Malware Analysis Report

2025-01-22 14:26

Sample ID: 240623-ew3aeatbpj
Target: 052daea066d845b830749b878c0dec81_JaffaCakes118
SHA256: 8542508623ae4ab5cae78fd053832a2c8696b6d1135f811436b79817ef467475
Tags: gh0strat, rat
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 8542508623ae4ab5cae78fd053832a2c8696b6d1135f811436b79817ef467475

Threat Level: Known bad

The file 052daea066d845b830749b878c0dec81_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

gh0strat rat

Gh0strat

Gh0st RAT payload

Loads dropped DLL

Drops file in Program Files directory

Unsigned PE

Suspicious behavior: LoadsDriver

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-23 04:18

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-23 04:18

Reported

2024-06-23 04:20

Platform

win7-20240611-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\052daea066d845b830749b878c0dec81_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A (5 identical rows)

Gh0strat

rat gh0strat

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Bwxy\Gwxyabcde.gif C:\Users\Admin\AppData\Local\Temp\052daea066d845b830749b878c0dec81_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Bwxy\Gwxyabcde.gif C:\Users\Admin\AppData\Local\Temp\052daea066d845b830749b878c0dec81_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A (64 identical rows)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\052daea066d845b830749b878c0dec81_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\052daea066d845b830749b878c0dec81_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\052daea066d845b830749b878c0dec81_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k imgsvc

Network

Country Destination Domain Proto
US 8.8.8.8:53 ws241746787.3322.org udp

Files

memory/1916-0-0x0000000000400000-0x0000000000756000-memory.dmp

memory/1916-2-0x0000000000400000-0x0000000000756000-memory.dmp

\Users\temp2.gif

MD5 0bad62ca207558293400bcff1e7efc15
SHA1 410592579ebc959e5a501e33703a7b60151f2013
SHA256 d00408a6cebc940106c3ecf8c3b72b2556de37dfa3e93e877438adf78e577c82
SHA512 26dee384227d279cda66ab650973bfd6f3f51cd2fbec5385b73e461f01f1292465fb7e7fac6e069864f1177c754cbecf9ac267502eefba1cb91b2c5de623f1fb

C:\Program Files (x86)\Bwxy\Gwxyabcde.gif

MD5 dca2141d590fde8ddfc866bd16639947
SHA1 70eb4097d481e1d62959e80aefb3390e763d97d4
SHA256 c6c5900648ace58958a5c8f61a78e5c0e372cf65f8111a88378b5f8f4dd9f400
SHA512 35af9fb2c9bb11ed6751d6efa4baff690d4286c6c77bb50ab74d6d0e134fc6aeb2a9d0d846ef9dc3cbb90d788772155ad4e853783b00a610853c43d2c4ea3a45

\??\c:\program files (x86)\bwxy\gwxyabcde.gif

MD5 4f493de5d5cb0612453a3cec5a40b7b1
SHA1 b6b4f5099fb40fd9b00a323979226bd9b224768a
SHA256 66cf6ad2cdc3f10e13a68b8604364c3303eac8dd75528986349af5a0daa26ebb
SHA512 7b32b142c5403e7d143eaaf5bd386750cb6bd6be1b97266a92cdad4e6eaf2e0886ac4707a43d998268605ba908e8b4faef2067952cbc2c410043b2d8c55fed3c

memory/1916-13-0x0000000000400000-0x0000000000756000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-23 04:18

Reported

2024-06-23 04:20

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\052daea066d845b830749b878c0dec81_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A (4 identical rows)

Gh0strat

rat gh0strat

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Bwxy\Gwxyabcde.gif C:\Users\Admin\AppData\Local\Temp\052daea066d845b830749b878c0dec81_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Bwxy\Gwxyabcde.gif C:\Users\Admin\AppData\Local\Temp\052daea066d845b830749b878c0dec81_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A (64 identical rows)

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A (6 identical rows)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\052daea066d845b830749b878c0dec81_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\052daea066d845b830749b878c0dec81_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\052daea066d845b830749b878c0dec81_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k imgsvc

Network

Country Destination Domain Proto
US 8.8.8.8:53 ws241746787.3322.org udp (3 identical rows)

Files

memory/3288-0-0x0000000000400000-0x0000000000756000-memory.dmp

memory/3288-2-0x0000000000400000-0x0000000000756000-memory.dmp

C:\Users\temp2.gif

MD5 0bad62ca207558293400bcff1e7efc15
SHA1 410592579ebc959e5a501e33703a7b60151f2013
SHA256 d00408a6cebc940106c3ecf8c3b72b2556de37dfa3e93e877438adf78e577c82
SHA512 26dee384227d279cda66ab650973bfd6f3f51cd2fbec5385b73e461f01f1292465fb7e7fac6e069864f1177c754cbecf9ac267502eefba1cb91b2c5de623f1fb

\??\c:\program files (x86)\bwxy\gwxyabcde.gif

MD5 a9cd68cd2e53d1c7357d38ec78ce8e1d
SHA1 bebf68f9d326f40e197201a528b8453620dd97f6
SHA256 f333439a3795f6d55ea1a56644baedcee870b756567b407f0f17c0b40ad84fa2
SHA512 49dabc2484845a039ac812f62479a2cd8df2d2b5b367d7ff02725c1fad3f4bb08b0cc101c182b8370f4bab7740f46c07219eb04d165bb1870d760e09cb657572

memory/3288-15-0x0000000000400000-0x0000000000756000-memory.dmp