Analysis Overview
SHA256
7f397dc9f175bc39b5ba89595d07c81f40d113f390be624c2610f9ca8c7606a5
Threat Level: Known bad
The file 095eec6eb1ef163bf2cff52752c8ee6a_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Gh0st RAT payload
Gh0strat
Adds Run key to start application
Drops file in System32 directory
Drops file in Windows directory
Launches sc.exe
Unsigned PE
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-24 15:39
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-24 15:39
Reported
2024-06-24 15:41
Platform
win7-20240419-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\XXXXXX579E5A5B VVVVVVrr2unw== = "C:\\Windows\\XXXXXX579E5A5B VVVVVVrr2unw==\\svchsot.exe" | C:\Users\Admin\AppData\Local\Temp\095eec6eb1ef163bf2cff52752c8ee6a_JaffaCakes118.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe | C:\Users\Admin\AppData\Local\Temp\095eec6eb1ef163bf2cff52752c8ee6a_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe | C:\Users\Admin\AppData\Local\Temp\095eec6eb1ef163bf2cff52752c8ee6a_JaffaCakes118.exe | N/A |
| File created | C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\JH.BAT | C:\Users\Admin\AppData\Local\Temp\095eec6eb1ef163bf2cff52752c8ee6a_JaffaCakes118.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\095eec6eb1ef163bf2cff52752c8ee6a_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\095eec6eb1ef163bf2cff52752c8ee6a_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\095eec6eb1ef163bf2cff52752c8ee6a_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\095eec6eb1ef163bf2cff52752c8ee6a_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\095eec6eb1ef163bf2cff52752c8ee6a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\095eec6eb1ef163bf2cff52752c8ee6a_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\JH.BAT""
C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn * /f
C:\Windows\SysWOW64\sc.exe
sc config Schedule start= auto
C:\Windows\SysWOW64\net.exe
net start "Task Scheduler"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start "Task Scheduler"
C:\Windows\SysWOW64\at.exe
At 0:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
C:\Windows\SysWOW64\at.exe
At 1:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
C:\Windows\SysWOW64\at.exe
At 2:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
C:\Windows\SysWOW64\at.exe
At 3:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
C:\Windows\SysWOW64\at.exe
At 4:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
C:\Windows\SysWOW64\at.exe
At 5:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
C:\Windows\SysWOW64\at.exe
At 6:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
C:\Windows\SysWOW64\at.exe
At 7:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
C:\Windows\SysWOW64\at.exe
At 8:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
C:\Windows\SysWOW64\at.exe
At 9:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
C:\Windows\SysWOW64\at.exe
At 10:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
C:\Windows\SysWOW64\at.exe
At 11:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
C:\Windows\SysWOW64\at.exe
At 12:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
C:\Windows\SysWOW64\at.exe
At 13:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
C:\Windows\SysWOW64\at.exe
At 14:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
C:\Windows\SysWOW64\at.exe
At 15:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
C:\Windows\SysWOW64\at.exe
At 16:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
C:\Windows\SysWOW64\at.exe
At 17:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
C:\Windows\SysWOW64\at.exe
At 18:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
C:\Windows\SysWOW64\at.exe
At 19:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
C:\Windows\SysWOW64\at.exe
At 20:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
C:\Windows\SysWOW64\at.exe
At 21:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
C:\Windows\SysWOW64\at.exe
At 22:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
C:\Windows\SysWOW64\at.exe
At 23:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
C:\Windows\SysWOW64\at.exe
At 24:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.wk1888.com | udp |
| US | 50.2.120.135:8000 | www.wk1888.com | tcp |
| US | 8.8.8.8:53 | www.af0575.com | udp |
| HK | 38.239.140.49:8000 | www.af0575.com | tcp |
| US | 8.8.8.8:53 | www.fz0575.com | udp |
| US | 50.2.120.135:8000 | www.wk1888.com | tcp |
Files
memory/2656-0-0x0000000010000000-0x0000000010121000-memory.dmp
memory/2656-2-0x0000000010000000-0x0000000010121000-memory.dmp
memory/2656-3-0x00000000002E0000-0x00000000002E1000-memory.dmp
memory/2656-4-0x0000000010000000-0x0000000010121000-memory.dmp
memory/2656-7-0x0000000010000000-0x0000000010121000-memory.dmp
C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\JH.BAT
| MD5 | d8d3a3c95e9e23157286b883310db430 |
| SHA1 | df3540006561b11eba293cb19556cb21a5f1cab7 |
| SHA256 | a6557c4d137e61f94df072ae9f05d890f418388745151263d3278f0020a49ba1 |
| SHA512 | b5065a78947236960e6dc632443443570839c47ba6107e091efd4c84df7f21a93dff07d97fc892d69a58ccecb5c04b019e8adbc718f735b0d9821ee7b82d21bc |
\??\PIPE\atsvc (the AT-scheduler RPC named pipe that at.exe writes its job requests to, not a dropped file; the capture is zero bytes, so the hashes below are those of empty input)
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-24 15:39
Reported
2024-06-24 15:41
Platform
win10v2004-20240611-en
Max time kernel
141s
Max time network
122s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XXXXXX579E5A5B VVVVVVrr2unw== = "C:\\Windows\\XXXXXX579E5A5B VVVVVVrr2unw==\\svchsot.exe" | C:\Users\Admin\AppData\Local\Temp\095eec6eb1ef163bf2cff52752c8ee6a_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Default | C:\Users\Admin\AppData\Local\Temp\095eec6eb1ef163bf2cff52752c8ee6a_JaffaCakes118.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe | C:\Users\Admin\AppData\Local\Temp\095eec6eb1ef163bf2cff52752c8ee6a_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe | C:\Users\Admin\AppData\Local\Temp\095eec6eb1ef163bf2cff52752c8ee6a_JaffaCakes118.exe | N/A |
| File created | C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\JH.BAT | C:\Users\Admin\AppData\Local\Temp\095eec6eb1ef163bf2cff52752c8ee6a_JaffaCakes118.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\095eec6eb1ef163bf2cff52752c8ee6a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\095eec6eb1ef163bf2cff52752c8ee6a_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\JH.BAT""
C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn * /f
C:\Windows\SysWOW64\sc.exe
sc config Schedule start= auto
C:\Windows\SysWOW64\net.exe
net start "Task Scheduler"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start "Task Scheduler"
C:\Windows\SysWOW64\at.exe
At 0:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
C:\Windows\SysWOW64\at.exe
At 1:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
C:\Windows\SysWOW64\at.exe
At 2:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
C:\Windows\SysWOW64\at.exe
At 3:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
C:\Windows\SysWOW64\at.exe
At 4:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
C:\Windows\SysWOW64\at.exe
At 5:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
C:\Windows\SysWOW64\at.exe
At 6:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
C:\Windows\SysWOW64\at.exe
At 7:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
C:\Windows\SysWOW64\at.exe
At 8:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
C:\Windows\SysWOW64\at.exe
At 9:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
C:\Windows\SysWOW64\at.exe
At 10:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
C:\Windows\SysWOW64\at.exe
At 11:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
C:\Windows\SysWOW64\at.exe
At 12:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
C:\Windows\SysWOW64\at.exe
At 13:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
C:\Windows\SysWOW64\at.exe
At 14:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
C:\Windows\SysWOW64\at.exe
At 15:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
C:\Windows\SysWOW64\at.exe
At 16:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
C:\Windows\SysWOW64\at.exe
At 17:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
C:\Windows\SysWOW64\at.exe
At 18:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
C:\Windows\SysWOW64\at.exe
At 19:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
C:\Windows\SysWOW64\at.exe
At 20:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
C:\Windows\SysWOW64\at.exe
At 21:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
C:\Windows\SysWOW64\at.exe
At 22:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
C:\Windows\SysWOW64\at.exe
At 23:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
C:\Windows\SysWOW64\at.exe
At 24:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
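The process trees of behavioral1 and behavioral2 show the same persistence chain: drop `svchsot.exe` (a look-alike of `svchost.exe`) and `JH.BAT` under a generated directory in `C:\Windows`, write a Run value pointing at it, then have the batch file wipe every existing scheduled task, force the Schedule service on, and register one `at` job per hour for the dropped binary (including an impossible `24:00`). The following is an added example, not part of the sandbox report or of the sample, that turns that chain into detection logic. It runs over constructed process-creation records (the field set of Sysmon Event ID 1 / Security 4688; the PIDs and the benign control events are hypothetical) and over the Run value exactly as the report records it; the look-alike and directory heuristics are assumptions of this example, not something the report states.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Added example (not from the report): detector for the task-scheduler
# persistence chain shown in the behavioral1/behavioral2 process trees.


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


LEGIT_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
               "winlogon.exe", "explorer.exe", "smss.exe", "wininit.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; the svchsot/svchost transposition costs 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_system_lookalike(name: str) -> bool:
    """Heuristic: a name within two edits of a core Windows process name, but not that name."""
    name = name.lower()
    return name not in LEGIT_NAMES and any(_edit_distance(name, n) <= 2 for n in LEGIT_NAMES)


def analyze(events):
    """Return (rule, pid, detail) findings for the scheduler-abuse chain."""
    findings = []
    at_jobs = defaultdict(list)  # (parent pid, scheduled target) -> hours requested
    for e in events:
        img, cmd = basename(e.image), e.cmdline
        if img == "schtasks.exe" and re.search(r"/delete\s+/tn\s+\*", cmd, re.I):
            findings.append(("wipe_scheduled_tasks", e.pid, cmd))
        if img == "sc.exe" and re.search(r"\bconfig\s+schedule\s+start=\s*auto", cmd, re.I):
            findings.append(("enable_schedule_service", e.pid, cmd))
        if img == "net.exe" and re.search(r'\bstart\s+"?task scheduler"?', cmd, re.I):
            findings.append(("start_task_scheduler", e.pid, cmd))
        if img == "at.exe":
            m = re.match(r"at\s+(\d{1,2}):(\d{2})\s+(.+)$", cmd, re.I)
            if m:
                at_jobs[(e.ppid, m.group(3).strip())].append(int(m.group(1)))
        if is_system_lookalike(img):
            findings.append(("system_name_lookalike", e.pid, e.image))
    for (ppid, target), hours in at_jobs.items():
        if len(hours) >= 6:  # one job per hour from one parent is a script, not an admin
            findings.append(("hourly_at_job_burst", ppid, f"{len(hours)} jobs -> {target}"))
        if any(h > 23 for h in hours):  # at.exe accepts 0-23; a 24:00 job is blindly generated
            findings.append(("invalid_at_hour", ppid, target))
        if is_system_lookalike(basename(target)):
            findings.append(("system_name_lookalike", ppid, target))
    return findings


def check_run_value(value_name: str, data: str):
    """Weak signals for a suspicious HKLM\\...\\Run entry; returns the reasons that fired."""
    path = data.strip().strip('"')
    low = path.lower()
    reasons = []
    if low.startswith("c:\\windows\\") and not low.startswith(
            ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")):
        reasons.append("autorun target in a non-standard directory under C:\\Windows")
    if is_system_lookalike(basename(path)):
        reasons.append("target binary name imitates a Windows system process")
    if value_name.endswith("==") or " " in value_name:
        reasons.append("value name looks generated (base64-style padding or embedded space)")
    return reasons


# Constructed records mirroring the report's process trees (PIDs hypothetical).
DROP_DIR = r"C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw=="
SAMPLE_EVENTS = [
    ProcEvent(2656, 1000, r"C:\Users\Admin\AppData\Local\Temp\095eec6eb1ef163bf2cff52752c8ee6a_JaffaCakes118.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\095eec6eb1ef163bf2cff52752c8ee6a_JaffaCakes118.exe"'),
    ProcEvent(2700, 2656, r"C:\Windows\SysWOW64\cmd.exe", f'cmd /c ""{DROP_DIR}\\JH.BAT""'),
    ProcEvent(2704, 2700, r"C:\Windows\SysWOW64\schtasks.exe", "schtasks /delete /tn * /f"),
    ProcEvent(2708, 2700, r"C:\Windows\SysWOW64\sc.exe", "sc config Schedule start= auto"),
    ProcEvent(2712, 2700, r"C:\Windows\SysWOW64\net.exe", 'net start "Task Scheduler"'),
] + [ProcEvent(2720 + h, 2700, r"C:\Windows\SysWOW64\at.exe", f"At {h}:00 {DROP_DIR}\\svchsot.exe")
     for h in range(25)]

# Constructed benign control: routine admin activity that must not fire.
BENIGN_EVENTS = [
    ProcEvent(500, 400, r"C:\Windows\System32\cmd.exe", "cmd /c dir"),
    ProcEvent(501, 400, r"C:\Windows\System32\schtasks.exe", "schtasks /query /tn Backup"),
    ProcEvent(502, 400, r"C:\Windows\System32\at.exe", r"At 2:00 C:\Tools\backup.exe"),
]

if __name__ == "__main__":
    for rule, pid, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule:24} pid={pid} {detail}")
    print(check_run_value("XXXXXX579E5A5B VVVVVVrr2unw==", f'"{DROP_DIR}\\svchsot.exe"'))
```

The `at` burst and the `schtasks /delete /tn *` wipe are the robust signals here: both are keyed on command lines rather than on the file name, so a rebuild of the sample with a different drop directory or binary name still fires. The look-alike check is deliberately loose (two edits) and is meant to be combined with the other rules, not used alone.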
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.wk1888.com | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 50.2.120.135:8000 | www.wk1888.com | tcp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.af0575.com | udp |
| HK | 38.239.140.49:8000 | www.af0575.com | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.fz0575.com | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 50.2.120.135:8000 | www.wk1888.com | tcp |
Files
memory/3108-1-0x0000000010000000-0x0000000010121000-memory.dmp
memory/3108-9-0x00000000005C0000-0x0000000000600000-memory.dmp
memory/3108-8-0x0000000010000000-0x0000000010121000-memory.dmp
memory/3108-3-0x0000000010000000-0x0000000010121000-memory.dmp
memory/3108-2-0x0000000010000000-0x0000000010121000-memory.dmp
C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\JH.BAT
| MD5 | d8d3a3c95e9e23157286b883310db430 |
| SHA1 | df3540006561b11eba293cb19556cb21a5f1cab7 |
| SHA256 | a6557c4d137e61f94df072ae9f05d890f418388745151263d3278f0020a49ba1 |
| SHA512 | b5065a78947236960e6dc632443443570839c47ba6107e091efd4c84df7f21a93dff07d97fc892d69a58ccecb5c04b019e8adbc718f735b0d9821ee7b82d21bc |
\??\PIPE\atsvc (the AT-scheduler RPC named pipe that at.exe writes its job requests to, not a dropped file; the capture is zero bytes, so the hashes below are those of empty input)
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |