Malware Analysis Report

2025-01-22 14:26

Sample ID 240623-eekc9syfrg
Target 051fadfc40f7fe8e365bf3eb694e8b02_JaffaCakes118
SHA256 12f29fe2dbd97fe488787f4a7c76cccd7094c449b3b22bd8636c0180400432e1
Tags
gh0strat bootkit persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

12f29fe2dbd97fe488787f4a7c76cccd7094c449b3b22bd8636c0180400432e1

Threat Level: Known bad

The file 051fadfc40f7fe8e365bf3eb694e8b02_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

gh0strat bootkit persistence rat

Gh0strat

Gh0st RAT payload

Deletes itself

Executes dropped EXE

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-23 03:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-23 03:51

Reported

2024-06-23 03:53

Platform

win7-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\051fadfc40f7fe8e365bf3eb694e8b02_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Gh0strat

rat gh0strat

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | \??\c:\users\admin\appdata\local\gdikkpcexe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\users\admin\appdata\local\gdikkpcexe | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence

Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\svchost.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\tlehvejoqv | C:\Windows\SysWOW64\svchost.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\svchost.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7" | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum | C:\Windows\SysWOW64\svchost.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | \??\c:\users\admin\appdata\local\gdikkpcexe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | \??\c:\users\admin\appdata\local\gdikkpcexe | N/A
Token: SeBackupPrivilege | N/A | \??\c:\users\admin\appdata\local\gdikkpcexe | N/A
Token: SeBackupPrivilege | N/A | \??\c:\users\admin\appdata\local\gdikkpcexe | N/A
Token: SeRestorePrivilege | N/A | \??\c:\users\admin\appdata\local\gdikkpcexe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\051fadfc40f7fe8e365bf3eb694e8b02_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\051fadfc40f7fe8e365bf3eb694e8b02_JaffaCakes118.exe"

\??\c:\users\admin\appdata\local\gdikkpcexe

"C:\Users\Admin\AppData\Local\Temp\051fadfc40f7fe8e365bf3eb694e8b02_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\051fadfc40f7fe8e365bf3eb694e8b02_jaffacakes118.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | bibo9.8800.org | udp
US | 8.8.8.8:53 | conf.f.360.cn | udp
US | 8.8.8.8:53 | www.baidu.com | udp
US | 8.8.8.8:53 | qup.f.360.cn | udp
US | 8.8.8.8:53 | www.163.com | udp
US | 8.8.8.8:53 | u.qurl.f.360.cn | udp
US | 8.8.8.8:53 | qurl.f.360.cn | udp
US | 8.8.8.8:53 | qurl.qh-lb.com | udp
US | 8.8.8.8:53 | qup.qh-lb.com | udp
US | 8.8.8.8:53 | sdup.360.cn | udp
US | 8.8.8.8:53 | sdup.qh-lb.com | udp
US | 8.8.8.8:53 | sdupm.360.cn | udp
US | 8.8.8.8:53 | sdup.qh-lb.com | udp
US | 8.8.8.8:53 |  | udp

Files

memory/848-1-0x0000000000400000-0x000000000044E344-memory.dmp

memory/848-2-0x0000000000030000-0x0000000000031000-memory.dmp

\Users\Admin\AppData\Local\gdikkpcexe

MD5 e5bd3428077ac4e437e68c5647a0afec
SHA1 fec001d13ee63cf048a93c2f773abac2461d2ebd
SHA256 810beba06a0537ab0e48f7bc632205e2634e03c4121c0b22fd3584e01344a608
SHA512 8a0181379559c3a0cfd32fe39e7fa5044faafffdff831bba26383d35b73e0756f43c6dee68334f412d77ff8c120ea0f26e73355c1a8d080e2fc90ce5a5741ce0

memory/848-6-0x0000000000280000-0x00000000002CF000-memory.dmp

memory/1716-17-0x0000000000030000-0x0000000000031000-memory.dmp

memory/1716-16-0x0000000000400000-0x000000000044E344-memory.dmp

memory/848-13-0x0000000000400000-0x000000000044E344-memory.dmp

\??\c:\programdata\application data\storm\update\%sessionname%\mmwci.cc3

MD5 93d18f6d4183784d82028c1ad38a4696
SHA1 be25f5808377823f1cd772c903bd64befc398deb
SHA256 6bc07523935d1676d00833a04d77295c4e34bed058d1a32800d94725be22fe11
SHA512 c17b2803d7fbd5a37a351c6947fc36e317588ab420462ec0ef367d34d4e81a6fb5d3a590cfe457de08b3bf08d23dc3a742bb6d02bf0d9227b69537d60e0fae22

memory/1716-22-0x0000000000400000-0x000000000044E344-memory.dmp

memory/2328-23-0x0000000000240000-0x0000000000241000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-23 03:51

Reported

2024-06-23 03:53

Platform

win10v2004-20240226-en

Max time kernel

137s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\051fadfc40f7fe8e365bf3eb694e8b02_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Gh0strat

rat gh0strat

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | \??\c:\users\admin\appdata\local\byrintwytx | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\users\admin\appdata\local\byrintwytx | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\tquqsesifd | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | C:\Windows\SysWOW64\svchost.exe | N/A
File created | C:\Windows\SysWOW64\tyjkbhvgsy | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | C:\Windows\SysWOW64\svchost.exe | N/A
File created | C:\Windows\SysWOW64\tyapaqdygk | C:\Windows\SysWOW64\svchost.exe | N/A
File created | C:\Windows\SysWOW64\tpcbpwiuga | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | C:\Windows\SysWOW64\svchost.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | \??\c:\users\admin\appdata\local\byrintwytx | N/A
N/A | N/A | \??\c:\users\admin\appdata\local\byrintwytx | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | \??\c:\users\admin\appdata\local\byrintwytx | N/A
Token: SeBackupPrivilege | N/A | \??\c:\users\admin\appdata\local\byrintwytx | N/A
Token: SeBackupPrivilege | N/A | \??\c:\users\admin\appdata\local\byrintwytx | N/A
Token: SeRestorePrivilege | N/A | \??\c:\users\admin\appdata\local\byrintwytx | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\051fadfc40f7fe8e365bf3eb694e8b02_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\051fadfc40f7fe8e365bf3eb694e8b02_JaffaCakes118.exe"

\??\c:\users\admin\appdata\local\byrintwytx

"C:\Users\Admin\AppData\Local\Temp\051fadfc40f7fe8e365bf3eb694e8b02_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\051fadfc40f7fe8e365bf3eb694e8b02_jaffacakes118.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2728 -ip 2728

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 1100

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4436 -ip 4436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 1104

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4092 -ip 4092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 1060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3180 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | conf.f.360.cn | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | conf.f.360.cn | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.173.189.20.in-addr.arpa | udp

Files

memory/1504-0-0x0000000000400000-0x000000000044E344-memory.dmp

memory/1504-1-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/1504-4-0x0000000000400000-0x000000000044E344-memory.dmp

C:\Users\Admin\AppData\Local\byrintwytx

MD5 62dce4976e728323007b289c3eee51f4
SHA1 3bca65fd0de140d03ca268efa13d0b4fd4903bb6
SHA256 a964e1a8ad5cc7808f62c3d1b4eccb6091d1799f4aa047a65b30022869ac2541
SHA512 b848287e2e126eac329a7a396293f7060f011439477f8b9ffa26c0b603198c34aa6f89344e68ad1e72274a0fec6c3b5d89e2dda47a4302edb59c0da2649e8497

memory/3708-7-0x0000000000400000-0x000000000044E344-memory.dmp

memory/3708-10-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/3708-14-0x0000000000400000-0x000000000044E344-memory.dmp

C:\ProgramData\Storm\update\%SESSIONNAME%\soduj.cc3

MD5 ef89a8450a695d88f1dcd753f672b8fd
SHA1 8307f9074eb31fa090d83989fb128f478d8f6ada
SHA256 740cfa68cd7d834834293404cba2bd5ac52300ac3a489af432aa2ad9803fe303
SHA512 17909c1b58d2347a0d90178d300492a38cf3e8ddc87ea782b4d509924ab21b24856578786029eb42803ea0f8adb3b7038aacc31affde34f730d373e1704aa1ed

memory/2728-18-0x00000000019F0000-0x00000000019F1000-memory.dmp

memory/2728-20-0x0000000020000000-0x0000000020027000-memory.dmp

memory/4436-22-0x0000000001E80000-0x0000000001E81000-memory.dmp

C:\Windows\SysWOW64\svchost.exe.txt

MD5 82ef4f42a3099ce8a56943a92a41d3e9
SHA1 19ebc7aea4461bb2f3c0d951295ec18f38e5fd55
SHA256 34f094927298d48587c55b5fd259327058fb38c0231304c817b75ee543f47508
SHA512 1809a6592a280add0cb06c41c9e4ce0a7d34934cccaa153ee6b29593ef65580365a45abfdcdd4e9136514a7976eac98c5d3a4551cba5590f8bfd928a8234b067

memory/4436-25-0x0000000020000000-0x0000000020027000-memory.dmp

memory/4092-27-0x0000000001DF0000-0x0000000001DF1000-memory.dmp

C:\Windows\SysWOW64\svchost.exe.txt

MD5 6f9d7c4ca63d11fb8f1b32b893c6ed29
SHA1 0f708c1926df23c782bf636f061388bd7df1d70b
SHA256 ea1976aad4b19f624ccc06f8d69d112e0386e705af32461ae7b364cd4ff0c435
SHA512 1bf19ee1b57dcbc97e4e770deb7a1b9e1efa7a370932a7805a4e35202bd309370b4ca631b6368c25b6a042b5b7eaf32522e03f8aa8e81b015c5e90ab4e908f87

memory/4092-30-0x0000000020000000-0x0000000020027000-memory.dmp