Malware Analysis Report

2025-01-22 14:30

Sample ID 240623-smw9pawale
Target 06bb1022bcf68a4375b33341307f3844_JaffaCakes118
SHA256 4426e570612fb0e065551c684ade75522ad0b9fb4c32429335d00c71d649afcd
Tags
gh0strat persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4426e570612fb0e065551c684ade75522ad0b9fb4c32429335d00c71d649afcd

Threat Level: Known bad

The file 06bb1022bcf68a4375b33341307f3844_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

gh0strat persistence rat

Gh0st RAT payload

Gh0strat

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-23 15:15

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-23 15:15

Reported

2024-06-23 15:17

Platform

win7-20240221-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06bb1022bcf68a4375b33341307f3844_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description Indicator Process Target
(12 matches recorded; Description, Indicator, Process and Target were all exported as N/A for this signature)

Gh0strat

rat gh0strat

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\Windows\svchest000.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Kris = "C:\\Users\\Admin\\AppData\\Local\\Temp\\06bb1022bcf68a4375b33341307f3844_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\06bb1022bcf68a4375b33341307f3844_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created \??\c:\Windows\BJ.exe C:\Users\Admin\AppData\Local\Temp\06bb1022bcf68a4375b33341307f3844_JaffaCakes118.exe N/A
File created \??\c:\Windows\svchest000.exe C:\Users\Admin\AppData\Local\Temp\06bb1022bcf68a4375b33341307f3844_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\svchest000.exe C:\Users\Admin\AppData\Local\Temp\06bb1022bcf68a4375b33341307f3844_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\BJ.exe C:\Users\Admin\AppData\Local\Temp\06bb1022bcf68a4375b33341307f3844_JaffaCakes118.exe N/A
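
The three behaviours recorded in this run (a self-copy dropped into C:\Windows under an svchost-like name, a Run value that points back at the %TEMP% sample rather than at the dropped copy, and a lookup of a 3322.org dynamic-DNS host) are easy to encode as triage rules. The script below is an added example written for this page, not code from the sandbox vendor or from the report. The event dictionaries (type, path, key, data, image, query) are a simplified shape assumed here for illustration, and the constructed event stream mirrors the behavioral1 table above; BJ.exe is given no hash because the report records none for it.

```python
# Added example: triage rules derived from this report, run over constructed events.
import re

# Indicators copied from the report above.
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\06bb1022bcf68a4375b33341307f3844_JaffaCakes118.exe"
SAMPLE_SHA256 = "4426e570612fb0e065551c684ade75522ad0b9fb4c32429335d00c71d649afcd"

# RUN_KEY matches both the native Run key and the Wow6432Node-redirected one the
# report shows (a 32-bit PE on 64-bit Windows writes into the redirected view).
RUN_KEY = "\\microsoft\\windows\\currentversion\\run\\"
WINDIR_EXE = re.compile(r"^c:\\windows\\[^\\]+\.exe$")      # direct child of C:\Windows
TEMP_DIR = re.compile(r"\\+appdata\\+local\\+temp\\+")        # tolerates escaped backslashes
SVCHOST_LOOKALIKE = re.compile(r"\\svch\w*\.exe$")            # svchest000.exe, svchest4250...exe
DYNDNS_SUFFIXES = ("3322.org",)                               # dynamic-DNS provider of the C2 host


def norm_path(p: str) -> str:
    """Strip quotes and the NT object-manager prefix (\\??\\), lower-case for comparison."""
    return re.sub(r"^\\\?\?\\", "", p.strip('"')).lower()


def triage(events):
    """Return (tag, indicator) pairs for events matching the behaviours in this report."""
    findings = []
    dropped = set()   # Windows-dir executables written so far, for the 'executes dropped EXE' rule
    for ev in events:
        kind = ev["type"]
        if kind == "file_create":
            path = norm_path(ev["path"])
            if WINDIR_EXE.match(path):
                dropped.add(path)
                tag = "drop.windir_exe"
                if SVCHOST_LOOKALIKE.search(path) and not path.endswith("\\svchost.exe"):
                    tag = "drop.svchost_lookalike"
                if ev.get("sha256") == SAMPLE_SHA256:
                    tag += ".self_copy"   # dropped file is byte-identical to the submitted sample
                findings.append((tag, path))
        elif kind == "reg_set":
            # Key on the value data (points into the user's Temp dir), not on the value name
            # "Kris", which a hunt should not rely on.
            if RUN_KEY in ev["key"].lower() and TEMP_DIR.search(ev["data"].lower()):
                findings.append(("persistence.run_key_to_temp", ev["key"]))
        elif kind == "proc_create":
            image = norm_path(ev["image"])
            if image in dropped:
                findings.append(("exec.dropped_exe", image))
        elif kind == "dns":
            query = ev["query"].lower()
            if query.endswith(DYNDNS_SUFFIXES):
                findings.append(("dns.dynamic_dns_3322org", query))
    return findings


# Constructed event stream mirroring the behavioral1 run above.
EVENTS = [
    {"type": "file_create", "path": r"\??\c:\Windows\BJ.exe", "process": SAMPLE_EXE},
    {"type": "file_create", "path": r"\??\c:\Windows\svchest000.exe", "process": SAMPLE_EXE,
     "sha256": SAMPLE_SHA256},
    {"type": "reg_set", "process": SAMPLE_EXE,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Kris",
     "data": '"' + SAMPLE_EXE.replace("\\", "\\\\") + '"'},   # escaped form, as in the report
    {"type": "proc_create", "image": r"c:\Windows\svchest000.exe", "parent": SAMPLE_EXE},
    {"type": "dns", "query": "aa0533.3322.org"},
    {"type": "dns", "query": "g.bing.com"},   # OS background noise, must not match
]

if __name__ == "__main__":
    for tag, indicator in triage(EVENTS):
        print(f"{tag:40} {indicator}")
```

Two points the rules encode that a hunt should keep in mind: the dropped C:\Windows\svchest000.exe carries the same MD5/SHA1/SHA256 as the submitted file (see the Files section below), so a single hash covers both copies; and because the Run value references the %TEMP% path rather than the dropped copy, deleting the temp file breaks that autostart while C:\Windows\svchest000.exe and BJ.exe remain on disk and still need removal.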

Processes

C:\Users\Admin\AppData\Local\Temp\06bb1022bcf68a4375b33341307f3844_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\06bb1022bcf68a4375b33341307f3844_JaffaCakes118.exe"

\??\c:\Windows\svchest000.exe

c:\Windows\svchest000.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 aa0533.3322.org udp

Files

memory/2528-0-0x0000000000400000-0x000000000054B000-memory.dmp

memory/2528-5-0x0000000000400000-0x000000000054B000-memory.dmp

memory/2528-11-0x0000000000400000-0x000000000054B000-memory.dmp

memory/2528-10-0x0000000000401000-0x0000000000468000-memory.dmp

memory/2528-9-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/2528-8-0x0000000000290000-0x0000000000292000-memory.dmp

memory/2528-7-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2528-6-0x0000000000230000-0x000000000026E000-memory.dmp

memory/2528-4-0x0000000000400000-0x000000000054B000-memory.dmp

C:\Windows\svchest000.exe

MD5 06bb1022bcf68a4375b33341307f3844
SHA1 b0deaa6b1d2856ee5f9a5e8409e2e2629ea4d59b
SHA256 4426e570612fb0e065551c684ade75522ad0b9fb4c32429335d00c71d649afcd
SHA512 f99852c4eba0c63461f2de2ed734ffdd35bafb67c16f36760f84b6453cc5b16ef50f2cd4e744f0a7890003eecd0d67dfb7ed1ecdd15cc38043872ce157a89554

memory/2576-26-0x0000000000400000-0x000000000054B000-memory.dmp

memory/2576-25-0x0000000000400000-0x000000000054B000-memory.dmp

memory/2576-24-0x0000000000400000-0x000000000054B000-memory.dmp

memory/2576-23-0x0000000000400000-0x000000000054B000-memory.dmp

memory/2576-22-0x0000000000400000-0x000000000054B000-memory.dmp

memory/2576-21-0x0000000000400000-0x000000000054B000-memory.dmp

memory/2576-20-0x0000000000400000-0x000000000054B000-memory.dmp

memory/2528-19-0x0000000002B70000-0x0000000002CBB000-memory.dmp

memory/2576-18-0x0000000000230000-0x000000000026E000-memory.dmp

memory/2528-3-0x0000000000400000-0x000000000054B000-memory.dmp

memory/2528-2-0x0000000000400000-0x000000000054B000-memory.dmp

memory/2528-1-0x0000000000230000-0x000000000026E000-memory.dmp

memory/2576-27-0x0000000000230000-0x000000000026E000-memory.dmp

memory/2576-29-0x0000000000400000-0x000000000054B000-memory.dmp

memory/2528-31-0x0000000000400000-0x000000000054B000-memory.dmp

memory/2528-33-0x0000000002B70000-0x0000000002CBB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-23 15:15

Reported

2024-06-23 15:17

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06bb1022bcf68a4375b33341307f3844_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description Indicator Process Target
(10 matches recorded; Description, Indicator, Process and Target were all exported as N/A for this signature)

Gh0strat

rat gh0strat

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\Windows\svchest425075242507520.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Kris = "C:\\Users\\Admin\\AppData\\Local\\Temp\\06bb1022bcf68a4375b33341307f3844_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\06bb1022bcf68a4375b33341307f3844_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\Windows\svchest425075242507520.exe C:\Users\Admin\AppData\Local\Temp\06bb1022bcf68a4375b33341307f3844_JaffaCakes118.exe N/A
File created \??\c:\Windows\BJ.exe C:\Users\Admin\AppData\Local\Temp\06bb1022bcf68a4375b33341307f3844_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\BJ.exe C:\Users\Admin\AppData\Local\Temp\06bb1022bcf68a4375b33341307f3844_JaffaCakes118.exe N/A
File created \??\c:\Windows\svchest425075242507520.exe C:\Users\Admin\AppData\Local\Temp\06bb1022bcf68a4375b33341307f3844_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\06bb1022bcf68a4375b33341307f3844_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\06bb1022bcf68a4375b33341307f3844_JaffaCakes118.exe"

\??\c:\Windows\svchest425075242507520.exe

c:\Windows\svchest425075242507520.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 aa0533.3322.org udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 25.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
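
Most of this table is not the sample's traffic: the win10 image generates Bing/Start-menu sessions and reverse (PTR) lookups for the IPs it talks to, which is why the win7 run above shows only the aa0533.3322.org row. The script below is an added example for this page, not sandbox or vendor code; it parses the rows copied from the table above, separates OS background traffic from the sample's own lookup, and checks which suspicious domains were only resolved but never followed by a session. The benign-suffix list is an assumption made here for a stock Windows 10 baseline.

```python
# Added example: noise filtering over the behavioral2 network table.
from collections import defaultdict

# Rows copied from the behavioral2 (win10v2004) network table above.
NETWORK_ROWS = """\
US 8.8.8.8:53 aa0533.3322.org udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 25.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
"""

# Assumed benign baseline for a stock Windows 10 sandbox image (Start menu / search traffic).
BACKGROUND_SUFFIXES = (".bing.com", ".bing.net")


def parse_rows(text):
    """Parse 'Country Destination Domain Proto' rows into dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain.lower(), "proto": proto})
    return rows


def classify(row):
    d = row["domain"]
    if d.endswith(".in-addr.arpa"):
        return "reverse_lookup"   # PTR query for an IP the VM talked to; no new destination
    if d.endswith(BACKGROUND_SUFFIXES):
        return "os_background"
    return "suspicious"


def summarize(text):
    """Bucket unique (domain, ip, port, proto) tuples by class."""
    buckets = defaultdict(set)
    for row in parse_rows(text):
        buckets[classify(row)].add((row["domain"], row["ip"], row["port"], row["proto"]))
    return {k: sorted(v) for k, v in buckets.items()}


def dns_only_domains(text):
    """Suspicious domains that were resolved but never followed by a non-DNS session.
    The lookup alone is still an indicator; the absence of a session only means the
    sandbox captured no connection to the host within the run."""
    sus = summarize(text).get("suspicious", [])
    sessions = {d for d, _ip, port, _proto in sus if port != 53}
    return {d for d, _ip, port, _proto in sus if port == 53} - sessions


def ptr_ip(domain):
    """'237.21.107.13.in-addr.arpa' -> '13.107.21.237'."""
    octets = domain[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def orphan_ptrs(text):
    """IPs reverse-looked-up in the table that never appear as a destination in it."""
    rows = parse_rows(text)
    seen = {r["ip"] for r in rows}
    ptrs = {ptr_ip(r["domain"]) for r in rows if classify(r) == "reverse_lookup"}
    return sorted(ptrs - seen)


if __name__ == "__main__":
    for cls, entries in summarize(NETWORK_ROWS).items():
        print(cls, len(entries))
    print("resolved, no session:", dns_only_domains(NETWORK_ROWS))
    print("PTR-only IPs:", orphan_ptrs(NETWORK_ROWS))
```

Two of the PTR rows reverse to destinations already in the table (237.21.107.13 is 13.107.21.237, the g.bing.com session; 10.28.171.150 is 150.171.28.10, the tse1.mm.bing.net session); the remaining PTR lookups name IPs that never appear as a session destination and are worth a second look only if they are not part of the image's normal baseline.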

Files

memory/2992-0-0x0000000000400000-0x000000000054B000-memory.dmp

memory/2992-1-0x0000000000730000-0x000000000076E000-memory.dmp

memory/2992-4-0x00000000006B0000-0x00000000006B1000-memory.dmp

memory/2992-6-0x00000000006F0000-0x00000000006F1000-memory.dmp

memory/2992-5-0x00000000006D0000-0x00000000006D2000-memory.dmp

memory/2992-8-0x0000000000400000-0x000000000054B000-memory.dmp

memory/2992-7-0x0000000000400000-0x000000000054B000-memory.dmp

memory/2992-3-0x0000000000400000-0x000000000054B000-memory.dmp

memory/2992-9-0x0000000000400000-0x000000000054B000-memory.dmp

\??\c:\Windows\svchest425075242507520.exe

MD5 06bb1022bcf68a4375b33341307f3844
SHA1 b0deaa6b1d2856ee5f9a5e8409e2e2629ea4d59b
SHA256 4426e570612fb0e065551c684ade75522ad0b9fb4c32429335d00c71d649afcd
SHA512 f99852c4eba0c63461f2de2ed734ffdd35bafb67c16f36760f84b6453cc5b16ef50f2cd4e744f0a7890003eecd0d67dfb7ed1ecdd15cc38043872ce157a89554

memory/2992-17-0x0000000000401000-0x0000000000468000-memory.dmp

memory/3084-19-0x0000000000400000-0x000000000054B000-memory.dmp

memory/2992-18-0x0000000000400000-0x000000000054B000-memory.dmp

memory/2992-2-0x0000000000730000-0x000000000076E000-memory.dmp

memory/3084-20-0x0000000000400000-0x000000000054B000-memory.dmp

memory/3084-22-0x0000000000400000-0x000000000054B000-memory.dmp

memory/3084-21-0x0000000002020000-0x000000000205E000-memory.dmp

memory/3084-24-0x0000000000400000-0x000000000054B000-memory.dmp

memory/3084-27-0x0000000002020000-0x000000000205E000-memory.dmp

memory/3084-26-0x0000000000400000-0x000000000054B000-memory.dmp

memory/3084-25-0x0000000000400000-0x000000000054B000-memory.dmp

memory/3084-23-0x0000000000400000-0x000000000054B000-memory.dmp

memory/2992-29-0x0000000000400000-0x000000000054B000-memory.dmp

memory/2992-30-0x0000000000730000-0x000000000076E000-memory.dmp