Analysis Overview
SHA256
453ae4cb09cb460cd4f78c607cae9cfc1cd4ca85ef307fa51bde98a7b164c3e7
Threat Level: Known bad
The file 05caa58dbb6fa331b64a8a3479bbc574_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Gh0strat family
Gh0strat
Gh0st RAT payload
Loads dropped DLL
Drops file in Program Files directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-23 08:57
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Gh0strat family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-23 08:57
Reported
2024-06-23 09:00
Platform
win7-20240419-en
Max time kernel
150s
Max time network
134s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Gh0strat
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files (x86)\Fbcd\Kbcdefghi.gif | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Program Files (x86)\Fbcd\Kbcdefghi.gif | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2284 wrote to memory of 2052 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2284 wrote to memory of 2052 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2284 wrote to memory of 2052 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2284 wrote to memory of 2052 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2284 wrote to memory of 2052 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2284 wrote to memory of 2052 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2284 wrote to memory of 2052 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\05caa58dbb6fa331b64a8a3479bbc574_JaffaCakes118.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\05caa58dbb6fa331b64a8a3479bbc574_JaffaCakes118.dll,#1
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | a6422563.vicp.net | udp |
| CN | 113.241.21.168:10258 | a6422563.vicp.net | tcp |
| CN | 113.241.21.168:10258 | a6422563.vicp.net | tcp |
| CN | 113.241.21.168:10258 | a6422563.vicp.net | tcp |
Files
\??\c:\program files (x86)\fbcd\kbcdefghi.gif
| Hash | Value |
| --- | --- |
| MD5 | ad9f7b137172773629580917c427c567 |
| SHA1 | e91985db6839bd6d4cf26693108c2ac33310b2b8 |
| SHA256 | 4b6b76a99c0b737f600840ef776d3aa0c0d60b0b6922ca4a69899a48e75d4587 |
| SHA512 | 8185d38ce5d18f0a20f5f6703228aa589dbb2a068d776eb31313b385b9e3e34c59c83ea6e8472d11db7e1de47b4569a0badb005f1cfea49d2ffd9427e9ee6144 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-23 08:57
Reported
2024-06-23 09:00
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
116s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Gh0strat
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files (x86)\Fbcd\Kbcdefghi.gif | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Program Files (x86)\Fbcd\Kbcdefghi.gif | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2176 wrote to memory of 2188 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2176 wrote to memory of 2188 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2176 wrote to memory of 2188 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\05caa58dbb6fa331b64a8a3479bbc574_JaffaCakes118.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\05caa58dbb6fa331b64a8a3479bbc574_JaffaCakes118.dll,#1
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | a6422563.vicp.net | udp |
| US | 8.8.8.8:53 | a6422563.vicp.net | udp |
| US | 8.8.8.8:53 | a6422563.vicp.net | udp |
Files
\??\c:\program files (x86)\fbcd\kbcdefghi.gif
| Hash | Value |
| --- | --- |
| MD5 | cd1ab7e2c16d3166bfb29b28de0bde1c |
| SHA1 | 60c19fc31083cdd556862428e44daeb87058a9d9 |
| SHA256 | 269e7f60d5092325ffd8820e43dc908189cf3c4bacbfe67031393da4fd5154f5 |
| SHA512 | af3c29f69f0f82af707f532fcd9ecf4835bababdea668d225fafeffc9984b6cb65dbfc10504d317f9e202a0a0524699ce16e895d11574c56c1a866e8295bfce1 |