Malware Analysis Report

2025-01-22 14:27

Sample ID 240623-jhttbsvaph
Target 0593e00be212420c89a4fdd97e99ccd2_JaffaCakes118
SHA256 26f5aaff00edcb6eb48cf5d8b0a559859ff18eb2da69524b291a428be3b3b0db
Tags gh0strat bootkit persistence rat
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 26f5aaff00edcb6eb48cf5d8b0a559859ff18eb2da69524b291a428be3b3b0db

Threat Level: Known bad

The file 0593e00be212420c89a4fdd97e99ccd2_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

gh0strat bootkit persistence rat

Gh0strat

Gh0st RAT payload

Deletes itself

Executes dropped EXE

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Program crash

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-23 07:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-23 07:40

Reported

2024-06-23 07:43

Platform

win7-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0593e00be212420c89a4fdd97e99ccd2_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Gh0strat

rat gh0strat

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | \??\c:\users\admin\appdata\local\gmhnlpcbeq | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\users\admin\appdata\local\gmhnlpcbeq | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence

Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\svchost.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\epumuioeft | C:\Windows\SysWOW64\svchost.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\svchost.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7" | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | C:\Windows\SysWOW64\svchost.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | \??\c:\users\admin\appdata\local\gmhnlpcbeq | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | \??\c:\users\admin\appdata\local\gmhnlpcbeq | N/A
Token: SeBackupPrivilege | N/A | \??\c:\users\admin\appdata\local\gmhnlpcbeq | N/A
Token: SeBackupPrivilege | N/A | \??\c:\users\admin\appdata\local\gmhnlpcbeq | N/A
Token: SeRestorePrivilege | N/A | \??\c:\users\admin\appdata\local\gmhnlpcbeq | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0593e00be212420c89a4fdd97e99ccd2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0593e00be212420c89a4fdd97e99ccd2_JaffaCakes118.exe"

\??\c:\users\admin\appdata\local\gmhnlpcbeq

"C:\Users\Admin\AppData\Local\Temp\0593e00be212420c89a4fdd97e99ccd2_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\0593e00be212420c89a4fdd97e99ccd2_jaffacakes118.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | bibo9.8800.org | udp
US | 8.8.8.8:53 | conf.f.360.cn | udp
US | 8.8.8.8:53 | www.baidu.com | udp
US | 8.8.8.8:53 | qup.f.360.cn | udp
US | 8.8.8.8:53 | www.163.com | udp
US | 8.8.8.8:53 | u.qurl.f.360.cn | udp
US | 8.8.8.8:53 | qurl.f.360.cn | udp
US | 8.8.8.8:53 | qurl.qh-lb.com | udp
US | 8.8.8.8:53 | qup.qh-lb.com | udp
US | 8.8.8.8:53 | sdup.360.cn | udp
US | 8.8.8.8:53 | sdup.qh-lb.com | udp
US | 8.8.8.8:53 | sdupm.360.cn | udp
US | 8.8.8.8:53 | sdup.qh-lb.com | udp
US | 8.8.8.8:53 | qd.code.360.cn | udp

Files

memory/1616-2-0x0000000000030000-0x0000000000031000-memory.dmp

memory/1616-1-0x0000000000400000-0x000000000044E308-memory.dmp

\Users\Admin\AppData\Local\gmhnlpcbeq

MD5 6cb674e60061ae9d15d0d8a2565b14d0
SHA1 a764e86160952859e637588b45ec66038faa8b71
SHA256 b8f6f25e605c1cafc4224f6948702aaf78e819a802009e4483cf809644b508f3
SHA512 5fc8929598b968305db17b5dd702b7397027a79ac0744673a0686fd5c2aac17e58939b95409966d1869d2228ae22d58a9afc36bd70a2a6141f2730af8ecc1434

memory/1616-7-0x00000000003B0000-0x00000000003FF000-memory.dmp

memory/2972-17-0x0000000000030000-0x0000000000031000-memory.dmp

memory/2972-16-0x0000000000400000-0x000000000044E308-memory.dmp

memory/1616-15-0x0000000000400000-0x000000000044E308-memory.dmp

\??\c:\programdata\application data\storm\update\%sessionname%\wjxiu.cc3

MD5 4deae3811164e9c36ca7a07ac36206ca
SHA1 7d57c355808298982662395858b6744e27585ffd
SHA256 ac3a528be3d59cd1df3bf51023b6ffee944a5b808942d24ea142c91d1d5d8164
SHA512 95d5d7edf156037f91231c76dc2925f6163b9325cf2f4e502fbc11ec7ae76205aee56917628d5a2d819ae8fecbc11255cf2f2dbac0cec14c10ac984aa06775e2

memory/2972-22-0x0000000000400000-0x000000000044E308-memory.dmp

memory/2828-23-0x0000000000170000-0x0000000000171000-memory.dmp

memory/2828-25-0x0000000020000000-0x0000000020027000-memory.dmp

memory/2828-29-0x0000000020000000-0x0000000020027000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-23 07:40

Reported

2024-06-23 07:43

Platform

win10v2004-20240611-en

Max time kernel

138s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0593e00be212420c89a4fdd97e99ccd2_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Gh0strat

rat gh0strat

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | \??\c:\users\admin\appdata\local\cftclswgiv | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\users\admin\appdata\local\cftclswgiv | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\ewakcuxuga | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | C:\Windows\SysWOW64\svchost.exe | N/A
File created | C:\Windows\SysWOW64\eolrtrvwsf | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | C:\Windows\SysWOW64\svchost.exe | N/A
File created | C:\Windows\SysWOW64\ewakcuxuga | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | C:\Windows\SysWOW64\svchost.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | \??\c:\users\admin\appdata\local\cftclswgiv | N/A
N/A | N/A | \??\c:\users\admin\appdata\local\cftclswgiv | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | \??\c:\users\admin\appdata\local\cftclswgiv | N/A
Token: SeBackupPrivilege | N/A | \??\c:\users\admin\appdata\local\cftclswgiv | N/A
Token: SeBackupPrivilege | N/A | \??\c:\users\admin\appdata\local\cftclswgiv | N/A
Token: SeRestorePrivilege | N/A | \??\c:\users\admin\appdata\local\cftclswgiv | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0593e00be212420c89a4fdd97e99ccd2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0593e00be212420c89a4fdd97e99ccd2_JaffaCakes118.exe"

\??\c:\users\admin\appdata\local\cftclswgiv

"C:\Users\Admin\AppData\Local\Temp\0593e00be212420c89a4fdd97e99ccd2_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\0593e00be212420c89a4fdd97e99ccd2_jaffacakes118.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4188,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=3104 /prefetch:8

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1000 -ip 1000

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1000 -s 1104

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4852 -ip 4852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 896

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 844 -ip 844

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 844 -s 1100

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
NL | 23.62.61.97:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | conf.f.360.cn | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp

Files

memory/4952-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/4952-1-0x0000000000400000-0x000000000044E308-memory.dmp

memory/4952-10-0x0000000000400000-0x000000000044E308-memory.dmp

\??\c:\users\admin\appdata\local\cftclswgiv

MD5 c5fded549e0a8b28a4d3020a5821c115
SHA1 35f0063ea43a4fd46b4d68166fc8e8a81feb7c8c
SHA256 fa6a61fb066497bfc1ec14fcd610f0e1f0e9d4acada45323dfeb487afb89632f
SHA512 54e9eaf3179ac88063598d70601b34848d104ac48854eb7416f0977c0ed514b098405bedc9c995831711aa438ea05e481ad77e16c38fbb344ccf9433bd64a64e

memory/3872-11-0x0000000000400000-0x000000000044E308-memory.dmp

\??\c:\programdata\application data\storm\update\%sessionname%\vfpir.cc3

MD5 7f37dde5d919a35e36ac1af5b1812da3
SHA1 0bba5a09418b451aaee46c493d354b552801fcac
SHA256 f190186ece774d44c58edda1d83e1b2b959906c4ea899c17dbfcb227124fede9
SHA512 70a1b3457d8c96b2586bf2cebb95676e5686b96a8e1219f361090cbdcfb770757b316ea55e291141ba849395a8cac928859f142b2cbacda061e620450c339676

memory/3872-16-0x0000000000400000-0x000000000044E308-memory.dmp

memory/1000-17-0x00000000011E0000-0x00000000011E1000-memory.dmp

memory/1000-19-0x0000000020000000-0x0000000020027000-memory.dmp

memory/4852-21-0x00000000019E0000-0x00000000019E1000-memory.dmp

C:\Windows\SysWOW64\svchost.exe.txt

MD5 c143dbebdffb0de60cb56585b33f8fb6
SHA1 7b5977659c248ab37e8111adcb76095615a058b8
SHA256 7c504909a1fc000723806676b2e004db6de918c9b5d1338b2a8b5418cf2a0917
SHA512 48778a7abb1437870f2a004ecf98174bc7eec064b3fbb3860bbf9b12da58a7f63c9c4815a9ac6e7ce85becbc9225c9c2c7c8ed4e73dedf012cf1a996c34f17cc

memory/4852-24-0x0000000020000000-0x0000000020027000-memory.dmp

memory/844-26-0x00000000017F0000-0x00000000017F1000-memory.dmp

C:\Windows\SysWOW64\svchost.exe.txt

MD5 8a60389ef097d3b673d5420d5de2fe17
SHA1 17c47b83ebe90c31d96e664ca150976199e5c706
SHA256 fc318d4387f2887f0ca3633e2bd624290d4644305af9ba7d84a8a6cf7e8c87cd
SHA512 9f62523178938a0a56272db0bae694494268906772f4e38419e1c34110b3733e339ba09f98020d54abc6c733f2fdedb47af93661a59434f71b29607e15f374e6

memory/844-29-0x0000000020000000-0x0000000020027000-memory.dmp