Malware Analysis Report

2025-01-22 14:26

Sample ID 240623-edp75asflq
Target 051ed64c364b0b540b66df51ad7e7011_JaffaCakes118
SHA256 2f5d05466356092eed4d9226074e4f217cc340c603432b9a6affd544da3ad50c
Tags
gh0strat persistence rat
score
10/10

Analysis Overview

score
10/10

SHA256

2f5d05466356092eed4d9226074e4f217cc340c603432b9a6affd544da3ad50c

Threat Level: Known bad

The file 051ed64c364b0b540b66df51ad7e7011_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

gh0strat persistence rat

Gh0st RAT payload

Gh0strat

Server Software Component: Terminal Services DLL

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-06-23 03:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-23 03:49

Reported

2024-06-23 03:52

Platform

win7-20240221-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\051ed64c364b0b540b66df51ad7e7011_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Server Software Component: Terminal Services DLL

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibilityapi.dll" | C:\Windows\SysWOW64\REO0.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibilityapi.dll" | C:\Windows\SysWOW64\svchost.exe | N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\kks\server.exe N/A
N/A N/A \??\c:\windows\kks\server.exe N/A
N/A N/A C:\Windows\SysWOW64\REO0.exe N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\FastUserSwitchingCompatibilityapi.dll | \??\c:\windows\kks\server.exe | N/A
File created | C:\Windows\SysWOW64\REO0.exe | \??\c:\windows\kks\server.exe | N/A
File opened for modification | C:\Windows\SysWOW64\REO0.exe | \??\c:\windows\kks\server.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | \??\c:\windows\kks\Server.exe | C:\Users\Admin\AppData\Local\Temp\051ed64c364b0b540b66df51ad7e7011_JaffaCakes118.exe | N/A
File created | \??\c:\windows\dkkk.ini | C:\Users\Admin\AppData\Local\Temp\051ed64c364b0b540b66df51ad7e7011_JaffaCakes118.exe | N/A
File created | \??\c:\windows\kks\kkk.zip | C:\Users\Admin\AppData\Local\Temp\051ed64c364b0b540b66df51ad7e7011_JaffaCakes118.exe | N/A
File opened for modification | \??\c:\windows\kks\Server.exe | C:\Users\Admin\AppData\Local\Temp\051ed64c364b0b540b66df51ad7e7011_JaffaCakes118.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\kks\server.exe N/A
N/A N/A \??\c:\windows\kks\server.exe N/A
N/A N/A \??\c:\windows\kks\server.exe N/A
N/A N/A \??\c:\windows\kks\server.exe N/A
N/A N/A \??\c:\windows\kks\server.exe N/A
N/A N/A \??\c:\windows\kks\server.exe N/A
N/A N/A \??\c:\windows\kks\server.exe N/A
N/A N/A \??\c:\windows\kks\server.exe N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2212 wrote to memory of 2100 | N/A | C:\Users\Admin\AppData\Local\Temp\051ed64c364b0b540b66df51ad7e7011_JaffaCakes118.exe | \??\c:\windows\kks\server.exe
PID 2212 wrote to memory of 2100 | N/A | C:\Users\Admin\AppData\Local\Temp\051ed64c364b0b540b66df51ad7e7011_JaffaCakes118.exe | \??\c:\windows\kks\server.exe
PID 2212 wrote to memory of 2100 | N/A | C:\Users\Admin\AppData\Local\Temp\051ed64c364b0b540b66df51ad7e7011_JaffaCakes118.exe | \??\c:\windows\kks\server.exe
PID 2212 wrote to memory of 2100 | N/A | C:\Users\Admin\AppData\Local\Temp\051ed64c364b0b540b66df51ad7e7011_JaffaCakes118.exe | \??\c:\windows\kks\server.exe
PID 2212 wrote to memory of 2100 | N/A | C:\Users\Admin\AppData\Local\Temp\051ed64c364b0b540b66df51ad7e7011_JaffaCakes118.exe | \??\c:\windows\kks\server.exe
PID 2212 wrote to memory of 2100 | N/A | C:\Users\Admin\AppData\Local\Temp\051ed64c364b0b540b66df51ad7e7011_JaffaCakes118.exe | \??\c:\windows\kks\server.exe
PID 2212 wrote to memory of 2100 | N/A | C:\Users\Admin\AppData\Local\Temp\051ed64c364b0b540b66df51ad7e7011_JaffaCakes118.exe | \??\c:\windows\kks\server.exe
PID 2100 wrote to memory of 2548 | N/A | \??\c:\windows\kks\server.exe | \??\c:\windows\kks\server.exe
PID 2100 wrote to memory of 2548 | N/A | \??\c:\windows\kks\server.exe | \??\c:\windows\kks\server.exe
PID 2100 wrote to memory of 2548 | N/A | \??\c:\windows\kks\server.exe | \??\c:\windows\kks\server.exe
PID 2100 wrote to memory of 2548 | N/A | \??\c:\windows\kks\server.exe | \??\c:\windows\kks\server.exe
PID 2100 wrote to memory of 2548 | N/A | \??\c:\windows\kks\server.exe | \??\c:\windows\kks\server.exe
PID 2100 wrote to memory of 2548 | N/A | \??\c:\windows\kks\server.exe | \??\c:\windows\kks\server.exe
PID 2100 wrote to memory of 2548 | N/A | \??\c:\windows\kks\server.exe | \??\c:\windows\kks\server.exe
PID 2548 wrote to memory of 2732 | N/A | \??\c:\windows\kks\server.exe | C:\Windows\SysWOW64\REO0.exe
PID 2548 wrote to memory of 2732 | N/A | \??\c:\windows\kks\server.exe | C:\Windows\SysWOW64\REO0.exe
PID 2548 wrote to memory of 2732 | N/A | \??\c:\windows\kks\server.exe | C:\Windows\SysWOW64\REO0.exe
PID 2548 wrote to memory of 2732 | N/A | \??\c:\windows\kks\server.exe | C:\Windows\SysWOW64\REO0.exe
PID 2548 wrote to memory of 2732 | N/A | \??\c:\windows\kks\server.exe | C:\Windows\SysWOW64\REO0.exe
PID 2548 wrote to memory of 2732 | N/A | \??\c:\windows\kks\server.exe | C:\Windows\SysWOW64\REO0.exe
PID 2548 wrote to memory of 2732 | N/A | \??\c:\windows\kks\server.exe | C:\Windows\SysWOW64\REO0.exe

Processes

C:\Users\Admin\AppData\Local\Temp\051ed64c364b0b540b66df51ad7e7011_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\051ed64c364b0b540b66df51ad7e7011_JaffaCakes118.exe"

\??\c:\windows\kks\server.exe

c:\windows\kks\server.exe

\??\c:\windows\kks\server.exe

c:\windows\kks\server.exe

C:\Windows\SysWOW64\REO0.exe

REO0 ADD HKEY_LOCAL_MACHINE\system\currentcontrolset\services\FastUserSwitchingCompatibility\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\system32\FastUserSwitchingCompatibilityapi.dll" /f

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs

Network

Country Destination Domain Proto
US 8.8.8.8:53 niceiscoolx.gicp.net udp
CN 117.92.144.154:82 niceiscoolx.gicp.net tcp

Files

\Windows\kks\Server.exe

MD5 305b20c5f19e50c11f3f0b99d49b2f4d
SHA1 650ccd70bbfb385cb81307b2f8e421968eabcf9c
SHA256 4696a3e134623c94a200f75ff2a6fd350d3a098fdea843e3226658d55e39e723
SHA512 3eaee4c8c64c282ddf0f01b91618078d1e433d31da4853d8f6396fcaa4195e6c512447c0330aaa7aba7b60f5666707a46b1f6dd56ca1e0fd4c6ba4b5c2d482c6

memory/2212-8-0x0000000000600000-0x0000000000629000-memory.dmp

memory/2100-12-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2100-17-0x00000000001C0000-0x00000000001E9000-memory.dmp

memory/2100-18-0x00000000001C0000-0x00000000001E9000-memory.dmp

\Windows\SysWOW64\REO0.exe

MD5 d69a9abbb0d795f21995c2f48c1eb560
SHA1 8bd131b03d6ba865b228ca8ee3239d2ef2b90b74
SHA256 36414c7e57afa6136d77fd47f4c55102e35f2475fbcd719728da7d14b1590e2a
SHA512 06421bb7a363e938ef7d15c44bce9c92004df957f64652d4288246b229bdd61a39997fda40c999e601c87054c3fe12c5fbef4f6b11420cd08b8a5fe84c9be5b8

\??\c:\windows\SysWOW64\fastuserswitchingcompatibilityapi.dll

MD5 1c699f7f8ce6d7962322eee963ce442a
SHA1 5c1ce35c07029af433f05425f0568d5b5cb3ec89
SHA256 b29e3185c109b8c59178ac7898bf3624f3e4123b32adf8cab87fe4041ab57dd6
SHA512 c7b08e05fe8ffdbaa23b6d6311702519a32d221aeca1d4c221b32808f33f1568d36050096d786541412ca9de16de475db9a489c3e266749bfefdc5439e00b5ca

memory/2528-36-0x0000000010000000-0x000000001001E000-memory.dmp

memory/2548-37-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2100-38-0x0000000000400000-0x0000000000429000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-23 03:49

Reported

2024-06-23 03:52

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\051ed64c364b0b540b66df51ad7e7011_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Server Software Component: Terminal Services DLL

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibilityapi.dll" | C:\Windows\SysWOW64\REO0.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibilityapi.dll" | C:\Windows\SysWOW64\svchost.exe | N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\kks\server.exe N/A
N/A N/A \??\c:\windows\kks\server.exe N/A
N/A N/A C:\Windows\SysWOW64\REO0.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\FastUserSwitchingCompatibilityapi.dll | \??\c:\windows\kks\server.exe | N/A
File created | C:\Windows\SysWOW64\REO0.exe | \??\c:\windows\kks\server.exe | N/A
File opened for modification | C:\Windows\SysWOW64\REO0.exe | \??\c:\windows\kks\server.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | \??\c:\windows\kks\kkk.zip | C:\Users\Admin\AppData\Local\Temp\051ed64c364b0b540b66df51ad7e7011_JaffaCakes118.exe | N/A
File opened for modification | \??\c:\windows\kks\Server.exe | C:\Users\Admin\AppData\Local\Temp\051ed64c364b0b540b66df51ad7e7011_JaffaCakes118.exe | N/A
File created | \??\c:\windows\kks\Server.exe | C:\Users\Admin\AppData\Local\Temp\051ed64c364b0b540b66df51ad7e7011_JaffaCakes118.exe | N/A
File created | \??\c:\windows\dkkk.ini | C:\Users\Admin\AppData\Local\Temp\051ed64c364b0b540b66df51ad7e7011_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\051ed64c364b0b540b66df51ad7e7011_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\051ed64c364b0b540b66df51ad7e7011_JaffaCakes118.exe"

\??\c:\windows\kks\server.exe

c:\windows\kks\server.exe

\??\c:\windows\kks\server.exe

c:\windows\kks\server.exe

C:\Windows\SysWOW64\REO0.exe

REO0 ADD HKEY_LOCAL_MACHINE\system\currentcontrolset\services\FastUserSwitchingCompatibility\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\system32\FastUserSwitchingCompatibilityapi.dll" /f

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s FastUserSwitchingCompatibility

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 niceiscoolx.gicp.net udp
CN 117.92.144.154:82 niceiscoolx.gicp.net tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

\??\c:\windows\kks\server.exe

MD5 305b20c5f19e50c11f3f0b99d49b2f4d
SHA1 650ccd70bbfb385cb81307b2f8e421968eabcf9c
SHA256 4696a3e134623c94a200f75ff2a6fd350d3a098fdea843e3226658d55e39e723
SHA512 3eaee4c8c64c282ddf0f01b91618078d1e433d31da4853d8f6396fcaa4195e6c512447c0330aaa7aba7b60f5666707a46b1f6dd56ca1e0fd4c6ba4b5c2d482c6

memory/4948-11-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3560-9-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Windows\SysWOW64\REO0.exe

MD5 cdd462e86ec0f20de2a1d781928b1b0c
SHA1 f24d851fe8024ce9804da6b540c588bc38a5bfaf
SHA256 224a746aee2957c3fca376f4457cfc044c1ec99e75756195b27cab396174e2db
SHA512 8f3a63615fcc9f3eea9ea2ef59e9ca33843159c0a3c7a259b84527debd6d464d54f531ffb61f0ee33065154b72cd6618594eb812e70c20c4f86997e70dd0aeec

\??\c:\windows\SysWOW64\fastuserswitchingcompatibilityapi.dll

MD5 1c699f7f8ce6d7962322eee963ce442a
SHA1 5c1ce35c07029af433f05425f0568d5b5cb3ec89
SHA256 b29e3185c109b8c59178ac7898bf3624f3e4123b32adf8cab87fe4041ab57dd6
SHA512 c7b08e05fe8ffdbaa23b6d6311702519a32d221aeca1d4c221b32808f33f1568d36050096d786541412ca9de16de475db9a489c3e266749bfefdc5439e00b5ca

memory/1452-20-0x0000000010000000-0x000000001001E000-memory.dmp

memory/4948-21-0x0000000000400000-0x0000000000429000-memory.dmp