Malware Analysis Report

2025-01-22 14:26

Sample ID 240623-k2ygas1apm
Target 05d135e4f012e233a74120f70934ae62_JaffaCakes118
SHA256 cdfcf64bb22833df8973501e342bc82fbf71602cba51ddcda1aba25d07153854
Tags gh0strat, bootkit, persistence, rat
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10
SHA256 cdfcf64bb22833df8973501e342bc82fbf71602cba51ddcda1aba25d07153854
Threat Level: Known bad

The file 05d135e4f012e233a74120f70934ae62_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Tags gh0strat, bootkit, persistence, rat

Gh0strat

Gh0st RAT payload

Deletes itself

Executes dropped EXE

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Program crash

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-23 09:06

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-23 09:06
Reported 2024-06-23 09:08
Platform win7-20240508-en
Max time kernel 149s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\05d135e4f012e233a74120f70934ae62_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Gh0strat

Tags rat, gh0strat

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | \??\c:\users\admin\appdata\local\ibikrptrfc | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\users\admin\appdata\local\ibikrptrfc | N/A

Writes to the Master Boot Record (MBR)

Tags bootkit, persistence

Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\svchost.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\qfadfpuath | C:\Windows\SysWOW64\svchost.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\svchost.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7" | C:\Windows\SysWOW64\svchost.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | \??\c:\users\admin\appdata\local\ibikrptrfc | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | \??\c:\users\admin\appdata\local\ibikrptrfc | N/A
Token: SeBackupPrivilege | N/A | \??\c:\users\admin\appdata\local\ibikrptrfc | N/A
Token: SeBackupPrivilege | N/A | \??\c:\users\admin\appdata\local\ibikrptrfc | N/A
Token: SeRestorePrivilege | N/A | \??\c:\users\admin\appdata\local\ibikrptrfc | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Processes

Image C:\Users\Admin\AppData\Local\Temp\05d135e4f012e233a74120f70934ae62_JaffaCakes118.exe
Command line "C:\Users\Admin\AppData\Local\Temp\05d135e4f012e233a74120f70934ae62_JaffaCakes118.exe"

Image \??\c:\users\admin\appdata\local\ibikrptrfc
Command line "C:\Users\Admin\AppData\Local\Temp\05d135e4f012e233a74120f70934ae62_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\05d135e4f012e233a74120f70934ae62_jaffacakes118.exe

Image C:\Windows\SysWOW64\svchost.exe
Command line C:\Windows\SysWOW64\svchost.exe -k netsvcs

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | bibo9.8800.org | udp
US | 8.8.8.8:53 | conf.f.360.cn | udp
DE | 46.82.174.69:889 | bibo9.8800.org | tcp
US | 8.8.8.8:53 | bibo9.8800.org | udp
DE | 46.82.174.69:889 | bibo9.8800.org | tcp

Files

memory/2884-1-0x0000000000400000-0x000000000044E37C-memory.dmp

memory/2884-2-0x0000000000030000-0x0000000000031000-memory.dmp

\Users\Admin\AppData\Local\ibikrptrfc

MD5 c8a3c641642c1a9b43725c05793eaac2
SHA1 8a657ef2bb55f27f78bf609557c8a2a3a7edd313
SHA256 9543c0be2359b5548dc8223f823fbdce3c9b9f11a0a820a201c9e8be3aa5050a
SHA512 30c4531b721a4ee49d9b8a9221f8a112e2ecd78904a6fa2919158487e547aaeb17a3f9865266e2132d29c04633a6c260358b17dfd728d4665cbef55383557754

memory/2884-6-0x00000000005E0000-0x000000000062F000-memory.dmp

memory/2884-13-0x0000000000400000-0x000000000044E37C-memory.dmp

memory/1144-17-0x0000000000030000-0x0000000000031000-memory.dmp

memory/1144-16-0x0000000000400000-0x000000000044E37C-memory.dmp

\??\c:\programdata\application data\storm\update\%sessionname%\dwxne.cc3

MD5 52571b83298266722747ea5586828f97
SHA1 af70aac872801f025c9fb6781bd638e90044e04e
SHA256 08a025a59c1165b5a88f5f08d77e452677eb23dfa90fbffdbb3992f61e6a575c
SHA512 cc2441ec3e5294bacd91c3d9c2827f1ff6d508e212470db9ed2474ca6a787e909c3c21cabe8a90e8de2320ff98d190f26bb23e152c952b007a94c7d3c3e7ec52

memory/1144-22-0x0000000000400000-0x000000000044E37C-memory.dmp

memory/2636-23-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/2636-25-0x0000000020000000-0x0000000020027000-memory.dmp

memory/2636-27-0x0000000020000000-0x0000000020027000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-23 09:06
Reported 2024-06-23 09:09
Platform win10v2004-20240508-en
Max time kernel 52s
Max time network 51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\05d135e4f012e233a74120f70934ae62_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Gh0strat

Tags rat, gh0strat

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | \??\c:\users\admin\appdata\local\bvbxtibhjl | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\users\admin\appdata\local\bvbxtibhjl | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\qeqieycshs | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | C:\Windows\SysWOW64\svchost.exe | N/A
File created | C:\Windows\SysWOW64\qnecmcfqto | C:\Windows\SysWOW64\svchost.exe | N/A
File created | C:\Windows\SysWOW64\qnecmcfqto | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | C:\Windows\SysWOW64\svchost.exe | N/A
File created | C:\Windows\SysWOW64\qvsuufhohj | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | C:\Windows\SysWOW64\svchost.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | \??\c:\users\admin\appdata\local\bvbxtibhjl | N/A
N/A | N/A | \??\c:\users\admin\appdata\local\bvbxtibhjl | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | \??\c:\users\admin\appdata\local\bvbxtibhjl | N/A
Token: SeBackupPrivilege | N/A | \??\c:\users\admin\appdata\local\bvbxtibhjl | N/A
Token: SeBackupPrivilege | N/A | \??\c:\users\admin\appdata\local\bvbxtibhjl | N/A
Token: SeRestorePrivilege | N/A | \??\c:\users\admin\appdata\local\bvbxtibhjl | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Processes

Image C:\Users\Admin\AppData\Local\Temp\05d135e4f012e233a74120f70934ae62_JaffaCakes118.exe
Command line "C:\Users\Admin\AppData\Local\Temp\05d135e4f012e233a74120f70934ae62_JaffaCakes118.exe"

Image \??\c:\users\admin\appdata\local\bvbxtibhjl
Command line "C:\Users\Admin\AppData\Local\Temp\05d135e4f012e233a74120f70934ae62_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\05d135e4f012e233a74120f70934ae62_jaffacakes118.exe

Image C:\Windows\SysWOW64\svchost.exe
Command line C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility

Image C:\Windows\SysWOW64\WerFault.exe
Command line C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4468 -ip 4468

Image C:\Windows\SysWOW64\WerFault.exe
Command line C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 1076

Image C:\Windows\SysWOW64\svchost.exe
Command line C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility

Image C:\Windows\SysWOW64\WerFault.exe
Command line C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 116 -ip 116

Image C:\Windows\SysWOW64\WerFault.exe
Command line C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 888

Image C:\Windows\SysWOW64\svchost.exe
Command line C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility

Image C:\Windows\SysWOW64\WerFault.exe
Command line C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3772 -ip 3772

Image C:\Windows\SysWOW64\WerFault.exe
Command line C:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 888

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | conf.f.360.cn | udp

Files

memory/1784-1-0x0000000000400000-0x000000000044E37C-memory.dmp

memory/1784-2-0x00000000001E0000-0x00000000001E1000-memory.dmp

C:\Users\Admin\AppData\Local\bvbxtibhjl

MD5 1234903aee1a17b0a752669f48d1e445
SHA1 03e383d30958197901c60f2dc3e90ca839e10fc8
SHA256 b5b6c909a77117348e6c0be29515b34611eaafd4fc8810cd894b71e116b02c79
SHA512 c6ee801e6a0edc675af89568c31c3951fd385975a1c416a391d366d5bdf882060f45f046cdb7a31dc56440601b5866547cb43d5d8d07158907214c8d7c36c739

memory/1784-10-0x0000000000400000-0x000000000044E37C-memory.dmp

memory/2816-11-0x0000000000400000-0x000000000044E37C-memory.dmp

\??\c:\programdata\application data\storm\update\%sessionname%\bhvxr.cc3

MD5 ee84b337a346ee7c1293f545f5541a0e
SHA1 0e3121aa429868207d682053b46d53f09a9c8f43
SHA256 aa612bff354d3ea3a0f075779ddd3f4fae8d9cdb19fe3c3b5fb76197ddade651
SHA512 239dd97f5cf6684f3f40d49f62719ca4b085b4707549b669f631667b4a8d16ace07ad0b63c627a9fcc29b71f6df6ebb7ea01b9cba5758a6380069423c0d636c7

memory/2816-16-0x0000000000400000-0x000000000044E37C-memory.dmp

memory/4468-17-0x00000000018E0000-0x00000000018E1000-memory.dmp

memory/4468-19-0x0000000020000000-0x0000000020027000-memory.dmp

memory/116-21-0x0000000001AE0000-0x0000000001AE1000-memory.dmp

C:\Windows\SysWOW64\svchost.exe.txt

MD5 ad6660af0cf288bc02aef50ca8d491ac
SHA1 a912f9b8b14f14cb40f3a59f5d3d1ad42afb9921
SHA256 3642d5d4ecc17f0f1c3b73b7f9569d68a67b25a9f2fccfea1b5518c877dddca0
SHA512 a579b52eb1f4e9cc0c63eae80a2f97cdd2780fa8474266665bf353b1d77ee0655c815098748cb2fa41908696f1350e1de4f105e9079adf643dcefb3e0294b01e

memory/116-24-0x0000000020000000-0x0000000020027000-memory.dmp

memory/3772-26-0x00000000019D0000-0x00000000019D1000-memory.dmp

C:\Windows\SysWOW64\svchost.exe.txt

MD5 85df7cefe5076dff59a9aab22c92d2ee
SHA1 202e936443ddda88d6238b78ed20721dcb4a7e21
SHA256 e812a1ddf9b41d090ff9e47d4e71d5d4a67f64366f5ab92b158c9905ed5745fc
SHA512 5ab85d220dae7ef54fb591c34ebe3df4faf120fd353ef713914f6d2606900b3d6cda6a8a1ba4c89209d226602fd09576ddf2287e7a24ce07e31aa951172f69e2

memory/3772-29-0x0000000020000000-0x0000000020027000-memory.dmp