Malware Analysis Report

2025-03-15 06:32

Sample ID 240624-ttkpxavcmk
Target 098e32b85ff13e6d297d4c0a53f2a1c8_JaffaCakes118
SHA256 204004daa0a87485d00cbb49f98829ce0faed3476969a11712e0954676109c2a
Tags gh0strat persistence rat
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

204004daa0a87485d00cbb49f98829ce0faed3476969a11712e0954676109c2a

Threat Level: Known bad

The file 098e32b85ff13e6d297d4c0a53f2a1c8_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

gh0strat persistence rat

Gh0st RAT payload

Gh0strat

Server Software Component: Terminal Services DLL

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-24 16:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-24 16:20

Reported

2024-06-24 16:23

Platform

win7-20240611-en

Max time kernel

150s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\098e32b85ff13e6d297d4c0a53f2a1c8_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Server Software Component: Terminal Services DLL

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\mKF3Y2bn\Parameters\ServiceDll = "C:\\Windows\\system32\\lA02TF.pic" C:\Users\Admin\AppData\Local\Temp\098e32b85ff13e6d297d4c0a53f2a1c8_JaffaCakes118.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\lA02TF.pic C:\Users\Admin\AppData\Local\Temp\098e32b85ff13e6d297d4c0a53f2a1c8_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\098e32b85ff13e6d297d4c0a53f2a1c8_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\098e32b85ff13e6d297d4c0a53f2a1c8_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\098e32b85ff13e6d297d4c0a53f2a1c8_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\098e32b85ff13e6d297d4c0a53f2a1c8_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\098e32b85ff13e6d297d4c0a53f2a1c8_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\098e32b85ff13e6d297d4c0a53f2a1c8_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\098e32b85ff13e6d297d4c0a53f2a1c8_JaffaCakes118.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\098e32b85ff13e6d297d4c0a53f2a1c8_JaffaCakes118.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\098e32b85ff13e6d297d4c0a53f2a1c8_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1748 wrote to memory of 2284 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\rundll32.exe
PID 1748 wrote to memory of 2284 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\rundll32.exe
PID 1748 wrote to memory of 2284 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\rundll32.exe
PID 1748 wrote to memory of 2284 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\rundll32.exe
PID 1748 wrote to memory of 2284 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\rundll32.exe
PID 1748 wrote to memory of 2284 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\rundll32.exe
PID 1748 wrote to memory of 2284 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\098e32b85ff13e6d297d4c0a53f2a1c8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\098e32b85ff13e6d297d4c0a53f2a1c8_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k mKF3Y2bn

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe c:\windows\system32\la02tf.pic,main mKF3Y2bn

Network

Country Destination Domain Proto
US 8.8.8.8:53 a616713144.3322.org udp

Files

\??\c:\windows\SysWOW64\la02tf.pic

MD5 eb0282b182797da26ca1a56dcedcf411
SHA1 672c3095cd7541ce05893f2b16476912a6b9c64a
SHA256 773968bfd1fb4ae0aea27f03bb5fc53e69ac595938f7c9dea05d0c56d8ef4a37
SHA512 9dd0213e39ddc75b0e53dec66d77e0a606c427618ef94ec80b8b200f6351563448406a441d268e2f47d97b16d7e9bc56b64462d5ad436da20cad45cb1cd09259

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-24 16:20

Reported

2024-06-24 16:23

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

87s

Command Line

"C:\Users\Admin\AppData\Local\Temp\098e32b85ff13e6d297d4c0a53f2a1c8_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Server Software Component: Terminal Services DLL

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\dlM4IC6i\Parameters\ServiceDll = "C:\\Windows\\system32\\lA02TF.pic" C:\Users\Admin\AppData\Local\Temp\098e32b85ff13e6d297d4c0a53f2a1c8_JaffaCakes118.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\lA02TF.pic C:\Users\Admin\AppData\Local\Temp\098e32b85ff13e6d297d4c0a53f2a1c8_JaffaCakes118.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\098e32b85ff13e6d297d4c0a53f2a1c8_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\098e32b85ff13e6d297d4c0a53f2a1c8_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\098e32b85ff13e6d297d4c0a53f2a1c8_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\098e32b85ff13e6d297d4c0a53f2a1c8_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\098e32b85ff13e6d297d4c0a53f2a1c8_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\098e32b85ff13e6d297d4c0a53f2a1c8_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\098e32b85ff13e6d297d4c0a53f2a1c8_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\098e32b85ff13e6d297d4c0a53f2a1c8_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\098e32b85ff13e6d297d4c0a53f2a1c8_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\098e32b85ff13e6d297d4c0a53f2a1c8_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\098e32b85ff13e6d297d4c0a53f2a1c8_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\098e32b85ff13e6d297d4c0a53f2a1c8_JaffaCakes118.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\098e32b85ff13e6d297d4c0a53f2a1c8_JaffaCakes118.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\098e32b85ff13e6d297d4c0a53f2a1c8_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3976 wrote to memory of 4540 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\rundll32.exe
PID 3976 wrote to memory of 4540 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\rundll32.exe
PID 3976 wrote to memory of 4540 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\098e32b85ff13e6d297d4c0a53f2a1c8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\098e32b85ff13e6d297d4c0a53f2a1c8_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k dlM4IC6i

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe c:\windows\system32\la02tf.pic,main dlM4IC6i

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3976 -ip 3976

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 436

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 a616713144.3322.org udp
US 8.8.8.8:53 a616713144.3322.org udp

Files

C:\Windows\SysWOW64\lA02TF.pic

MD5 54daf2bd595ff53ae543ae9b648b26ea
SHA1 278c92cfd333d5ec8f0765e931ee17f8a2fede38
SHA256 7796fcc228e573d1b3fb0f6b9517eca189cb2f6874ad60464ff368dec3fc6d67
SHA512 2ea68766c34e4493ee2b7f9f5c213f460dfbecb714de4ebc88ebaea08ab5c061bf81ec433c7a43a7a09f4aacefab9c0b2712a2ad5885d807fcc0c644344740dd