Analysis Overview
SHA256
8542508623ae4ab5cae78fd053832a2c8696b6d1135f811436b79817ef467475
Threat Level: Known bad
The file 052daea066d845b830749b878c0dec81_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Gh0strat
Gh0st RAT payload
Loads dropped DLL
Drops file in Program Files directory
Unsigned PE
Suspicious behavior: LoadsDriver
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-23 04:18
Signatures
Unsigned PE
1 match recorded; the report captured no description, indicator, process or target for it.
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-23 04:18
Reported
2024-06-23 04:20
Platform
win7-20240611-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Gh0st RAT payload
5 matches recorded; the report captured no description, indicator, process or target for them.
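The "Gh0st RAT payload" signature identifies the implant family; what an analyst usually needs next is a way to recognise its traffic. The following is an added example, not code from this report and not Gh0st's own source. It assumes the classic Gh0st wire format: a 5-byte flag (the string "Gh0st" in the original code; many forks substitute their own), a little-endian uint32 total packet length, a little-endian uint32 uncompressed length, then a zlib-compressed body. Every packet and the byte stream in the block are constructed here; the `MAX_PACKET` bound and the placeholder body are choices made for the example.

```python
"""Gh0st RAT C2 framing: build and parse the classic 13-byte header + zlib body.

Added example; not code from the sandbox report and not Gh0st's own source.
Assumes the classic Gh0st wire format (5-byte flag, "Gh0st" in the original
code and different in many forks; little-endian uint32 total length;
little-endian uint32 uncompressed length; zlib-compressed body). The packets
and the byte stream below are constructed here.
"""
import struct
import zlib
from typing import Iterator, Optional, Tuple

HEADER_FMT = "<5sII"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 13 bytes
DEFAULT_FLAG = b"Gh0st"
MAX_PACKET = 1 << 24  # sanity bound for scanning untrusted streams (chosen here)


def build_packet(body: bytes, flag: bytes = DEFAULT_FLAG) -> bytes:
    """Frame a plaintext body the way the classic client/server does."""
    if len(flag) != 5:
        raise ValueError("flag must be exactly 5 bytes")
    compressed = zlib.compress(body)
    total = HEADER_LEN + len(compressed)
    return struct.pack(HEADER_FMT, flag, total, len(body)) + compressed


def parse_packet(data: bytes, flag: bytes = DEFAULT_FLAG) -> Optional[bytes]:
    """Return the decompressed body if data is exactly one well-formed packet, else None."""
    if len(data) < HEADER_LEN:
        return None
    got_flag, total, orig_len = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if got_flag != flag or total != len(data):
        return None
    try:
        body = zlib.decompress(data[HEADER_LEN:])
    except zlib.error:
        return None
    # The length field must agree with what actually inflated.
    return body if len(body) == orig_len else None


def find_packets(stream: bytes, flag: bytes = DEFAULT_FLAG) -> Iterator[Tuple[int, bytes]]:
    """Scan a raw byte stream (e.g. a reassembled TCP session) for framed packets.

    Yields (offset, body). A candidate header is accepted only if its length
    field is plausible and the body inflates to the advertised size, so a stray
    flag inside junk does not produce a hit.
    """
    pos = 0
    while True:
        pos = stream.find(flag, pos)
        if pos < 0:
            return
        if pos + HEADER_LEN <= len(stream):
            _, total, _ = struct.unpack_from(HEADER_FMT, stream, pos)
            if HEADER_LEN < total <= MAX_PACKET and pos + total <= len(stream):
                body = parse_packet(stream[pos:pos + total], flag)
                if body is not None:
                    yield pos, body
                    pos += total
                    continue
        pos += 1


# Constructed sample: the first byte stands in for the command token the classic
# protocol puts at the start of the body; its value here is an arbitrary placeholder.
SAMPLE_BODY = b"\x01WIN7-VM|Admin|constructed check-in, not real C2 data"
SAMPLE_PACKET = build_packet(SAMPLE_BODY)
# Junk before the packet, then a bare flag with an absurd length field, then a second packet.
SAMPLE_STREAM = (
    b"\x00junk"
    + SAMPLE_PACKET
    + b"Gh0st\xff\xff\xff\xff\x00\x00\x00\x00tail"
    + build_packet(b"second")
)

if __name__ == "__main__":
    for offset, body in find_packets(SAMPLE_STREAM):
        print(offset, body)
```

Variants that keep the header layout but change the five-byte flag can be handled by passing their flag to `find_packets`; variants that also change the compression or add a cipher layer need a different parser, so treat a miss from this scanner as "not classic Gh0st framing" rather than "not Gh0st".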
Gh0strat
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\052daea066d845b830749b878c0dec81_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Bwxy\Gwxyabcde.gif | C:\Users\Admin\AppData\Local\Temp\052daea066d845b830749b878c0dec81_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Bwxy\Gwxyabcde.gif | C:\Users\Admin\AppData\Local\Temp\052daea066d845b830749b878c0dec81_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\052daea066d845b830749b878c0dec81_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\052daea066d845b830749b878c0dec81_JaffaCakes118.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\052daea066d845b830749b878c0dec81_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\052daea066d845b830749b878c0dec81_JaffaCakes118.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\052daea066d845b830749b878c0dec81_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\052daea066d845b830749b878c0dec81_JaffaCakes118.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\052daea066d845b830749b878c0dec81_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\052daea066d845b830749b878c0dec81_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\052daea066d845b830749b878c0dec81_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\052daea066d845b830749b878c0dec81_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\052daea066d845b830749b878c0dec81_JaffaCakes118.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ws241746787.3322.org | udp |
Files
memory/1916-0-0x0000000000400000-0x0000000000756000-memory.dmp
memory/1916-2-0x0000000000400000-0x0000000000756000-memory.dmp
\Users\temp2.gif
| MD5 | 0bad62ca207558293400bcff1e7efc15 |
| SHA1 | 410592579ebc959e5a501e33703a7b60151f2013 |
| SHA256 | d00408a6cebc940106c3ecf8c3b72b2556de37dfa3e93e877438adf78e577c82 |
| SHA512 | 26dee384227d279cda66ab650973bfd6f3f51cd2fbec5385b73e461f01f1292465fb7e7fac6e069864f1177c754cbecf9ac267502eefba1cb91b2c5de623f1fb |
C:\Program Files (x86)\Bwxy\Gwxyabcde.gif
| MD5 | dca2141d590fde8ddfc866bd16639947 |
| SHA1 | 70eb4097d481e1d62959e80aefb3390e763d97d4 |
| SHA256 | c6c5900648ace58958a5c8f61a78e5c0e372cf65f8111a88378b5f8f4dd9f400 |
| SHA512 | 35af9fb2c9bb11ed6751d6efa4baff690d4286c6c77bb50ab74d6d0e134fc6aeb2a9d0d846ef9dc3cbb90d788772155ad4e853783b00a610853c43d2c4ea3a45 |
\??\c:\program files (x86)\bwxy\gwxyabcde.gif
| MD5 | 4f493de5d5cb0612453a3cec5a40b7b1 |
| SHA1 | b6b4f5099fb40fd9b00a323979226bd9b224768a |
| SHA256 | 66cf6ad2cdc3f10e13a68b8604364c3303eac8dd75528986349af5a0daa26ebb |
| SHA512 | 7b32b142c5403e7d143eaaf5bd386750cb6bd6be1b97266a92cdad4e6eaf2e0886ac4707a43d998268605ba908e8b4faef2067952cbc2c410043b2d8c55fed3c |
memory/1916-13-0x0000000000400000-0x0000000000756000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-23 04:18
Reported
2024-06-23 04:20
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Gh0st RAT payload
4 matches recorded; the report captured no description, indicator, process or target for them.
Gh0strat
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\052daea066d845b830749b878c0dec81_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Bwxy\Gwxyabcde.gif | C:\Users\Admin\AppData\Local\Temp\052daea066d845b830749b878c0dec81_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Bwxy\Gwxyabcde.gif | C:\Users\Admin\AppData\Local\Temp\052daea066d845b830749b878c0dec81_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
6 matches recorded; the report captured no description, indicator, process or target for them.
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\052daea066d845b830749b878c0dec81_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\052daea066d845b830749b878c0dec81_JaffaCakes118.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\052daea066d845b830749b878c0dec81_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\052daea066d845b830749b878c0dec81_JaffaCakes118.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\052daea066d845b830749b878c0dec81_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\052daea066d845b830749b878c0dec81_JaffaCakes118.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\052daea066d845b830749b878c0dec81_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\052daea066d845b830749b878c0dec81_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\052daea066d845b830749b878c0dec81_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\052daea066d845b830749b878c0dec81_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\052daea066d845b830749b878c0dec81_JaffaCakes118.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ws241746787.3322.org | udp |
| US | 8.8.8.8:53 | ws241746787.3322.org | udp |
| US | 8.8.8.8:53 | ws241746787.3322.org | udp |
Files
memory/3288-0-0x0000000000400000-0x0000000000756000-memory.dmp
memory/3288-2-0x0000000000400000-0x0000000000756000-memory.dmp
C:\Users\temp2.gif
| MD5 | 0bad62ca207558293400bcff1e7efc15 |
| SHA1 | 410592579ebc959e5a501e33703a7b60151f2013 |
| SHA256 | d00408a6cebc940106c3ecf8c3b72b2556de37dfa3e93e877438adf78e577c82 |
| SHA512 | 26dee384227d279cda66ab650973bfd6f3f51cd2fbec5385b73e461f01f1292465fb7e7fac6e069864f1177c754cbecf9ac267502eefba1cb91b2c5de623f1fb |
\??\c:\program files (x86)\bwxy\gwxyabcde.gif
| MD5 | a9cd68cd2e53d1c7357d38ec78ce8e1d |
| SHA1 | bebf68f9d326f40e197201a528b8453620dd97f6 |
| SHA256 | f333439a3795f6d55ea1a56644baedcee870b756567b407f0f17c0b40ad84fa2 |
| SHA512 | 49dabc2484845a039ac812f62479a2cd8df2d2b5b367d7ff02725c1fad3f4bb08b0cc101c182b8370f4bab7740f46c07219eb04d165bb1870d760e09cb657572 |
memory/3288-15-0x0000000000400000-0x0000000000756000-memory.dmp