Malware Analysis Report

2025-03-15 06:33

Sample ID 240624-1ylw4axcrk
Target 0adaee7bab0ba0553a80468cf3995329_JaffaCakes118
SHA256 e439d1f5e8109f21929105830b373230989e5fc1e53d4dc9d8adeec7e1b01660
Tags
gh0strat persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e439d1f5e8109f21929105830b373230989e5fc1e53d4dc9d8adeec7e1b01660

Threat Level: Known bad

The file 0adaee7bab0ba0553a80468cf3995329_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

gh0strat persistence rat

Gh0strat family

Gh0st RAT payload

Gh0strat

Server Software Component: Terminal Services DLL

Loads dropped DLL

Deletes itself

Drops file in System32 directory

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-24 22:03

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Gh0strat family

gh0strat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-24 22:03

Reported

2024-06-24 22:06

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0adaee7bab0ba0553a80468cf3995329_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Server Software Component: Terminal Services DLL

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MDM Serverice\Parameters\ServiceDll = "C:\\Windows\\system32\\hackeyes.dll"
Process: C:\Users\Admin\AppData\Local\Temp\0adaee7bab0ba0553a80468cf3995329_JaffaCakes118.exe
Target: N/A

Deletes itself

Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\svchost.exe
Target: N/A

Loads dropped DLL

Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\svchost.exe
Target: N/A

Drops file in System32 directory

Description: File created
Indicator: C:\Windows\SysWOW64\hackeyes.dll
Process: C:\Users\Admin\AppData\Local\Temp\0adaee7bab0ba0553a80468cf3995329_JaffaCakes118.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0adaee7bab0ba0553a80468cf3995329_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0adaee7bab0ba0553a80468cf3995329_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 zhaozhichao0811.3322.org udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 zhaozhichao0811.3322.org udp
US 8.8.8.8:53 zhaozhichao0811.3322.org udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 31.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 zhaozhichao0811.3322.org udp
US 8.8.8.8:53 zhaozhichao0811.3322.org udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 zhaozhichao0811.3322.org udp
US 8.8.8.8:53 zhaozhichao0811.3322.org udp
US 8.8.8.8:53 zhaozhichao0811.3322.org udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 zhaozhichao0811.3322.org udp
US 8.8.8.8:53 zhaozhichao0811.3322.org udp
US 8.8.8.8:53 zhaozhichao0811.3322.org udp
US 8.8.8.8:53 zhaozhichao0811.3322.org udp

Files

memory/400-1-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1600-4-0x0000000010000000-0x000000001001F000-memory.dmp

C:\Windows\SysWOW64\hackeyes.dll

MD5 f96de8f4b769da591093ff856f02b9b7
SHA1 0569cdae0c4337ee255089156a275f2cbe717f27
SHA256 513a53877a19627ad2418bad45f1fde2e5e87d5726bc692646a3440cb2b9c25f
SHA512 585bd8565e54a0a342dd1f059a910e76c79f3d0d9b8f8e609120633fcbd232f93f4b6f0f19b9e5f143241dae00b5ead8dd3f1ec96a89e7e1d6e197e644bcaa87

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-24 22:03

Reported

2024-06-24 22:06

Platform

win7-20240508-en

Max time kernel

150s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0adaee7bab0ba0553a80468cf3995329_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Server Software Component: Terminal Services DLL

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MDM Serverice\Parameters\ServiceDll = "C:\\Windows\\system32\\hackeyes.dll"
Process: C:\Users\Admin\AppData\Local\Temp\0adaee7bab0ba0553a80468cf3995329_JaffaCakes118.exe
Target: N/A

Deletes itself

Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\svchost.exe
Target: N/A

Loads dropped DLL

Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\svchost.exe
Target: N/A

Drops file in System32 directory

Description: File created
Indicator: C:\Windows\SysWOW64\hackeyes.dll
Process: C:\Users\Admin\AppData\Local\Temp\0adaee7bab0ba0553a80468cf3995329_JaffaCakes118.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0adaee7bab0ba0553a80468cf3995329_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0adaee7bab0ba0553a80468cf3995329_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs

Network

Country Destination Domain Proto
US 8.8.8.8:53 zhaozhichao0811.3322.org udp
US 8.8.8.8:53 zhaozhichao0811.3322.org udp
US 8.8.8.8:53 zhaozhichao0811.3322.org udp
US 8.8.8.8:53 zhaozhichao0811.3322.org udp
US 8.8.8.8:53 zhaozhichao0811.3322.org udp
US 8.8.8.8:53 zhaozhichao0811.3322.org udp

Files

memory/1956-0-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2296-4-0x0000000010000000-0x000000001001F000-memory.dmp

\Windows\SysWOW64\hackeyes.dll

MD5 f96de8f4b769da591093ff856f02b9b7
SHA1 0569cdae0c4337ee255089156a275f2cbe717f27
SHA256 513a53877a19627ad2418bad45f1fde2e5e87d5726bc692646a3440cb2b9c25f
SHA512 585bd8565e54a0a342dd1f059a910e76c79f3d0d9b8f8e609120633fcbd232f93f4b6f0f19b9e5f143241dae00b5ead8dd3f1ec96a89e7e1d6e197e644bcaa87