp\svchast.exe 202462342932.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Ksafetray.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | zhangjiangang.2288.org | udp |
Files
memory/1808-0-0x0000000000400000-0x0000000000421000-memory.dmp
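Two details in the behavioral1 run are worth turning into detection logic rather than copying as literal indicators. First, the Run-key persistence launches from C:\WINDOWS\Temp and the file name carries a numeric suffix (202462342932) that matches the detonation timestamp (2024-06-23 04:29:32), so the exact file name is generated at run time and will differ on every host; a rule should key on the directory and the "svchast.exe " prefix, not the full name. Second, the only privileged action recorded (SeDebugPrivilege) belongs to taskkill.exe, which is normal for `taskkill /f`; the interesting part is the target image, Ksafetray.exe, which is assumed here to be a security-product tray process. The script below is an added example and is not part of the sandbox report: it re-applies these observations, plus the dynamic-DNS lookup, as three checks over a constructed, report-style event list. The event dictionary shape, the rule names, the security-product image list and the dynamic-DNS suffix list are assumptions for illustration, with only ksafetray.exe and 2288.org taken from the report itself.

```python
"""Added example: report-style events from the behavioral1 run, re-checked as
detection logic.  Event layout, rule names and the two watch lists are
assumptions for illustration, not a real EDR schema."""
import re

# Persistence launched from a temp directory (Windows\Temp, %TEMP%, any \temp\).
TEMP_DIR_RE = re.compile(r"\\(windows\\temp|appdata\\local\\temp|temp)\\", re.IGNORECASE)
# HKLM/HKCU ...\CurrentVersion\Run and RunOnce, including the Wow6432Node view.
RUN_KEY_RE = re.compile(r"\\microsoft\\windows\\currentversion\\run(once)?$", re.IGNORECASE)
# Illustrative list; only ksafetray.exe comes from the report above.
SECURITY_IMAGES = {"ksafetray.exe", "360tray.exe", "msmpeng.exe"}
# Illustrative dynamic-DNS suffixes; only 2288.org comes from the report above.
DYNDNS_SUFFIXES = ("2288.org", "3322.org")

# Constructed from the behavioral1 findings, plus three benign control events.
SAMPLE_EVENTS = [
    {"type": "registry_set",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
     "name": r"\WINDOWS\Temp\svchast.exe 202462342932.exe",
     "data": r'"C:\WINDOWS\Temp\svchast.exe 202462342932.exe"'},
    {"type": "process_create", "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "cmdline": "taskkill /f /im Ksafetray.exe"},
    {"type": "dns_query", "domain": "zhangjiangang.2288.org"},
    {"type": "registry_set",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "OneDrive",
     "data": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    {"type": "process_create", "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /im notepad.exe"},
    {"type": "dns_query", "domain": "tse1.mm.bing.net"},
]


def launched_path(data: str) -> str:
    """Return the executable path a Run-key value launches: the quoted string
    if the value is quoted, otherwise everything up to the first space.  The
    report's value is quoted, so the embedded space survives."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def check_run_key(ev):
    """Flag Run/RunOnce values whose target lives in a temp directory."""
    if not RUN_KEY_RE.search(ev["key"]):
        return None
    path = launched_path(ev["data"])
    if TEMP_DIR_RE.search(path):
        return ("run_key_temp_dir", path)
    return None


def check_taskkill(ev):
    """Flag taskkill invocations aimed at a known security-product image."""
    if ev["image"].lower().rsplit("\\", 1)[-1] != "taskkill.exe":
        return None
    toks = ev["cmdline"].lower().split()
    if "/im" in toks:
        i = toks.index("/im")
        if i + 1 < len(toks) and toks[i + 1] in SECURITY_IMAGES:
            return ("taskkill_security_product", toks[i + 1])
    return None


def check_dns(ev):
    """Flag lookups under a dynamic-DNS suffix (exact match or subdomain)."""
    domain = ev["domain"].lower().rstrip(".")
    for suffix in DYNDNS_SUFFIXES:
        if domain == suffix or domain.endswith("." + suffix):
            return ("dyndns_lookup", domain)
    return None


CHECKS = {"registry_set": check_run_key,
          "process_create": check_taskkill,
          "dns_query": check_dns}


def triage(events):
    """Run every check over the event list; return (rule, detail) hits in order."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev["type"])
        hit = check(ev) if check else None
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Run against the constructed events, the three malicious entries produce one finding each and the three control events produce none. The temp-directory check deliberately ignores the file name, so a fresh timestamp suffix on the next infection still matches; widening the image and suffix lists is the only tuning a deployment would need.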
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-23 04:29
Reported
2024-06-23 04:32
Platform
win10v2004-20240611-en
Max time kernel
139s
Max time network
129s
Command Line
Signatures
(none triggered on this platform; the Edge utility process and the reverse-DNS lookups listed below are consistent with background OS activity rather than behaviour of the sample, so the Windows 10 run does not reproduce the persistence or taskkill activity seen on Windows 7)
Processes
C:\Users\Admin\AppData\Local\Temp\0533ab1ea36eea793f0674608f364c9d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0533ab1ea36eea793f0674608f364c9d_JaffaCakes118.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1420,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=3908 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.242.123.52.in-addr.arpa | udp |