Malware Analysis Report

2025-01-22 14:27

Sample ID 240623-q1yzbswfnq
Target 06544a3435938b21f284f8ab7f187efd_JaffaCakes118
SHA256 13abc52d4dab9dbb8c59576905aace2b270559e4b59a535745cc42763c18b805
Tags
gh0strat persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

13abc52d4dab9dbb8c59576905aace2b270559e4b59a535745cc42763c18b805

Threat Level: Known bad

The file 06544a3435938b21f284f8ab7f187efd_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

gh0strat persistence rat

Gh0strat

Gh0strat family

Gh0st RAT payload

Server Software Component: Terminal Services DLL

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-23 13:44

Signatures

Gh0st RAT payload

1 entry; Description, Indicator, Process and Target all N/A

Gh0strat family

gh0strat

Unsigned PE

1 entry; Description, Indicator, Process and Target all N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-23 13:44

Reported

2024-06-23 13:46

Platform

win7-20240611-en

Max time kernel

118s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06544a3435938b21f284f8ab7f187efd_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

2 entries; Description, Indicator, Process and Target all N/A

Gh0strat

rat gh0strat

Server Software Component: Terminal Services DLL

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Network Connections (0) Manager\Parameters\ServiceDll = "C:\\WINDOWS\\system\\temp\\Service.ini"
Process: C:\Users\Admin\AppData\Local\Temp\06544a3435938b21f284f8ab7f187efd_JaffaCakes118.exe
Target: N/A

Loads dropped DLL

2 entries; Description N/A; Indicator N/A; Process C:\Windows\SysWOW64\svchost.exe; Target N/A

Drops file in Windows directory

Description: File opened for modification
Indicator: C:\WINDOWS\system\temp
Process: C:\Users\Admin\AppData\Local\Temp\06544a3435938b21f284f8ab7f187efd_JaffaCakes118.exe
Target: N/A

Description: File created
Indicator: C:\WINDOWS\system\..txt
Process: C:\Users\Admin\AppData\Local\Temp\06544a3435938b21f284f8ab7f187efd_JaffaCakes118.exe
Target: N/A

Description: File created
Indicator: C:\WINDOWS\system\temp\Service.ini
Process: C:\Users\Admin\AppData\Local\Temp\06544a3435938b21f284f8ab7f187efd_JaffaCakes118.exe
Target: N/A

Description: File opened for modification
Indicator: C:\WINDOWS\system\temp\Service.ini
Process: C:\Windows\SysWOW64\cmd.exe
Target: N/A

Description: File created
Indicator: C:\WINDOWS\system\temp\Service.ini
Process: C:\Windows\SysWOW64\cmd.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\06544a3435938b21f284f8ab7f187efd_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\06544a3435938b21f284f8ab7f187efd_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c copy /b C:\\WINDOWS\system\..txt+C:\\WINDOWS\system\....txt C:\WINDOWS\system\temp\Service.ini

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs

Network

N/A

Files

C:\WINDOWS\system\..txt

MD5 ac6ad5d9b99757c3a878f2d275ace198
SHA1 439baa1b33514fb81632aaf44d16a9378c5664fc
SHA256 9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d
SHA512 bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

C:\WINDOWS\system\....txt

MD5 e8b990bb3bd2cfa1b04058b568a55747
SHA1 0cbd7fe2960a15f3aabaad6b214bc94e27aea7a7
SHA256 99307ab889ef750abb63a80ff073acffa04c8bc59ce53ce4e36abf89829a54ca
SHA512 85fc4b66a04549f3ecc62d73dec86dcd73545dbb5c049d5d9b6c0496fb4f0a0deb1140f18baaa92f7fb2d40ee2a53eda25e3736b835065e5fc528d6710100477

\??\c:\windows\system\temp\service.ini

MD5 e47fd37e79f50febfc0221743724c66a
SHA1 056a2eb81fa6d018df70b7e7feb0494e03511741
SHA256 241e6ae9aa91717ec56a440e9ab29619f77c18dba521525213c1fbbdd31c05be
SHA512 03f426e2a8cf3e41b210ce495cd135623e9c76175f9f36e25dbecc2c760a686a7c293cbb3998ae668f2998e3969eb326e986fc0544b33ed8ffdcdae2fc648aab

memory/2116-8-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2116-10-0x0000000010000000-0x0000000010020000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-23 13:44

Reported

2024-06-23 13:46

Platform

win10v2004-20240508-en

Max time kernel

93s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06544a3435938b21f284f8ab7f187efd_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

3 entries; Description, Indicator, Process and Target all N/A

Gh0strat

rat gh0strat

Server Software Component: Terminal Services DLL

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Network Connections (0) Manager\Parameters\ServiceDll = "C:\\WINDOWS\\system\\temp\\Service.ini"
Process: C:\Users\Admin\AppData\Local\Temp\06544a3435938b21f284f8ab7f187efd_JaffaCakes118.exe
Target: N/A

Loads dropped DLL

1 entry; Description N/A; Indicator N/A; Process C:\Windows\SysWOW64\svchost.exe; Target N/A

Drops file in Windows directory

Description: File opened for modification
Indicator: C:\WINDOWS\system\temp\Service.ini
Process: C:\Windows\SysWOW64\cmd.exe
Target: N/A

Description: File created
Indicator: C:\WINDOWS\system\temp\Service.ini
Process: C:\Windows\SysWOW64\cmd.exe
Target: N/A

Description: File opened for modification
Indicator: C:\WINDOWS\system\temp
Process: C:\Users\Admin\AppData\Local\Temp\06544a3435938b21f284f8ab7f187efd_JaffaCakes118.exe
Target: N/A

Description: File created
Indicator: C:\WINDOWS\system\..txt
Process: C:\Users\Admin\AppData\Local\Temp\06544a3435938b21f284f8ab7f187efd_JaffaCakes118.exe
Target: N/A

Description: File created
Indicator: C:\WINDOWS\system\temp\Service.ini
Process: C:\Users\Admin\AppData\Local\Temp\06544a3435938b21f284f8ab7f187efd_JaffaCakes118.exe
Target: N/A

Program crash

1 entry; Description N/A; Indicator N/A; Process C:\Windows\SysWOW64\WerFault.exe; Target C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\06544a3435938b21f284f8ab7f187efd_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\06544a3435938b21f284f8ab7f187efd_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c copy /b C:\\WINDOWS\system\..txt+C:\\WINDOWS\system\....txt C:\WINDOWS\system\temp\Service.ini

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2008 -ip 2008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 444

Network

Country  Destination  Domain                        Proto
US       8.8.8.8:53   8.8.8.8.in-addr.arpa          udp
US       8.8.8.8:53   58.55.71.13.in-addr.arpa      udp
US       8.8.8.8:53   25.24.18.2.in-addr.arpa       udp
US       8.8.8.8:53   136.32.126.40.in-addr.arpa    udp
US       8.8.8.8:53   154.239.44.20.in-addr.arpa    udp
US       8.8.8.8:53   217.106.137.52.in-addr.arpa   udp
US       8.8.8.8:53   103.169.127.40.in-addr.arpa   udp
US       8.8.8.8:53   206.23.85.13.in-addr.arpa     udp
US       8.8.8.8:53   240.221.184.93.in-addr.arpa   udp
US       8.8.8.8:53   37.56.20.217.in-addr.arpa     udp
US       8.8.8.8:53   13.227.111.52.in-addr.arpa    udp

Files

C:\WINDOWS\system\....txt

MD5 3bf2108f9472a7bcda82fda411c3d0bb
SHA1 5b1682df6f544acd1ff62ed86e0fab9eb8b3255e
SHA256 692bf121e3f8a09b052f87c866b638ca70aa5ea34fd31d7a90d167c4ccdcf93a
SHA512 142fa826680181352a61f372e7d62c9c81436b416fc7e20845cc5defeb172141a4d7759b6fb140bacbc7214be66b02648588ef2a1f939185ff45330d91d444af

C:\WINDOWS\system\..txt

MD5 ac6ad5d9b99757c3a878f2d275ace198
SHA1 439baa1b33514fb81632aaf44d16a9378c5664fc
SHA256 9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d
SHA512 bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

\??\c:\windows\system\temp\service.ini

MD5 f26c2df1e21d780bc47b4535c00c5e28
SHA1 061c8e1fd9bd9edfdd4bbb315b4e00ea60a721a4
SHA256 3c0a820667cc39635889c96f2499394f5b3fa31db35f50127ad78070fd009ac6
SHA512 37d7ecd37758cde4cd8379632ada46039bb03b4723209a64af03e1b1a82895ad04c130d617ef45965228ee36ffc545a22b6bcbd622df179f3314979e222c0e04

memory/2008-8-0x0000000010000000-0x0000000010020000-memory.dmp