Analysis Overview
SHA256
13abc52d4dab9dbb8c59576905aace2b270559e4b59a535745cc42763c18b805
Threat Level: Known bad
The file 06544a3435938b21f284f8ab7f187efd_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Gh0strat
Gh0strat family
Gh0st RAT payload
Server Software Component: Terminal Services DLL
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
| Field | Value |
| --- | --- |
| Reported | 2024-06-23 13:44 |
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Gh0strat family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
| Field | Value |
| --- | --- |
| Submitted | 2024-06-23 13:44 |
| Reported | 2024-06-23 13:46 |
| Platform | win7-20240611-en |
| Max time kernel | 118s |
| Max time network | 122s |
| Command Line | |
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Server Software Component: Terminal Services DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Network Connections (0) Manager\Parameters\ServiceDll = "C:\\WINDOWS\\system\\temp\\Service.ini" | C:\Users\Admin\AppData\Local\Temp\06544a3435938b21f284f8ab7f187efd_JaffaCakes118.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\WINDOWS\system\temp | C:\Users\Admin\AppData\Local\Temp\06544a3435938b21f284f8ab7f187efd_JaffaCakes118.exe | N/A |
| File created | C:\WINDOWS\system\..txt | C:\Users\Admin\AppData\Local\Temp\06544a3435938b21f284f8ab7f187efd_JaffaCakes118.exe | N/A |
| File created | C:\WINDOWS\system\temp\Service.ini | C:\Users\Admin\AppData\Local\Temp\06544a3435938b21f284f8ab7f187efd_JaffaCakes118.exe | N/A |
| File opened for modification | C:\WINDOWS\system\temp\Service.ini | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\WINDOWS\system\temp\Service.ini | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1444 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\06544a3435938b21f284f8ab7f187efd_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1444 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\06544a3435938b21f284f8ab7f187efd_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1444 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\06544a3435938b21f284f8ab7f187efd_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1444 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\06544a3435938b21f284f8ab7f187efd_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
| Image | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\06544a3435938b21f284f8ab7f187efd_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\06544a3435938b21f284f8ab7f187efd_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd.exe /c copy /b C:\\WINDOWS\system\..txt+C:\\WINDOWS\system\....txt C:\WINDOWS\system\temp\Service.ini |
| C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe -k netsvcs |
Network
Files
C:\WINDOWS\system\..txt
| Algorithm | Digest |
| --- | --- |
| MD5 | ac6ad5d9b99757c3a878f2d275ace198 |
| SHA1 | 439baa1b33514fb81632aaf44d16a9378c5664fc |
| SHA256 | 9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d |
| SHA512 | bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b |
C:\WINDOWS\system\....txt
| Algorithm | Digest |
| --- | --- |
| MD5 | e8b990bb3bd2cfa1b04058b568a55747 |
| SHA1 | 0cbd7fe2960a15f3aabaad6b214bc94e27aea7a7 |
| SHA256 | 99307ab889ef750abb63a80ff073acffa04c8bc59ce53ce4e36abf89829a54ca |
| SHA512 | 85fc4b66a04549f3ecc62d73dec86dcd73545dbb5c049d5d9b6c0496fb4f0a0deb1140f18baaa92f7fb2d40ee2a53eda25e3736b835065e5fc528d6710100477 |
\??\c:\windows\system\temp\service.ini
| Algorithm | Digest |
| --- | --- |
| MD5 | e47fd37e79f50febfc0221743724c66a |
| SHA1 | 056a2eb81fa6d018df70b7e7feb0494e03511741 |
| SHA256 | 241e6ae9aa91717ec56a440e9ab29619f77c18dba521525213c1fbbdd31c05be |
| SHA512 | 03f426e2a8cf3e41b210ce495cd135623e9c76175f9f36e25dbecc2c760a686a7c293cbb3998ae668f2998e3969eb326e986fc0544b33ed8ffdcdae2fc648aab |
memory/2116-8-0x0000000010000000-0x0000000010020000-memory.dmp
memory/2116-10-0x0000000010000000-0x0000000010020000-memory.dmp
Analysis: behavioral2
Detonation Overview
| Field | Value |
| --- | --- |
| Submitted | 2024-06-23 13:44 |
| Reported | 2024-06-23 13:46 |
| Platform | win10v2004-20240508-en |
| Max time kernel | 93s |
| Max time network | 123s |
| Command Line | |
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Server Software Component: Terminal Services DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Network Connections (0) Manager\Parameters\ServiceDll = "C:\\WINDOWS\\system\\temp\\Service.ini" | C:\Users\Admin\AppData\Local\Temp\06544a3435938b21f284f8ab7f187efd_JaffaCakes118.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\WINDOWS\system\temp\Service.ini | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\WINDOWS\system\temp\Service.ini | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\WINDOWS\system\temp | C:\Users\Admin\AppData\Local\Temp\06544a3435938b21f284f8ab7f187efd_JaffaCakes118.exe | N/A |
| File created | C:\WINDOWS\system\..txt | C:\Users\Admin\AppData\Local\Temp\06544a3435938b21f284f8ab7f187efd_JaffaCakes118.exe | N/A |
| File created | C:\WINDOWS\system\temp\Service.ini | C:\Users\Admin\AppData\Local\Temp\06544a3435938b21f284f8ab7f187efd_JaffaCakes118.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\svchost.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1496 wrote to memory of 3564 | N/A | C:\Users\Admin\AppData\Local\Temp\06544a3435938b21f284f8ab7f187efd_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1496 wrote to memory of 3564 | N/A | C:\Users\Admin\AppData\Local\Temp\06544a3435938b21f284f8ab7f187efd_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1496 wrote to memory of 3564 | N/A | C:\Users\Admin\AppData\Local\Temp\06544a3435938b21f284f8ab7f187efd_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
| Image | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\06544a3435938b21f284f8ab7f187efd_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\06544a3435938b21f284f8ab7f187efd_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd.exe /c copy /b C:\\WINDOWS\system\..txt+C:\\WINDOWS\system\....txt C:\WINDOWS\system\temp\Service.ini |
| C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe -k netsvcs |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2008 -ip 2008 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 444 |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 37.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\WINDOWS\system\....txt
| Algorithm | Digest |
| --- | --- |
| MD5 | 3bf2108f9472a7bcda82fda411c3d0bb |
| SHA1 | 5b1682df6f544acd1ff62ed86e0fab9eb8b3255e |
| SHA256 | 692bf121e3f8a09b052f87c866b638ca70aa5ea34fd31d7a90d167c4ccdcf93a |
| SHA512 | 142fa826680181352a61f372e7d62c9c81436b416fc7e20845cc5defeb172141a4d7759b6fb140bacbc7214be66b02648588ef2a1f939185ff45330d91d444af |
C:\WINDOWS\system\..txt
| Algorithm | Digest |
| --- | --- |
| MD5 | ac6ad5d9b99757c3a878f2d275ace198 |
| SHA1 | 439baa1b33514fb81632aaf44d16a9378c5664fc |
| SHA256 | 9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d |
| SHA512 | bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b |
\??\c:\windows\system\temp\service.ini
| Algorithm | Digest |
| --- | --- |
| MD5 | f26c2df1e21d780bc47b4535c00c5e28 |
| SHA1 | 061c8e1fd9bd9edfdd4bbb315b4e00ea60a721a4 |
| SHA256 | 3c0a820667cc39635889c96f2499394f5b3fa31db35f50127ad78070fd009ac6 |
| SHA512 | 37d7ecd37758cde4cd8379632ada46039bb03b4723209a64af03e1b1a82895ad04c130d617ef45965228ee36ffc545a22b6bcbd622df179f3314979e222c0e04 |
memory/2008-8-0x0000000010000000-0x0000000010020000-memory.dmp