Malware Analysis Report

2025-01-22 14:30

Sample ID: 240623-qr5erascjh
Target: 06450cc31f1e54fd264e3316aa4dc481_JaffaCakes118
SHA256: 6457203c3428fd916416452cd6739141d7d2a739c3b15f61077c07bb63d9c966
Tags: gh0strat bootkit persistence rat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 6457203c3428fd916416452cd6739141d7d2a739c3b15f61077c07bb63d9c966

Threat Level: Known bad

The file 06450cc31f1e54fd264e3316aa4dc481_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

gh0strat bootkit persistence rat

Gh0st RAT payload

Gh0strat

Loads dropped DLL

Executes dropped EXE

Deletes itself

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-23 13:30

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-23 13:30
Reported: 2024-06-23 13:33
Platform: win7-20240611-en
Max time kernel: 149s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06450cc31f1e54fd264e3316aa4dc481_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Gh0strat

Tags: rat gh0strat

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | \??\c:\users\admin\appdata\local\fuwmdldnfx | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\users\admin\appdata\local\fuwmdldnfx | N/A

Writes to the Master Boot Record (MBR)

Tags: bootkit persistence

Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\svchost.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\gfpvjipuaw | C:\Windows\SysWOW64\svchost.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\svchost.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7" | C:\Windows\SysWOW64\svchost.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | \??\c:\users\admin\appdata\local\fuwmdldnfx | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | \??\c:\users\admin\appdata\local\fuwmdldnfx | N/A
Token: SeBackupPrivilege | N/A | \??\c:\users\admin\appdata\local\fuwmdldnfx | N/A
Token: SeBackupPrivilege | N/A | \??\c:\users\admin\appdata\local\fuwmdldnfx | N/A
Token: SeRestorePrivilege | N/A | \??\c:\users\admin\appdata\local\fuwmdldnfx | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\06450cc31f1e54fd264e3316aa4dc481_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\06450cc31f1e54fd264e3316aa4dc481_JaffaCakes118.exe"

\??\c:\users\admin\appdata\local\fuwmdldnfx

"C:\Users\Admin\AppData\Local\Temp\06450cc31f1e54fd264e3316aa4dc481_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\06450cc31f1e54fd264e3316aa4dc481_jaffacakes118.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | bibo9.8800.org | udp
US | 8.8.8.8:53 | conf.f.360.cn | udp
IT | 93.46.8.90:889 | bibo9.8800.org | tcp
US | 8.8.8.8:53 | bibo9.8800.org | udp
KR | 59.24.3.174:889 | bibo9.8800.org | tcp

Files

memory/2236-2-0x0000000000030000-0x0000000000031000-memory.dmp

memory/2236-1-0x0000000000400000-0x000000000044E300-memory.dmp

\Users\Admin\AppData\Local\fuwmdldnfx

MD5 ad15378e3c35b66be697d4225c048f3a
SHA1 2ea6ef54b6aaec7ad325e2aff5a3cbbedcad90d2
SHA256 ba400016584f5088db4c98ea8876efcd8903d504edfca8b660857a6d6bc5a4e1
SHA512 4845bde7143d0168f1a2722d2af2574c8a5aa04847b903a3c46e8dc39f7e2805c2d658ea818b9aa0f5616d8fc73144e8aae5540e74197ba2b6fe748e0776e4dc

memory/2236-7-0x0000000000350000-0x000000000039F000-memory.dmp

memory/1996-13-0x0000000000400000-0x000000000044E300-memory.dmp

memory/2236-16-0x0000000000400000-0x000000000044E300-memory.dmp

memory/1996-17-0x0000000000030000-0x0000000000031000-memory.dmp

\??\c:\programdata\application data\storm\update\%sessionname%\ekxle.cc3

MD5 e1b32c2ecec7f54d78e5f4cd2f8e250f
SHA1 e0ca5de411787456a3e12ada484f2df4e737ee69
SHA256 6d71e5dc472416523921f69ff16856366957085b94c991f3c049986adfb4a7ca
SHA512 18ccc4ea7e99fd6eec93c4187548a9ff6098f72622f8a46a7e51fb79f98af27a1804b63c39282d535c46c42991110ab5eecea882a12c149ac279e21ec09fc22d

memory/1996-23-0x0000000000400000-0x000000000044E300-memory.dmp

memory/1952-24-0x0000000000720000-0x0000000000721000-memory.dmp

memory/1952-26-0x0000000020000000-0x0000000020027000-memory.dmp

memory/1952-28-0x0000000020000000-0x0000000020027000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-23 13:30
Reported: 2024-06-23 13:33
Platform: win10v2004-20240226-en
Max time kernel: 139s
Max time network: 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06450cc31f1e54fd264e3316aa4dc481_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Gh0strat

Tags: rat gh0strat

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | \??\c:\users\admin\appdata\local\mwvnvhtkvd | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\users\admin\appdata\local\mwvnvhtkvd | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\glyuipkdoi | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | C:\Windows\SysWOW64\svchost.exe | N/A
File created | C:\Windows\SysWOW64\gedrdtssbq | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | C:\Windows\SysWOW64\svchost.exe | N/A
File created | C:\Windows\SysWOW64\gmrklwvqol | C:\Windows\SysWOW64\svchost.exe | N/A
File created | C:\Windows\SysWOW64\gmipkgdjbw | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | C:\Windows\SysWOW64\svchost.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | \??\c:\users\admin\appdata\local\mwvnvhtkvd | N/A
N/A | N/A | \??\c:\users\admin\appdata\local\mwvnvhtkvd | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | \??\c:\users\admin\appdata\local\mwvnvhtkvd | N/A
Token: SeBackupPrivilege | N/A | \??\c:\users\admin\appdata\local\mwvnvhtkvd | N/A
Token: SeBackupPrivilege | N/A | \??\c:\users\admin\appdata\local\mwvnvhtkvd | N/A
Token: SeRestorePrivilege | N/A | \??\c:\users\admin\appdata\local\mwvnvhtkvd | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\06450cc31f1e54fd264e3316aa4dc481_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\06450cc31f1e54fd264e3316aa4dc481_JaffaCakes118.exe"

\??\c:\users\admin\appdata\local\mwvnvhtkvd

"C:\Users\Admin\AppData\Local\Temp\06450cc31f1e54fd264e3316aa4dc481_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\06450cc31f1e54fd264e3316aa4dc481_jaffacakes118.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1892 -ip 1892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 1064

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4244 -ip 4244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 832

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3808 -ip 3808

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5164 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
GB | 96.16.110.114:80 |  | tcp
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | conf.f.360.cn | udp
US | 8.8.8.8:53 | conf.f.360.cn | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 13.107.253.64:443 |  | tcp
US | 8.8.8.8:53 | 76.234.34.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.239.69.13.in-addr.arpa | udp

Files

memory/5112-0-0x0000000000400000-0x000000000044E300-memory.dmp

memory/5112-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

C:\Users\Admin\AppData\Local\mwvnvhtkvd

MD5 583b17886a6054b6ffb14b651e9fa6b4
SHA1 72ba1a8a11ad8f72cb05645bc2afad6f6e06aa7c
SHA256 2017dfc9b863b5630ef547346440b4842a6a42b38a8ae4ccee1e0bd87a489f03
SHA512 888313700e7d5d1aa33447667086f12a1204e95d2ab380a18d3ca71c3cf2e3fe12f7f7a21672043dff88b7043ca89a7f6e0acc007f6a571a00c1933fe7d4a516

memory/4132-8-0x0000000000400000-0x000000000044E300-memory.dmp

memory/5112-7-0x0000000000400000-0x000000000044E300-memory.dmp

memory/4132-10-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/4132-11-0x00000000001D0000-0x00000000001D1000-memory.dmp

\??\c:\programdata\application data\storm\update\%sessionname%\nxkqo.cc3

MD5 09a65dca2c07902f69080730ecfc675d
SHA1 2424ef72c1eb20c70f1df68523bfb07d2796992e
SHA256 c27a9805fc26e36e074ec0eacc5366f782c13d7a12b789ee4adfab575beaf3fb
SHA512 4d4cb1506328284885a95e0b60a7052d8265132b354df863118837e624728d7fd2d3f1cbf744dee5e8148cf3cc857097c1c08909420db566164f342e7ffb9822

memory/4132-17-0x0000000000400000-0x000000000044E300-memory.dmp

memory/1892-18-0x0000000001EC0000-0x0000000001EC1000-memory.dmp

memory/1892-20-0x0000000020000000-0x0000000020027000-memory.dmp

memory/4244-22-0x00000000011E0000-0x00000000011E1000-memory.dmp

C:\Windows\SysWOW64\svchost.exe.txt

MD5 bc987ab72b9a6e61b69d13d6037b84c3
SHA1 5095693dadd848750ec2d8f90f0f459d4ef09cdf
SHA256 8d9e81bca7c872d5547b5ded135de0568ee9be0580425da84513363650a932d1
SHA512 4f8b4d8cac21fa3f2d394aaa77640efab4d611d6bad797081225542137bef12c0a1de9ffde3a2211d2172e50d398496ada983c2421d3a2854deca41ae676400b

memory/4244-25-0x0000000020000000-0x0000000020027000-memory.dmp

memory/3808-27-0x0000000002040000-0x0000000002041000-memory.dmp

C:\Windows\SysWOW64\svchost.exe.txt

MD5 8cfe103ad98e6e7f50c53498135827f2
SHA1 e582e4b29e8cf39b7816d9a3e500e066faafd3c7
SHA256 21d410eb8a5d58be551b443b6da5c6294f86a65db85aa1c3cb900592c84a131e
SHA512 bf73c75ecb9366c9c2a901a1d4dc6e25470a1dd31eeb17e6afe7562edca7e4ba0258ab2cf10fb18dc8df85f9dc72760bddf151cf48303e406f786fe45cfc3537

memory/3808-30-0x0000000020000000-0x0000000020027000-memory.dmp