Malware Analysis Report

2025-01-22 14:30

Sample ID 240623-r43x5avcqd
Target 0699f8a0ec784fd5b07a5b2e568898ea_JaffaCakes118
SHA256 e78b7ca8cdb7a26f156b50211b7b37504fb6c4da606434ac1566006ab07594b0
Tags
gh0strat persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e78b7ca8cdb7a26f156b50211b7b37504fb6c4da606434ac1566006ab07594b0

Threat Level: Known bad

The file 0699f8a0ec784fd5b07a5b2e568898ea_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

gh0strat persistence rat

Gh0strat

Gh0st RAT payload

Gh0strat family

Server Software Component: Terminal Services DLL

Deletes itself

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-23 14:45

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Gh0strat family

gh0strat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-23 14:45

Reported

2024-06-23 14:48

Platform

win7-20240611-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0699f8a0ec784fd5b07a5b2e568898ea_JaffaCakes118.exe"

Signatures

Server Software Component: Terminal Services DLL

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\M020utiHack\Parameters\ServiceDll = "C:\\Windows\\system32\\mutihack.dll" C:\Users\Admin\AppData\Local\Temp\0699f8a0ec784fd5b07a5b2e568898ea_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\mutihack.dll C:\Users\Admin\AppData\Local\Temp\0699f8a0ec784fd5b07a5b2e568898ea_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0699f8a0ec784fd5b07a5b2e568898ea_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0699f8a0ec784fd5b07a5b2e568898ea_JaffaCakes118.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-23 14:45

Reported

2024-06-23 14:48

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0699f8a0ec784fd5b07a5b2e568898ea_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Server Software Component: Terminal Services DLL

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\M020utiHack\Parameters\ServiceDll = "C:\\Windows\\system32\\mutihack.dll" C:\Users\Admin\AppData\Local\Temp\0699f8a0ec784fd5b07a5b2e568898ea_JaffaCakes118.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\mutihack.dll C:\Users\Admin\AppData\Local\Temp\0699f8a0ec784fd5b07a5b2e568898ea_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0699f8a0ec784fd5b07a5b2e568898ea_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0699f8a0ec784fd5b07a5b2e568898ea_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 nw1008.3322.org udp
US 8.8.8.8:53 nw1008.3322.org udp
US 8.8.8.8:53 nw1008.3322.org udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 nw1008.3322.org udp
US 8.8.8.8:53 nw1008.3322.org udp
US 8.8.8.8:53 nw1008.3322.org udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 17.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 nw1008.3322.org udp
US 8.8.8.8:53 nw1008.3322.org udp
US 8.8.8.8:53 nw1008.3322.org udp
US 8.8.8.8:53 nw1008.3322.org udp
US 8.8.8.8:53 nw1008.3322.org udp
US 8.8.8.8:53 nw1008.3322.org udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 nw1008.3322.org udp
US 8.8.8.8:53 nw1008.3322.org udp
US 8.8.8.8:53 nw1008.3322.org udp
US 8.8.8.8:53 nw1008.3322.org udp
US 8.8.8.8:53 nw1008.3322.org udp
US 8.8.8.8:53 nw1008.3322.org udp
US 8.8.8.8:53 nw1008.3322.org udp
US 8.8.8.8:53 nw1008.3322.org udp
US 8.8.8.8:53 nw1008.3322.org udp
US 8.8.8.8:53 nw1008.3322.org udp
US 8.8.8.8:53 nw1008.3322.org udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 nw1008.3322.org udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 nw1008.3322.org udp
US 8.8.8.8:53 nw1008.3322.org udp
US 8.8.8.8:53 nw1008.3322.org udp
US 8.8.8.8:53 nw1008.3322.org udp
US 8.8.8.8:53 nw1008.3322.org udp

Files

C:\Windows\SysWOW64\mutihack.dll

MD5 55d2a6c05d38cde2a772412d06bb3791
SHA1 1e17f0b2eddea0a78cac9753c0302615add429a5
SHA256 b17f4d6dd933006cc9b59a445a2d6a92af5854b129f275a0d0976eb54962ac72
SHA512 9625912898ebbe1a25f79c31987afa38cb37a265f012484d89dc4a7b3c32418d99f131b8d22eac566fff7a29b6b9a0d96c038f3f723debeea68cd2c6b0607f69