Malware Analysis Report

2025-01-22 14:26

Sample ID 240623-eajk6ssemm
Target 051ba0cfe925e4843ab789f1b56f1359_JaffaCakes118
SHA256 a755b29a5601cb4ca2cd258d53fff912c140f2534e7ec0fd64a053463ba95ea8
Tags
gh0strat bootkit persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a755b29a5601cb4ca2cd258d53fff912c140f2534e7ec0fd64a053463ba95ea8

Threat Level: Known bad

The file 051ba0cfe925e4843ab789f1b56f1359_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

gh0strat bootkit persistence rat

Gh0strat

Gh0st RAT payload

Deletes itself

Executes dropped EXE

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Program crash

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-23 03:44

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-23 03:44

Reported

2024-06-23 03:46

Platform

win7-20240508-en

Max time kernel

147s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\051ba0cfe925e4843ab789f1b56f1359_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Gh0strat

rat gh0strat

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | \??\c:\users\admin\appdata\local\ffnppmjgel | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\users\admin\appdata\local\ffnppmjgel | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\svchost.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\sjaxkjclyk | C:\Windows\SysWOW64\svchost.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\svchost.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7" | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\SysWOW64\svchost.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | \??\c:\users\admin\appdata\local\ffnppmjgel | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | \??\c:\users\admin\appdata\local\ffnppmjgel | N/A
Token: SeBackupPrivilege | N/A | \??\c:\users\admin\appdata\local\ffnppmjgel | N/A
Token: SeBackupPrivilege | N/A | \??\c:\users\admin\appdata\local\ffnppmjgel | N/A
Token: SeRestorePrivilege | N/A | \??\c:\users\admin\appdata\local\ffnppmjgel | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\051ba0cfe925e4843ab789f1b56f1359_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\051ba0cfe925e4843ab789f1b56f1359_JaffaCakes118.exe"

\??\c:\users\admin\appdata\local\ffnppmjgel

"C:\Users\Admin\AppData\Local\Temp\051ba0cfe925e4843ab789f1b56f1359_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\051ba0cfe925e4843ab789f1b56f1359_jaffacakes118.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | bibo9.8800.org | udp
US | 8.8.8.8:53 | conf.f.360.cn | udp
KR | 59.24.3.174:889 | bibo9.8800.org | tcp
US | 8.8.8.8:53 | bibo9.8800.org | udp
IT | 93.46.8.90:889 | bibo9.8800.org | tcp

Files

memory/1936-0-0x0000000000400000-0x000000000044E478-memory.dmp

memory/1936-2-0x0000000000030000-0x0000000000031000-memory.dmp

\Users\Admin\AppData\Local\ffnppmjgel

MD5 4906ba0c90339614ec5d39dfdca60017
SHA1 84b2b5ca4ecea22c8bde07f39c396973e1938616
SHA256 30f619cf887887dbe3fe4616cad387d46d9d1a385fce7c4fed268a3f99d96bff
SHA512 06bc2f91c1378d3b04fd260967352166ba4816b65e2e451afe96ad0e6b229acfc570ae7c743fa3a557c27e28b2740b6d0be69a94c05c8a324ba141bd852dddc5

memory/1936-7-0x00000000002B0000-0x00000000002FF000-memory.dmp

memory/1944-18-0x0000000000030000-0x0000000000031000-memory.dmp

memory/1944-17-0x0000000000400000-0x000000000044E478-memory.dmp

memory/1936-16-0x0000000000400000-0x000000000044E478-memory.dmp

memory/1936-14-0x00000000002B0000-0x00000000002FF000-memory.dmp

\??\c:\programdata\application data\storm\update\%sessionname%\ylwvk.cc3

MD5 ce49dfd77f35b1f0a0a5998a9dad594c
SHA1 341a5a50fdf2249f0ea7c6d517f4f5b8c729d3e2
SHA256 f8c749bf04c18c82e563000b1edf7d2e4638846f6a397c03b732312df4dcff50
SHA512 e24791ec27c6867b4fb00c30f27e1e8c871275a4d6587440c7885aa10f8ca9c2e7649da143f0fb8f8a368bf7cf06d9665153a15ee0b0e34b71e83d4645f21382

memory/1944-23-0x0000000000400000-0x000000000044E478-memory.dmp

memory/2756-24-0x00000000000D0000-0x00000000000D1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-23 03:44

Reported

2024-06-23 03:46

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\051ba0cfe925e4843ab789f1b56f1359_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Gh0strat

rat gh0strat

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | \??\c:\users\admin\appdata\local\ndehmvpdxc | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\users\admin\appdata\local\ndehmvpdxc | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\sjqdisjemu | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | C:\Windows\SysWOW64\svchost.exe | N/A
File created | C:\Windows\SysWOW64\srfwqvmcaq | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | C:\Windows\SysWOW64\svchost.exe | N/A
File created | C:\Windows\SysWOW64\satpyyoaml | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | C:\Windows\SysWOW64\svchost.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | \??\c:\users\admin\appdata\local\ndehmvpdxc | N/A
N/A | N/A | \??\c:\users\admin\appdata\local\ndehmvpdxc | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | \??\c:\users\admin\appdata\local\ndehmvpdxc | N/A
Token: SeBackupPrivilege | N/A | \??\c:\users\admin\appdata\local\ndehmvpdxc | N/A
Token: SeBackupPrivilege | N/A | \??\c:\users\admin\appdata\local\ndehmvpdxc | N/A
Token: SeRestorePrivilege | N/A | \??\c:\users\admin\appdata\local\ndehmvpdxc | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\051ba0cfe925e4843ab789f1b56f1359_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\051ba0cfe925e4843ab789f1b56f1359_JaffaCakes118.exe"

\??\c:\users\admin\appdata\local\ndehmvpdxc

"C:\Users\Admin\AppData\Local\Temp\051ba0cfe925e4843ab789f1b56f1359_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\051ba0cfe925e4843ab789f1b56f1359_jaffacakes118.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1624 -ip 1624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 1084

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3092 -ip 3092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 844

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 952 -ip 952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 816

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | conf.f.360.cn | udp

Files

memory/4828-1-0x0000000000400000-0x000000000044E478-memory.dmp

memory/4828-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

C:\Users\Admin\AppData\Local\ndehmvpdxc

MD5 bdffce84e5bcbb6ca498e74cf0c179b5
SHA1 5a42f59970030f994174b5d4969db70094793b57
SHA256 fbba94a4b73559c5625548bae2eaaff835b239b105188efd913e47b469936a46
SHA512 5d5afb429970a343655f5cb0245c3fcd75f375ad662682461e870a4da3f3ab919d21f60bd4a8371f447cde2b03ac5fcaa906044c17cf54f9199d2eb1783a3ec3

memory/4580-12-0x0000000000400000-0x000000000044E478-memory.dmp

memory/4580-11-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/4828-8-0x0000000000400000-0x000000000044E478-memory.dmp

\??\c:\programdata\application data\storm\update\%sessionname%\effie.cc3

MD5 1ee8fcc28658c33e5445c8ef9064847b
SHA1 fc438e104e07991cea05c720c3e8842fe8a79b1e
SHA256 fe93567ce4bb05f9d1138858aa913b143fb58d11e04b2d64b9c6ee368b08bea8
SHA512 eb701b9a668fb5f0e714e65caa30f6a2761144c1d6e106696ea538c67c59823344b9a1911a2f2935a2fca74b5701e19693d1caddb3c81b9f732501db3b37bc03

memory/4580-17-0x0000000000400000-0x000000000044E478-memory.dmp

memory/1624-18-0x00000000020D0000-0x00000000020D1000-memory.dmp

memory/1624-20-0x0000000020000000-0x0000000020027000-memory.dmp

memory/3092-22-0x00000000018C0000-0x00000000018C1000-memory.dmp

C:\Windows\SysWOW64\svchost.exe.txt

MD5 e2679efda809400245fdcc1b63d6ff2d
SHA1 0d397709587dcefc43cb8be2cfd850f8b874446a
SHA256 68f5dfec85cca77cd31f7d01e8de9855e45ba34cc85afe5b47c877c37ef337f2
SHA512 8d24600515207071a8b93cb9a4f3acf904286308090aea10ad5ae465613d9adfb9bbad5ba7edc9234c7de883104b547707831f812e1658b1fc6457b320dd216b

memory/3092-25-0x0000000020000000-0x0000000020027000-memory.dmp

memory/952-27-0x0000000001A90000-0x0000000001A91000-memory.dmp

C:\Windows\SysWOW64\svchost.exe.txt

MD5 b617ffde0cd3a6522888792430bcc21a
SHA1 350820113849407064c5456c505ccd3e56e32e5e
SHA256 bf7511fa919e4ec2a769654ce2b96f371e034c4168fed318f4e4b40635401603
SHA512 e4a06577201218cf5fcaf5e5a4dd3764d90b605080fdb94c917e26f972b5eddf1e56d26bf999ba7f8b311aa26c4bcc4af9769ff9ed53052b8c06b9281f10186b

memory/952-30-0x0000000020000000-0x0000000020027000-memory.dmp