Analysis Overview
SHA256
55dde27bde29cea402f79e161311a35cf67377af951cc5e472ee2904a477a310
Threat Level: Known bad
The file 05d37d2ecf247111834c058e6674df68_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Gh0st RAT payload
Gh0strat
Adds Run key to start application
Drops file in System32 directory
Launches sc.exe
Drops file in Windows directory
Unsigned PE
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-23 09:10
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-23 09:10
Reported
2024-06-23 09:12
Platform
win7-20240221-en
Max time kernel
118s
Max time network
118s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\XXXXXX579E5A5B VVVVVVrr2unw== = "C:\\Windows\\XXXXXX579E5A5B VVVVVVrr2unw==\\svchsot.exe" | C:\Users\Admin\AppData\Local\Temp\05d37d2ecf247111834c058e6674df68_JaffaCakes118.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe | C:\Users\Admin\AppData\Local\Temp\05d37d2ecf247111834c058e6674df68_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe | C:\Users\Admin\AppData\Local\Temp\05d37d2ecf247111834c058e6674df68_JaffaCakes118.exe | N/A |
| File created | C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\JH.BAT | C:\Users\Admin\AppData\Local\Temp\05d37d2ecf247111834c058e6674df68_JaffaCakes118.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\05d37d2ecf247111834c058e6674df68_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\05d37d2ecf247111834c058e6674df68_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\05d37d2ecf247111834c058e6674df68_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\05d37d2ecf247111834c058e6674df68_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\05d37d2ecf247111834c058e6674df68_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\05d37d2ecf247111834c058e6674df68_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\JH.BAT"" |
| C:\Windows\SysWOW64\schtasks.exe | schtasks /delete /tn * /f |
| C:\Windows\SysWOW64\sc.exe | sc config Schedule start= auto |
| C:\Windows\SysWOW64\net.exe | net start "Task Scheduler" |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 start "Task Scheduler" |
| C:\Windows\SysWOW64\at.exe | At 0:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe |
| C:\Windows\SysWOW64\at.exe | At 1:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe |
| C:\Windows\SysWOW64\at.exe | At 2:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe |
| C:\Windows\SysWOW64\at.exe | At 3:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe |
| C:\Windows\SysWOW64\at.exe | At 4:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe |
| C:\Windows\SysWOW64\at.exe | At 5:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe |
| C:\Windows\SysWOW64\at.exe | At 6:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe |
| C:\Windows\SysWOW64\at.exe | At 7:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe |
| C:\Windows\SysWOW64\at.exe | At 8:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe |
| C:\Windows\SysWOW64\at.exe | At 9:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe |
| C:\Windows\SysWOW64\at.exe | At 10:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe |
| C:\Windows\SysWOW64\at.exe | At 11:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe |
| C:\Windows\SysWOW64\at.exe | At 12:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe |
| C:\Windows\SysWOW64\at.exe | At 13:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe |
| C:\Windows\SysWOW64\at.exe | At 14:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe |
| C:\Windows\SysWOW64\at.exe | At 15:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe |
| C:\Windows\SysWOW64\at.exe | At 16:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe |
| C:\Windows\SysWOW64\at.exe | At 17:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe |
| C:\Windows\SysWOW64\at.exe | At 18:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe |
| C:\Windows\SysWOW64\at.exe | At 19:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe |
| C:\Windows\SysWOW64\at.exe | At 20:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe |
| C:\Windows\SysWOW64\at.exe | At 21:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe |
| C:\Windows\SysWOW64\at.exe | At 22:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe |
| C:\Windows\SysWOW64\at.exe | At 23:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe |
| C:\Windows\SysWOW64\at.exe | At 24:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | www.wk1888.com | udp |
| US | 50.2.120.135:8000 | www.wk1888.com | tcp |
| US | 8.8.8.8:53 | www.af0575.com | udp |
| HK | 38.239.140.49:8000 | www.af0575.com | tcp |
| US | 8.8.8.8:53 | www.fz0575.com | udp |
| US | 50.2.120.135:8000 | www.wk1888.com | tcp |
Files
memory/2512-3-0x0000000010000000-0x0000000010121000-memory.dmp
memory/2512-0-0x0000000010000000-0x0000000010121000-memory.dmp
memory/2512-7-0x0000000010000000-0x0000000010121000-memory.dmp
memory/2512-6-0x00000000001F0000-0x00000000001F1000-memory.dmp
memory/2512-2-0x0000000010000000-0x0000000010121000-memory.dmp
C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\JH.BAT
| Hash | Value |
| --- | --- |
| MD5 | d8d3a3c95e9e23157286b883310db430 |
| SHA1 | df3540006561b11eba293cb19556cb21a5f1cab7 |
| SHA256 | a6557c4d137e61f94df072ae9f05d890f418388745151263d3278f0020a49ba1 |
| SHA512 | b5065a78947236960e6dc632443443570839c47ba6107e091efd4c84df7f21a93dff07d97fc892d69a58ccecb5c04b019e8adbc718f735b0d9821ee7b82d21bc |
\??\PIPE\atsvc
| Hash | Value |
| --- | --- |
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2512-29-0x00000000001F0000-0x00000000001F1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-23 09:10
Reported
2024-06-23 09:12
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XXXXXX579E5A5B VVVVVVrr2unw== = "C:\\Windows\\XXXXXX579E5A5B VVVVVVrr2unw==\\svchsot.exe" | C:\Users\Admin\AppData\Local\Temp\05d37d2ecf247111834c058e6674df68_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\Default | C:\Users\Admin\AppData\Local\Temp\05d37d2ecf247111834c058e6674df68_JaffaCakes118.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe | C:\Users\Admin\AppData\Local\Temp\05d37d2ecf247111834c058e6674df68_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe | C:\Users\Admin\AppData\Local\Temp\05d37d2ecf247111834c058e6674df68_JaffaCakes118.exe | N/A |
| File created | C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\JH.BAT | C:\Users\Admin\AppData\Local\Temp\05d37d2ecf247111834c058e6674df68_JaffaCakes118.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\05d37d2ecf247111834c058e6674df68_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\05d37d2ecf247111834c058e6674df68_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\JH.BAT"" |
| C:\Windows\SysWOW64\schtasks.exe | schtasks /delete /tn * /f |
| C:\Windows\SysWOW64\sc.exe | sc config Schedule start= auto |
| C:\Windows\SysWOW64\net.exe | net start "Task Scheduler" |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 start "Task Scheduler" |
| C:\Windows\SysWOW64\at.exe | At 0:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe |
| C:\Windows\SysWOW64\at.exe | At 1:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe |
| C:\Windows\SysWOW64\at.exe | At 2:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe |
| C:\Windows\SysWOW64\at.exe | At 3:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe |
| C:\Windows\SysWOW64\at.exe | At 4:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe |
| C:\Windows\SysWOW64\at.exe | At 5:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe |
| C:\Windows\SysWOW64\at.exe | At 6:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe |
| C:\Windows\SysWOW64\at.exe | At 7:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe |
| C:\Windows\SysWOW64\at.exe | At 8:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe |
| C:\Windows\SysWOW64\at.exe | At 9:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe |
| C:\Windows\SysWOW64\at.exe | At 10:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe |
| C:\Windows\SysWOW64\at.exe | At 11:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe |
| C:\Windows\SysWOW64\at.exe | At 12:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe |
| C:\Windows\SysWOW64\at.exe | At 13:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe |
| C:\Windows\SysWOW64\at.exe | At 14:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe |
| C:\Windows\SysWOW64\at.exe | At 15:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe |
| C:\Windows\SysWOW64\at.exe | At 16:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe |
| C:\Windows\SysWOW64\at.exe | At 17:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe |
| C:\Windows\SysWOW64\at.exe | At 18:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe |
| C:\Windows\SysWOW64\at.exe | At 19:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe |
| C:\Windows\SysWOW64\at.exe | At 20:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe |
| C:\Windows\SysWOW64\at.exe | At 21:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe |
| C:\Windows\SysWOW64\at.exe | At 22:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe |
| C:\Windows\SysWOW64\at.exe | At 23:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe |
| C:\Windows\SysWOW64\at.exe | At 24:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | www.wk1888.com | udp |
| US | 8.8.8.8:53 | www.af0575.com | udp |
| US | 8.8.8.8:53 | www.fz0575.com | udp |
| US | 8.8.8.8:53 | www.wk1888.com | udp |
Files
memory/2652-8-0x0000000010000000-0x0000000010121000-memory.dmp
memory/2652-9-0x00000000004F0000-0x00000000004F1000-memory.dmp
memory/2652-3-0x0000000010000000-0x0000000010121000-memory.dmp
memory/2652-0-0x0000000010000000-0x0000000010121000-memory.dmp
memory/2652-2-0x0000000010000000-0x0000000010121000-memory.dmp
C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\JH.BAT
| Hash | Value |
| --- | --- |
| MD5 | d8d3a3c95e9e23157286b883310db430 |
| SHA1 | df3540006561b11eba293cb19556cb21a5f1cab7 |
| SHA256 | a6557c4d137e61f94df072ae9f05d890f418388745151263d3278f0020a49ba1 |
| SHA512 | b5065a78947236960e6dc632443443570839c47ba6107e091efd4c84df7f21a93dff07d97fc892d69a58ccecb5c04b019e8adbc718f735b0d9821ee7b82d21bc |
\??\PIPE\atsvc
| Hash | Value |
| --- | --- |
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2652-21-0x00000000004F0000-0x00000000004F1000-memory.dmp