Malware Analysis Report

2025-01-22 14:28

Sample ID 240623-kv5l2azgpp
Target 05c977d259a8901ec1dbde6308f949b0_JaffaCakes118
SHA256 3f0de8e53c2e158e96f4debbc757ee0f97efa352917b0b6379656944d75475f3
Tags
gh0strat bootkit persistence rat
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

3f0de8e53c2e158e96f4debbc757ee0f97efa352917b0b6379656944d75475f3

Threat Level: Known bad

The file 05c977d259a8901ec1dbde6308f949b0_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

gh0strat bootkit persistence rat

Gh0strat

Gh0st RAT payload

Executes dropped EXE

Loads dropped DLL

Deletes itself

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Unsigned PE

Program crash

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-23 08:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-23 08:56

Reported

2024-06-23 08:58

Platform

win7-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\05c977d259a8901ec1dbde6308f949b0_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Deletes itself

Description Indicator Process Target
N/A N/A \??\c:\users\admin\appdata\local\eiyunbntvt N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\users\admin\appdata\local\eiyunbntvt N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\pcckevegwf C:\Windows\SysWOW64\svchost.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\svchost.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7" C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\users\admin\appdata\local\eiyunbntvt N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A \??\c:\users\admin\appdata\local\eiyunbntvt N/A
Token: SeBackupPrivilege N/A \??\c:\users\admin\appdata\local\eiyunbntvt N/A
Token: SeBackupPrivilege N/A \??\c:\users\admin\appdata\local\eiyunbntvt N/A
Token: SeRestorePrivilege N/A \??\c:\users\admin\appdata\local\eiyunbntvt N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\05c977d259a8901ec1dbde6308f949b0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\05c977d259a8901ec1dbde6308f949b0_JaffaCakes118.exe"

\??\c:\users\admin\appdata\local\eiyunbntvt

"C:\Users\Admin\AppData\Local\Temp\05c977d259a8901ec1dbde6308f949b0_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\05c977d259a8901ec1dbde6308f949b0_jaffacakes118.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs

Network

Country Destination Domain Proto
US 8.8.8.8:53 bibo9.8800.org udp
US 8.8.8.8:53 conf.f.360.cn udp
US 8.8.8.8:53 www.baidu.com udp
US 8.8.8.8:53 qup.f.360.cn udp
US 8.8.8.8:53 www.163.com udp
US 8.8.8.8:53 u.qurl.f.360.cn udp
US 8.8.8.8:53 qurl.f.360.cn udp
US 8.8.8.8:53 qurl.qh-lb.com udp
US 8.8.8.8:53 qup.qh-lb.com udp
US 8.8.8.8:53 sdup.360.cn udp
US 8.8.8.8:53 sdup.qh-lb.com udp
US 8.8.8.8:53 sdupm.360.cn udp
US 8.8.8.8:53 sdup.qh-lb.com udp

Files

memory/2580-1-0x0000000000400000-0x000000000044E330-memory.dmp

memory/2580-2-0x0000000000030000-0x0000000000031000-memory.dmp

\Users\Admin\AppData\Local\eiyunbntvt

MD5 985f23e1f06ec0adc55567473a4cc6e1
SHA1 ab4ea7a1202ee47413b8c5c2e08f91e133726548
SHA256 e2893b35a2994e082f57768722226f40ca6b44d3590bac7967627bb1aa1437c5
SHA512 c9adcdbf01db5c8bbe682c1d7126379c40e210714a939144a45d1dde79de21cec5f2393208ed9f4987678db5f6ae4aa0f61f5cfc138d9852f1e8931204a6067d

memory/2580-6-0x0000000000230000-0x000000000027F000-memory.dmp

memory/2580-12-0x0000000000400000-0x000000000044E330-memory.dmp

memory/2172-14-0x0000000000400000-0x000000000044E330-memory.dmp

memory/2172-16-0x0000000000030000-0x0000000000031000-memory.dmp

\??\c:\programdata\application data\storm\update\%sessionname%\kdrju.cc3

MD5 6e944c6fb6afd820a31f0f9128ff860a
SHA1 25a279f535db8e59caed6883e3942accabd86d56
SHA256 90e8573893e61e7e7c92603370824e942d6fc480147953ed36426ca647794a10
SHA512 34b2c4fdddcc6e3310644d60b03666fcebd0b26a5b082886ba045fbd947e9e042f63cca89495f87fbbc08d4c5826a0cd8e08bc18944f172e728ee8cd5c2ae37d

memory/2172-21-0x0000000000400000-0x000000000044E330-memory.dmp

memory/2644-22-0x0000000000190000-0x0000000000191000-memory.dmp

memory/2644-24-0x0000000020000000-0x0000000020027000-memory.dmp

memory/2644-28-0x0000000020000000-0x0000000020027000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-23 08:56

Reported

2024-06-23 08:58

Platform

win10v2004-20240508-en

Max time kernel

52s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\05c977d259a8901ec1dbde6308f949b0_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Deletes itself

Description Indicator Process Target
N/A N/A \??\c:\users\admin\appdata\local\hfrtocfsdp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\users\admin\appdata\local\hfrtocfsdp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\svchost.exe.txt C:\Windows\SysWOW64\svchost.exe N/A
File created C:\Windows\SysWOW64\ptevtcibxu C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\svchost.exe.txt C:\Windows\SysWOW64\svchost.exe N/A
File created C:\Windows\SysWOW64\pcspcflykp C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\svchost.exe.txt C:\Windows\SysWOW64\svchost.exe N/A
File created C:\Windows\SysWOW64\pkqdmygdka C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\users\admin\appdata\local\hfrtocfsdp N/A
N/A N/A \??\c:\users\admin\appdata\local\hfrtocfsdp N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A \??\c:\users\admin\appdata\local\hfrtocfsdp N/A
Token: SeBackupPrivilege N/A \??\c:\users\admin\appdata\local\hfrtocfsdp N/A
Token: SeBackupPrivilege N/A \??\c:\users\admin\appdata\local\hfrtocfsdp N/A
Token: SeRestorePrivilege N/A \??\c:\users\admin\appdata\local\hfrtocfsdp N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\05c977d259a8901ec1dbde6308f949b0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\05c977d259a8901ec1dbde6308f949b0_JaffaCakes118.exe"

\??\c:\users\admin\appdata\local\hfrtocfsdp

"C:\Users\Admin\AppData\Local\Temp\05c977d259a8901ec1dbde6308f949b0_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\05c977d259a8901ec1dbde6308f949b0_jaffacakes118.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2240 -ip 2240

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 1084

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4760 -ip 4760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 880

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2488 -ip 2488

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 1100

Network

Country Destination Domain Proto
US 8.8.8.8:53 conf.f.360.cn udp

Files

memory/4864-1-0x0000000000400000-0x000000000044E330-memory.dmp

memory/4864-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

C:\Users\Admin\AppData\Local\hfrtocfsdp

MD5 fda9e0862e7860fd571cac5a3d6948e7
SHA1 accaff562f546936fed3f20d877e3ec586e0a767
SHA256 dc2c8a6dddd73c562ad289279ea71932a8ca3f105eea7a94fad97828b8478642
SHA512 0f34ccce64a5e076fba214cd56d89abeb91a39017c14f18a33a4db87870dc3ac84d680a7bcf58fb93f43e14bcb06d781dad1519698220be887db7762fc95770f

memory/4160-12-0x0000000000400000-0x000000000044E330-memory.dmp

memory/4160-11-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/4864-10-0x0000000000400000-0x000000000044E330-memory.dmp

\??\c:\programdata\application data\storm\update\%sessionname%\jshdm.cc3

MD5 7448bd18d8aa3ba8341da429990ace39
SHA1 9e2ea67d970ba8728659354c7bfa62c8d2379bc5
SHA256 4fdc7485fa4e3a683031f9bf2cdbaccd15ff9be2192b0d76e953c46f1b6f1036
SHA512 c4face05603bd08d331c106c6cca9a7d8226402db9283dd56c41e77a0c4cdf1f57d67e890dcb08f58a6cef63d814e700643f944c30173443edfa9064008db4d5

memory/4160-17-0x0000000000400000-0x000000000044E330-memory.dmp

memory/2240-18-0x00000000013E0000-0x00000000013E1000-memory.dmp

memory/2240-20-0x0000000020000000-0x0000000020027000-memory.dmp

memory/4760-22-0x00000000022A0000-0x00000000022A1000-memory.dmp

C:\Windows\SysWOW64\svchost.exe.txt

MD5 e9282f297dd484daf4a9374f9e0fbae0
SHA1 7e3edc11de46058cd95b307e8f64471b24e6dd99
SHA256 d839ffc55024b35b16aece6c411658749d5b767685b43624edfa616900c39fb2
SHA512 2fed0c59f7b3ace9503747649a9319cf208d40ecaffcc29b0543ebfc01d50df013f1c4b3a8a03e428e79cefb03dda498c2dbca17e904ea8e53c24e928cc9d2eb

memory/4760-25-0x0000000020000000-0x0000000020027000-memory.dmp

memory/2488-27-0x00000000009F0000-0x00000000009F1000-memory.dmp

C:\Windows\SysWOW64\svchost.exe.txt

MD5 aa6fd9838d2930d293de8a3e08075575
SHA1 e19a3b24314318263ee02cee4bfc8770d0c007e9
SHA256 6288a088f03617f883fa2f5cc5ae6a588ac303888a27a35b9e02afd6996c4ea8
SHA512 0bedb1a4e0f644ead673a6a46ba2811b547c0d17ead59c926e43372102bee129d0a8b521a7a116f44c6cfadd189ea8b36c20576260eefb61dd1578e8402ca842

memory/2488-30-0x0000000020000000-0x0000000020027000-memory.dmp