Malware Analysis Report

2025-01-22 14:26

Sample ID 240623-g7pvkasepf
Target 055f83ec11264f2712afd95099d379e9_JaffaCakes118
SHA256 1ed0ef620ee4be8ec1e3b2116eaff5362a60958e1a50e0243e17bacab854b275
Tags
gh0strat bootkit persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1ed0ef620ee4be8ec1e3b2116eaff5362a60958e1a50e0243e17bacab854b275

Threat Level: Known bad

The file 055f83ec11264f2712afd95099d379e9_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

gh0strat bootkit persistence rat

Gh0st RAT payload

Gh0strat

Executes dropped EXE

Loads dropped DLL

Deletes itself

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Unsigned PE

Program crash

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-23 06:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-23 06:26

Reported

2024-06-23 06:29

Platform

win7-20240611-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\055f83ec11264f2712afd95099d379e9_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Deletes itself

Description Indicator Process Target
N/A N/A \??\c:\users\admin\appdata\local\fbmbmtofor N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\users\admin\appdata\local\fbmbmtofor N/A

Writes to the Master Boot Record (MBR)

bootkit persistence

Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\scjotdcqah C:\Windows\SysWOW64\svchost.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\svchost.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\users\admin\appdata\local\fbmbmtofor N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A \??\c:\users\admin\appdata\local\fbmbmtofor N/A
Token: SeBackupPrivilege N/A \??\c:\users\admin\appdata\local\fbmbmtofor N/A
Token: SeBackupPrivilege N/A \??\c:\users\admin\appdata\local\fbmbmtofor N/A
Token: SeRestorePrivilege N/A \??\c:\users\admin\appdata\local\fbmbmtofor N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\055f83ec11264f2712afd95099d379e9_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\055f83ec11264f2712afd95099d379e9_JaffaCakes118.exe"

\??\c:\users\admin\appdata\local\fbmbmtofor

"C:\Users\Admin\AppData\Local\Temp\055f83ec11264f2712afd95099d379e9_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\055f83ec11264f2712afd95099d379e9_jaffacakes118.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs

Network

Country Destination Domain Proto
US 8.8.8.8:53 bibo9.8800.org udp
US 8.8.8.8:53 conf.f.360.cn udp
IT 93.46.8.90:889 bibo9.8800.org tcp
US 8.8.8.8:53 bibo9.8800.org udp
DE 46.82.174.69:889 bibo9.8800.org tcp

Files

memory/2024-0-0x0000000000400000-0x000000000044E31C-memory.dmp

memory/2024-2-0x0000000000230000-0x000000000027F000-memory.dmp

memory/2024-3-0x0000000000230000-0x000000000027F000-memory.dmp

\Users\Admin\AppData\Local\fbmbmtofor

MD5 6a74321db18d1458a81abf4742393e1d
SHA1 17a2c49adadd7301abb251d59799bf72e59dcf17
SHA256 523e7ef7c6ecc907babfbaf28d12354be03456ddd40509dc95d126d81ce8b0ab
SHA512 6c31dcd357e5a4acd3319d385bf7785ab2fc3894e7fcc9e65fc1a3b80b4b5b391b9b751843aa83af06d1b5eed1e9f342afa382d6be6163ece1e0aa4c4b68e360

memory/2024-7-0x00000000002D0000-0x000000000031F000-memory.dmp

memory/2900-14-0x0000000000400000-0x000000000044E31C-memory.dmp

memory/2024-12-0x0000000000400000-0x000000000044E31C-memory.dmp

\??\c:\programdata\application data\storm\update\%sessionname%\ipkwe.cc3

MD5 cd0b3dd162af1d6e0cacf34212fb0e38
SHA1 01dcba19a1da21d1cac59ebced6252f0c1f62e70
SHA256 6af195103b48bc7a864eacd7b8c95b24740b2d45ddb94c4fcf93abd413c339f2
SHA512 f98aeb3df13942aae12df55acdccf8cdf2fc30d3913912c03b9c935791a9a5d19f710566c6ac929d2d61a07fb6d1e187b7b8e042c19a9fc2c4338487629eb68b

memory/2900-21-0x0000000000400000-0x000000000044E31C-memory.dmp

memory/2412-22-0x00000000000C0000-0x00000000000C1000-memory.dmp

memory/2412-23-0x0000000020000000-0x0000000020027000-memory.dmp

memory/2412-25-0x0000000020000000-0x0000000020027000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-23 06:26

Reported

2024-06-23 06:29

Platform

win10v2004-20240508-en

Max time kernel

52s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\055f83ec11264f2712afd95099d379e9_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Deletes itself

Description Indicator Process Target
N/A N/A \??\c:\users\admin\appdata\local\fohnepjmxs N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\users\admin\appdata\local\fohnepjmxs N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\sbytrmjkns C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\svchost.exe.txt C:\Windows\SysWOW64\svchost.exe N/A
File created C:\Windows\SysWOW64\sbytrmjkns C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\svchost.exe.txt C:\Windows\SysWOW64\svchost.exe N/A
File created C:\Windows\SysWOW64\sknnapmhbo C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\svchost.exe.txt C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\users\admin\appdata\local\fohnepjmxs N/A
N/A N/A \??\c:\users\admin\appdata\local\fohnepjmxs N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A \??\c:\users\admin\appdata\local\fohnepjmxs N/A
Token: SeBackupPrivilege N/A \??\c:\users\admin\appdata\local\fohnepjmxs N/A
Token: SeBackupPrivilege N/A \??\c:\users\admin\appdata\local\fohnepjmxs N/A
Token: SeRestorePrivilege N/A \??\c:\users\admin\appdata\local\fohnepjmxs N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\055f83ec11264f2712afd95099d379e9_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\055f83ec11264f2712afd95099d379e9_JaffaCakes118.exe"

\??\c:\users\admin\appdata\local\fohnepjmxs

"C:\Users\Admin\AppData\Local\Temp\055f83ec11264f2712afd95099d379e9_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\055f83ec11264f2712afd95099d379e9_jaffacakes118.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1228 -ip 1228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 824

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3116 -ip 3116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 888

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3876 -ip 3876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 936

Network

Country Destination Domain Proto
US 8.8.8.8:53 conf.f.360.cn udp

Files

memory/4468-1-0x0000000000400000-0x000000000044E31C-memory.dmp

memory/4468-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

C:\Users\Admin\AppData\Local\fohnepjmxs

MD5 af91fa45fdec58c857bf2da04ef783f7
SHA1 768c707acee95c9b612d4b91138d264c8c717593
SHA256 c5a58123aca16d2cfa0aeacd3ca3375e643982d60e94122f40b5d2bde9266ac2
SHA512 10c84697f70047e3ab9861ff957b7fdfb0dfc20741fdc1030a821bbad2628e6caf254f8e9bcc27bb411980dcb65a389ccb03aca648e3194349cf2d0ef35b6c6a

memory/4468-9-0x0000000000400000-0x000000000044E31C-memory.dmp

memory/5084-10-0x0000000000400000-0x000000000044E31C-memory.dmp

memory/5084-12-0x00000000001E0000-0x00000000001E1000-memory.dmp

\??\c:\programdata\application data\storm\update\%sessionname%\jwbcw.cc3

MD5 ec597a68efc1fbd486261caf065e08d6
SHA1 2501eb3debb8db74587fd3df682894ed214873dc
SHA256 614da54d8f01fb8ae2eb0d2a5eaf76dd997952252477d9c57e414f7ecdc13091
SHA512 9034b8914862705bf53f2ac15d772dd69f44bbad393194fbdd8f5ec5d0fd0ce080e2141070b2819189cb2d4576f28f8d586e64455cccb3289959b4233250b875

memory/5084-17-0x0000000000400000-0x000000000044E31C-memory.dmp

memory/1228-18-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

memory/1228-20-0x0000000020000000-0x0000000020027000-memory.dmp

memory/3116-22-0x00000000019E0000-0x00000000019E1000-memory.dmp

C:\Windows\SysWOW64\svchost.exe.txt

MD5 29f3f2375ef77143c7949c00b97b79cf
SHA1 16b3f9149d8b11fea76ff44c31f9fa6877ff915f
SHA256 9e9179a5cb0f3d78f567167f7b3d12bd07a536bc08ffaf2b9a0f51092773b4d3
SHA512 f184885517e2c09b85a0b651fe48815559d23622a610397096599ca9526d49f4d6f6a62a5f34a0c4a0acd68701b303f977a450a9789141de20209f65b23f541d

memory/3116-25-0x0000000020000000-0x0000000020027000-memory.dmp

memory/3876-27-0x00000000011D0000-0x00000000011D1000-memory.dmp

C:\Windows\SysWOW64\svchost.exe.txt

MD5 64b2b1f3d37991f054d7cdafce74c039
SHA1 c5d6e9a85138fa9069be4b4de763372562b0dd02
SHA256 edddb2cb6adcb907da8e308701618b09701e23257b353e3dca2b3984fd927aea
SHA512 a1aaf19e1f60488b1c78aedd2e0280090a3f29a6b73d0ae29ad602bdfe5b2ab344e116e2c89439e205ac1b420de862bc06f2bf8dd2e85de4bf3af25d20df0719

memory/3876-30-0x0000000020000000-0x0000000020027000-memory.dmp