Malware Analysis Report

2025-03-15 06:33

Sample ID 240624-11rv5avaje
Target 0adee9ee23d78ff4ea559063e4ec5d7e_JaffaCakes118
SHA256 8ad98ac46fce6ff5e59cb7a4d3e381c46f3841fe8a88144dccf11521e40aa6c9
Tags: gh0strat, bootkit, persistence, rat
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK (Enterprise Matrix V15)
  Analysis: static1 (Detonation Overview, Signatures)
  Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
  Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10

SHA256: 8ad98ac46fce6ff5e59cb7a4d3e381c46f3841fe8a88144dccf11521e40aa6c9

Threat Level: Known bad

The file 0adee9ee23d78ff4ea559063e4ec5d7e_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Tags: gh0strat, bootkit, persistence, rat

Observed chain (the same in both detonations): the dropper writes a DLL with a non-.dll extension under C:\PROGRA~2 (nsltx\nsltx.ref on Windows 7, drtoo\drtoo.ref on Windows 10), registers it as the ServiceDll of a service named fastuserswitchingcompatibility whose ImagePath is svchost.exe -k netsvcs, and drops d2f5ca0e.del in SysWOW64. The svchost instance that hosts the DLL then shows up as the actor for "Deletes itself" (consistent with the payload removing the dropper's file), opens \??\PhysicalDrive0 for modification (the basis of the bootkit tag; no confirmed sector write is shown), reads the CPU clock from the registry, creates DirectShow devenum keys under HKEY_USERS\.DEFAULT (so it is running under a service account, not in the user's profile), adjusts its token for SeBackupPrivilege and SeSecurityPrivilege, and resolves zhou-mengfei.3322.org, a name on a dynamic-DNS service. Only DNS queries were captured; neither run contains a C2 session to that host.

Gh0strat

Gh0st RAT payload

Sets service image path in registry

Server Software Component: Terminal Services DLL

Deletes itself

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Checks processor information in registry

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-06-24 22:07

Signatures

Unsigned PE

Description | Indicator | Process | Target
(one row, all fields N/A: the sample carries no Authenticode signature)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-24 22:07
Reported: 2024-06-24 22:09
Platform: win7-20240221-en
Max time kernel: 149s
Max time network: 146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0adee9ee23d78ff4ea559063e4ec5d7e_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description | Indicator | Process | Target
(5 rows, all fields N/A: the report records five family hits without indicator, process or target)

Gh0strat (tags: rat, gh0strat)

Server Software Component: Terminal Services DLL

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\fastuserswitchingcompatibility\Parameters\ServiceDll = "C:\PROGRA~2\nsltx\nsltx.ref" | C:\Users\Admin\AppData\Local\Temp\0adee9ee23d78ff4ea559063e4ec5d7e_JaffaCakes118.exe | N/A
Set value (str) | (same key and value) | C:\Windows\SysWOW64\svchost.exe | N/A

Note on the label: the signature name corresponds to ATT&CK T1505.005 (replacing termsrv.dll), but the service configured here is fastuserswitchingcompatibility, not TermService. What the rows actually show is a svchost service-DLL hijack: ServiceDll is pointed at the payload (the .ref extension does not stop LoadLibrary), and the netsvcs svchost group loads it at service start. T1543.003 (Create or Modify System Process: Windows Service) is the closer mapping. fastuserswitchingcompatibility is a legacy XP-era service name that should not exist on a default Windows 7 or 10 install, so that service name with a svchost ImagePath is a strong indicator by itself.

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\fastuserswitchingcompatibility\ImagePath = "%SystemRoot%\System32\svchost.exe -k netsvcs" | C:\Windows\SysWOW64\svchost.exe | N/A

The writer of both the second ServiceDll row and the ImagePath row is the hijacked svchost itself, i.e. the payload re-asserts its own service configuration once it is running.
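Hunting for this pattern in fleet telemetry, as an added example that is not part of the sandbox report: the script below scans registry-write events for ServiceDll values that do not point at a .dll inside System32, or that were written directly by something other than the Service Control Manager or an installer. The RegEvent schema and the TRUSTED_WRITERS list are assumptions; the sample events are constructed, the first one copied from the row above.

```python
"""Hunt for svchost-hosted service DLL hijacks in registry-write events.

Added example, not part of the sandbox report. The event records below are
constructed by hand and modeled on the report's "Set value (str)" rows; the
RegEvent field names are an assumption, not a real log schema.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# ServiceDll values under the SCM hive, with either \REGISTRY\MACHINE or HKLM
# naming and either a numbered control set or CurrentControlSet.
SERVICEDLL_RE = re.compile(
    r"^(?:\\REGISTRY\\MACHINE|HKLM|HKEY_LOCAL_MACHINE)\\SYSTEM\\"
    r"(?:ControlSet\d{3}|CurrentControlSet)\\services\\"
    r"(?P<svc>[^\\]+)\\Parameters\\ServiceDll$",
    re.IGNORECASE,
)

# Processes that legitimately write service configuration on a client box
# (assumption). Anything else writing ServiceDll directly is worth a look.
TRUSTED_WRITERS = {"services.exe", "msiexec.exe", "tiworker.exe", "trustedinstaller.exe"}


@dataclass
class RegEvent:
    key: str      # full registry key path, as the sandbox prints it
    value: str    # data written (string values may arrive quoted/escaped)
    process: str  # image path of the writing process


def normalize_path(raw: str) -> str:
    """Turn a ServiceDll value into a lowercase absolute path for comparison."""
    p = raw.strip().strip('"').replace("\\\\", "\\")
    p = re.sub(r"%systemroot%", lambda _m: r"C:\Windows", p, flags=re.IGNORECASE)
    return p.lower()


def find_service_dll_hijacks(events: List[RegEvent]) -> List[Tuple[str, str, List[str]]]:
    """Return (service, normalized ServiceDll, reasons) for every suspicious write.

    Heuristics: a svchost-hosted service DLL lives in System32, ends in .dll,
    and is configured through the SCM or an installer, not by an arbitrary
    process calling RegSetValue on the Parameters key.
    """
    findings = []
    for ev in events:
        m = SERVICEDLL_RE.match(ev.key)
        if not m:
            continue
        dll = normalize_path(ev.value)
        writer = ev.process.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        reasons = []
        if not dll.startswith("c:\\windows\\system32\\"):
            reasons.append("ServiceDll outside System32")
        if not dll.endswith(".dll"):
            reasons.append("ServiceDll without .dll extension")
        if writer not in TRUSTED_WRITERS:
            reasons.append(f"written directly by {writer}")
        if reasons:
            findings.append((m.group("svc").lower(), dll, reasons))
    return findings


# Constructed sample events: one row lifted from the report, one benign Task
# Scheduler configuration write, and one ImagePath write the regex ignores.
SAMPLE_EVENTS = [
    RegEvent(
        key=r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\fastuserswitchingcompatibility\Parameters\ServiceDll",
        value=r'"C:\\PROGRA~2\\nsltx\\nsltx.ref"',
        process=r"C:\Users\Admin\AppData\Local\Temp\0adee9ee23d78ff4ea559063e4ec5d7e_JaffaCakes118.exe",
    ),
    RegEvent(
        key=r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\Parameters\ServiceDll",
        value=r"%SystemRoot%\system32\schedsvc.dll",
        process=r"C:\Windows\System32\services.exe",
    ),
    RegEvent(
        key=r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\fastuserswitchingcompatibility\ImagePath",
        value=r'"%SystemRoot%\\System32\\svchost.exe -k netsvcs"',
        process=r"C:\Windows\SysWOW64\svchost.exe",
    ),
]

if __name__ == "__main__":
    for svc, dll, why in find_service_dll_hijacks(SAMPLE_EVENTS):
        print(f"{svc}: {dll} ({'; '.join(why)})")
```

On a live host the same three checks can be run against HKLM\SYSTEM\CurrentControlSet\Services\*\Parameters\ServiceDll directly; the event-based form above is what you would feed from Sysmon event 13 or an EDR registry stream, where the writing process is available.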

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\svchost.exe | N/A

Caveat: the only evidence is a handle to the raw disk opened with write access. That is what the sandbox keys the bootkit tag on; the report contains no sector dump and no write at offset 0, so treat this as a lead to confirm on an infected host (compare sector 0 with a known-good copy) rather than as a confirmed MBR overwrite.
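The confirmation step the caveat asks for, as an added example that is not part of the report: read sector 0 of the suspect disk and diff it against a baseline by region (bootstrap code, disk signature, partition table). The sectors below are constructed in memory so the script runs offline; on a host you would read the first 512 bytes of \\.\PhysicalDrive0 (elevated) and keep a known-good copy from a clean image. The sample bootcode, disk signature and partition entry are invented values.

```python
"""Confirm (or rule out) an MBR overwrite by diffing sector 0 against a baseline.

Added example, not part of the sandbox report. The baseline and "tampered"
sectors are constructed in memory; on a real host the current sector is the
first 512 bytes of \\.\PhysicalDrive0 and the baseline comes from a
pre-incident image or a known-good build of the same machine.
"""
import hashlib
import struct
from typing import Dict, List, Tuple

MBR_SIZE = 512
BOOTCODE_END = 440      # bytes 0..439 hold the bootstrap code
DISK_SIG_OFF = 440      # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446    # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"  # bytes 510..511


def parse_mbr(mbr: bytes) -> Dict:
    """Split an MBR into bootcode hash, disk signature and populated partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        boot, _chs0, ptype, _chs1, lba, count = struct.unpack_from(
            "<B3sB3sII", mbr, PART_TABLE_OFF + 16 * i)
        if ptype != 0:  # type 0 means the slot is unused
            parts.append({"index": i, "bootable": boot == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {
        "bootcode_sha256": hashlib.sha256(mbr[:BOOTCODE_END]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
        "partitions": parts,
    }


def diff_mbr(baseline: bytes, current: bytes) -> List[str]:
    """Name the regions that differ. A bootkit typically changes only 'bootcode'
    so that the partition table, and therefore the OS, keeps working."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    changes = []
    if b["bootcode_sha256"] != c["bootcode_sha256"]:
        changes.append("bootcode")
    if b["disk_signature"] != c["disk_signature"]:
        changes.append("disk_signature")
    if b["partitions"] != c["partitions"]:
        changes.append("partition_table")
    return changes


def build_mbr(bootcode: bytes, disk_sig: int,
              partitions: List[Tuple[bool, int, int, int]]) -> bytes:
    """Assemble a test sector from (bootable, type, lba_start, sectors) tuples."""
    mbr = bytearray(MBR_SIZE)
    code = bootcode[:BOOTCODE_END]
    mbr[:len(code)] = code
    struct.pack_into("<I", mbr, DISK_SIG_OFF, disk_sig)
    for i, (bootable, ptype, lba, count) in enumerate(partitions[:4]):
        struct.pack_into("<B3sB3sII", mbr, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)


# Constructed data: a 440-byte pseudo-bootstrap with one bootable NTFS
# partition, and a copy whose first 32 code bytes were replaced while the
# partition table was left intact, as a bootkit would leave it.
CLEAN_MBR = build_mbr(bytes(range(256)) + bytes(range(184)), 0x1234ABCD,
                      [(True, 0x07, 2048, 204800)])
TAMPERED_MBR = build_mbr(b"\xeb\x00" * 16 + CLEAN_MBR[32:BOOTCODE_END], 0x1234ABCD,
                         [(True, 0x07, 2048, 204800)])

if __name__ == "__main__":
    print("clean vs clean:", diff_mbr(CLEAN_MBR, CLEAN_MBR))
    print("clean vs tampered:", diff_mbr(CLEAN_MBR, TAMPERED_MBR))
```

A result of ["bootcode"] with the partition table unchanged is the classic bootkit signature; a change in the partition table or disk signature is more often a legitimate repartition or disk-replacement event and needs a different explanation.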

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\d2f5ca0e.del | C:\Users\Admin\AppData\Local\Temp\0adee9ee23d78ff4ea559063e4ec5d7e_JaffaCakes118.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\PROGRA~2\nsltx\nsltx.ref | C:\Users\Admin\AppData\Local\Temp\0adee9ee23d78ff4ea559063e4ec5d7e_JaffaCakes118.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\svchost.exe | N/A

Reading ~MHz is low-signal on its own (plenty of benign software does it), but it matches the victim-information record that the public Gh0st source assembles for its login packet, which includes the CPU clock.

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum (logged twice, differing only in case) | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7" | C:\Windows\SysWOW64\svchost.exe | N/A

Two things follow from these rows. The writes land under .DEFAULT rather than under a user SID, so the hijacked svchost runs under a service account (typically LocalSystem for a service created without an explicit account). And ActiveMovie\devenum is the cache maintained by the DirectShow device enumerator, which is written when a process enumerates capture devices such as cameras and microphones; Gh0st carries webcam and audio capture functions, so this is consistent with the family, although the rows alone do not show that any capture took place.

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0adee9ee23d78ff4ea559063e4ec5d7e_JaffaCakes118.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeBackupPrivilege (3 adjustments) | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege (4 adjustments) | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Both privileges are held by LocalSystem and are typically enabled immediately before opening files or registry hives regardless of their ACLs (SeBackupPrivilege) or reading SACLs (SeSecurityPrivilege); the rows do not record what was opened afterwards.

Processes

C:\Users\Admin\AppData\Local\Temp\0adee9ee23d78ff4ea559063e4ec5d7e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\0adee9ee23d78ff4ea559063e4ec5d7e_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe
  C:\Windows\SysWOW64\svchost.exe -k netsvcs

The service host is the 32-bit svchost from SysWOW64, matching a 32-bit payload DLL (the 0x10000000 image base in the memory dumps below). svchost is started by the Service Control Manager, not by the dropper, so a parent-child rule between the two will not fire; pivot on the service name instead.

Network

Country | Destination | Domain | Proto | Queries
US | 8.8.8.8:53 | zhou-mengfei.3322.org | udp | 1
US | 8.8.8.8:53 | www.baidu.com | udp | 10

All traffic in this run is DNS to the sandbox's resolver. zhou-mengfei.3322.org is the likely C2 name (3322.org is a dynamic-DNS provider that appears frequently in Gh0st builds); the repeated www.baidu.com lookups look like an internet-connectivity check. No TCP session to the C2 appears, which is why the report carries no protocol-level indicators: the name may not have resolved at detonation time, or the controller may have been offline.
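Because the sandbox saw no C2 session, anyone hunting for this implant on a network needs the Gh0st wire format, which the report does not describe. The following is an added example (not from the report and not the malware's own code) implementing the framing used in the public Gh0st 3.6 source: a 5-byte flag, a little-endian uint32 total length that includes the 13-byte header, a uint32 uncompressed length, then a zlib stream. MAX_PAYLOAD and the sample stream are constructed; the flag is a parameter because variants replace "Gh0st" with other strings, and the first payload byte is only a stand-in for the command token, not a real token value.

```python
"""Frame and unframe Gh0st RAT traffic so a C2 session can be recognised on the wire.

Added example, not part of the sandbox report, which captured only DNS. Layout
follows the public Gh0st 3.6 source: flag (5 bytes, "Gh0st"), uint32 LE total
frame length including the header, uint32 LE uncompressed length, zlib body.
Variants change the flag, so it is a parameter here.
"""
import struct
import zlib
from typing import List, Optional

DEFAULT_FLAG = b"Gh0st"
MAX_PAYLOAD = 16 * 1024 * 1024  # assumption: refuse absurd declared sizes (zip-bomb guard)


def _hdr_len(flag: bytes) -> int:
    return len(flag) + 8          # flag + two uint32 fields; 13 for the stock flag


def gh0st_pack(payload: bytes, flag: bytes = DEFAULT_FLAG) -> bytes:
    """Build one frame the way implant and controller do before send()."""
    body = zlib.compress(payload)
    return flag + struct.pack("<II", _hdr_len(flag) + len(body), len(payload)) + body


def gh0st_unpack(buf: bytes, flag: bytes = DEFAULT_FLAG) -> Optional[bytes]:
    """Decode one complete frame at the start of buf; None if it is not one."""
    hdr = _hdr_len(flag)
    if len(buf) < hdr or buf[:len(flag)] != flag:
        return None
    total, orig = struct.unpack_from("<II", buf, len(flag))
    if total < hdr or total > len(buf) or orig > MAX_PAYLOAD:
        return None
    d = zlib.decompressobj()
    try:
        # Inflate at most orig+1 bytes: a stream that is exactly orig long will
        # finish (eof), a lying header yields one byte too many and is rejected.
        data = d.decompress(buf[hdr:total], orig + 1)
    except zlib.error:
        return None
    if len(data) != orig or not d.eof or d.unused_data:
        return None               # declared length lies, or trailing garbage inside the frame
    return data


def split_stream(stream: bytes, flag: bytes = DEFAULT_FLAG) -> List[bytes]:
    """Walk a reassembled TCP stream and return every decodable payload in order."""
    hdr = _hdr_len(flag)
    out, pos = [], 0
    while pos + hdr <= len(stream):
        if stream[pos:pos + len(flag)] != flag:
            break                 # not Gh0st (or a different flag); stop rather than guess
        total = struct.unpack_from("<I", stream, pos + len(flag))[0]
        payload = gh0st_unpack(stream[pos:pos + total], flag)
        if payload is None:
            break
        out.append(payload)
        pos += total
    return out


# Constructed sample: two frames back to back, as seen after TCP reassembly.
# The leading byte of each payload stands in for the command token.
SAMPLE_STREAM = gh0st_pack(b"\x66" + b"victim-host\x00" * 3) + gh0st_pack(b"\x67")

if __name__ == "__main__":
    for i, p in enumerate(split_stream(SAMPLE_STREAM)):
        print(f"frame {i}: {len(p)} bytes, token 0x{p[0]:02x}")
```

split_stream() stops at the first undecodable frame instead of resynchronising, which is the safer choice for a detector: a stream that passes the flag check but fails the length or zlib checks is worth an alert on its own, and a decoder that skips ahead can be steered past the frames that matter.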

Files

Memory dumps (pid, region, dump index):
  pid 2128: 0x00400000-0x00430000 (dumps 0 and 8), 0x00230000-0x00260000 (dumps 1 and 2)
  pid 1964: 0x10000000-0x10028000 (dumps 7, 9 and 10)

\??\c:\progra~2\nsltx\nsltx.ref

MD5 aa7db535e5a59197970e622f7dfb5331
SHA1 072495f04679cc8ee07337870365bc2e69d1bf73
SHA256 0668e98fc405742b293e2bc23fbd20173b17383d7fc1a811a5c25347ce122864
SHA512 24f458a4af691e41729ea779e3d406f4d5827d93cbb31cded2d923a4df7554df86e2a83d1d00cd2385711676dba318ef68766df3f0fdcbc40e6bbcb1213c820a

nsltx.ref is the file referenced by ServiceDll above, so these are the hashes of the service payload itself; hash this, not only the dropper, when building file-based detections. The report does not map process IDs to images, but the 0x00400000 region in pid 2128 is the default image base of a 32-bit EXE and the 0x10000000 region in pid 1964 (0x28000 bytes) is the default image base of a 32-bit DLL, so the two PIDs are most plausibly the dropper and the svchost hosting nsltx.ref. d2f5ca0e.del, dropped in SysWOW64, was not captured.

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-24 22:07
Reported: 2024-06-24 22:09
Platform: win10v2004-20240508-en
Max time kernel: 150s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0adee9ee23d78ff4ea559063e4ec5d7e_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description | Indicator | Process | Target
(10 rows, all fields N/A: the report records ten family hits without indicator, process or target)

Gh0strat (tags: rat, gh0strat)

Server Software Component: Terminal Services DLL

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\fastuserswitchingcompatibility\Parameters\ServiceDll = "C:\PROGRA~2\drtoo\drtoo.ref" | C:\Users\Admin\AppData\Local\Temp\0adee9ee23d78ff4ea559063e4ec5d7e_JaffaCakes118.exe | N/A
Set value (str) | (same key and value) | C:\Windows\SysWOW64\svchost.exe | N/A

Same svchost service-DLL hijack as on Windows 7 (T1543.003 fits better than the T1505.005 label); only the randomised directory and file name differ (drtoo\drtoo.ref instead of nsltx\nsltx.ref), so detections should key on the service name and on ServiceDll pointing outside System32, not on the path.

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\fastuserswitchingcompatibility\ImagePath = "%SystemRoot%\System32\svchost.exe -k netsvcs" | C:\Windows\SysWOW64\svchost.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\svchost.exe | N/A

As in the Windows 7 run, this is a write-capable handle to the raw disk, not a recorded sector write; confirm against a known-good sector 0 before reporting a bootkit.

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\d2f5ca0e.del | C:\Users\Admin\AppData\Local\Temp\0adee9ee23d78ff4ea559063e4ec5d7e_JaffaCakes118.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\PROGRA~2\drtoo\drtoo.ref | C:\Users\Admin\AppData\Local\Temp\0adee9ee23d78ff4ea559063e4ec5d7e_JaffaCakes118.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\svchost.exe | N/A

Identical to the Windows 7 run: the CPU clock is part of the victim record the public Gh0st source sends at login.

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7" | C:\Windows\SysWOW64\svchost.exe | N/A

Same DirectShow device-enumerator cache under .DEFAULT as on Windows 7: the payload runs under a service account and enumerates capture devices.

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeBackupPrivilege (3 adjustments) | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege (4 adjustments) | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0adee9ee23d78ff4ea559063e4ec5d7e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\0adee9ee23d78ff4ea559063e4ec5d7e_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe
  C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility

On Windows 10 the hosted service name is passed explicitly (-s fastuserswitchingcompatibility) because svchost instances are split per service on machines with enough memory, so the hijacked host can be attributed from its command line alone; on Windows 7 the same DLL shares one netsvcs process with legitimate services.

Network

Country | Destination | Domain | Proto | Queries
US | 8.8.8.8:53 | zhou-mengfei.3322.org | udp | 6
US | 8.8.8.8:53 | www.baidu.com | udp | 6
US | 8.8.8.8:53 | www.163.com | udp | 1

The zhou-mengfei.3322.org and www.baidu.com lookups alternate for the length of the run, with a single www.163.com query after the first pair, which reads as a retry loop: resolve the dynamic-DNS C2 name, check connectivity against a well-known site, repeat. As on Windows 7, only DNS was captured and no session to the C2 was observed.

Files

Memory dumps (pid, region, dump index):
  pid 1472: 0x00400000-0x00430000 (dumps 0 and 6)
  pid 3788: 0x10000000-0x10028000 (dumps 5, 7, 9, 10, 12, 14, 17 and 19)

\??\c:\progra~2\drtoo\drtoo.ref

MD5 4e7567486ab22f3d2a1270dc3cc6885a
SHA1 ab4121d96d73dbb54c7aceda8379bc53955e4b9f
SHA256 a8f23e3ec7043bebd080656cb426772ae2bb44d84538177052e7d3e5b2eed5d0
SHA512 c564f1442aad9c391e9f5c7675b9a2972236f30fd8a11ab9030bcfcebaa30441b5729b6af850f1b6ca59a6c74fe7cd687c421494b07c563138412c5ba668472e

drtoo.ref has different hashes from nsltx.ref in the Windows 7 run even though the sample is the same, so the dropper rewrites or re-encodes the payload at install time and a single file hash will not cover every installation; the dumped 0x10000000-0x10028000 region (same size in both runs) is the better source for a memory or YARA signature. As before, the 0x00400000 region in pid 1472 fits the dropper and the 0x10000000 region in pid 3788 fits the service DLL loaded into svchost, and d2f5ca0e.del was not captured.