Analysis Overview
SHA256
e78b7ca8cdb7a26f156b50211b7b37504fb6c4da606434ac1566006ab07594b0
Threat Level: Known bad
The file 0699f8a0ec784fd5b07a5b2e568898ea_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Gh0strat
Gh0st RAT payload
Gh0strat family
Server Software Component: Terminal Services DLL
Deletes itself
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-23 14:45
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Gh0strat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-23 14:45
Reported
2024-06-23 14:48
Platform
win7-20240611-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Server Software Component: Terminal Services DLL
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\M020utiHack\Parameters\ServiceDll = "C:\\Windows\\system32\\mutihack.dll" | C:\Users\Admin\AppData\Local\Temp\0699f8a0ec784fd5b07a5b2e568898ea_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\mutihack.dll | C:\Users\Admin\AppData\Local\Temp\0699f8a0ec784fd5b07a5b2e568898ea_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\0699f8a0ec784fd5b07a5b2e568898ea_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0699f8a0ec784fd5b07a5b2e568898ea_JaffaCakes118.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-23 14:45
Reported
2024-06-23 14:48
Platform
win10v2004-20240611-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Gh0strat
Server Software Component: Terminal Services DLL
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\M020utiHack\Parameters\ServiceDll = "C:\\Windows\\system32\\mutihack.dll" | C:\Users\Admin\AppData\Local\Temp\0699f8a0ec784fd5b07a5b2e568898ea_JaffaCakes118.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\mutihack.dll | C:\Users\Admin\AppData\Local\Temp\0699f8a0ec784fd5b07a5b2e568898ea_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\0699f8a0ec784fd5b07a5b2e568898ea_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0699f8a0ec784fd5b07a5b2e568898ea_JaffaCakes118.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
Network
Files
C:\Windows\SysWOW64\mutihack.dll
| MD5 | 55d2a6c05d38cde2a772412d06bb3791 |
| SHA1 | 1e17f0b2eddea0a78cac9753c0302615add429a5 |
| SHA256 | b17f4d6dd933006cc9b59a445a2d6a92af5854b129f275a0d0976eb54962ac72 |
| SHA512 | 9625912898ebbe1a25f79c31987afa38cb37a265f012484d89dc4a7b3c32418d99f131b8d22eac566fff7a29b6b9a0d96c038f3f723debeea68cd2c6b0607f69 |