Malware Analysis Report

2025-03-15 06:32

Sample ID 240624-v3j1eaxcql
Target 09dc3ad60f0b1c8b573b5b748297e414_JaffaCakes118
SHA256 502f8b1645f6b7bda56b198c216685faaad3ff65a0adf995b55e223112643433
Tags
gh0strat persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

502f8b1645f6b7bda56b198c216685faaad3ff65a0adf995b55e223112643433

Threat Level: Known bad

The file 09dc3ad60f0b1c8b573b5b748297e414_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

gh0strat persistence rat

Gh0st RAT payload

Gh0strat

Server Software Component: Terminal Services DLL

Deletes itself

Loads dropped DLL

Drops file in System32 directory

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-24 17:30

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-24 17:30

Reported

2024-06-24 17:33

Platform

win7-20240611-en

Max time kernel

150s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\09dc3ad60f0b1c8b573b5b748297e414_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Server Software Component: Terminal Services DLL

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\589609\Parameters\ServiceDll = "C:\\Windows\\system32\\589609.dll" C:\Users\Admin\AppData\Local\Temp\09dc3ad60f0b1c8b573b5b748297e414_JaffaCakes118.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\589609.dll C:\Users\Admin\AppData\Local\Temp\09dc3ad60f0b1c8b573b5b748297e414_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\09dc3ad60f0b1c8b573b5b748297e414_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\09dc3ad60f0b1c8b573b5b748297e414_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\09dc3ad60f0b1c8b573b5b748297e414_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k 589609

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\09DC3A~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 cool2319.gicp.net udp

Files

memory/2916-0-0x0000000000400000-0x000000000042D000-memory.dmp

\??\c:\windows\SysWOW64\589609.dll

MD5 5f6869549a2fbee443bf6476426d23f7
SHA1 5df22fe768c2e8bde6682e9a5d5c9ec89b050a8b
SHA256 d5b9a92ffb068efbfdfcdccfab285812aea8bee6242c43c4113a7fd8b5867125
SHA512 01db951c7fdd2d22a2fb860d1683eb99c91b2357821ce40ce2acdf056a6c7cc60b699699507aa5fd4e027e17146029e8869693fe362d4b7a7f6aa3bdd6c43248

memory/2916-8-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1632-7-0x0000000010000000-0x000000001002A000-memory.dmp

memory/1632-9-0x0000000000020000-0x0000000000023000-memory.dmp

memory/1632-10-0x0000000010000000-0x000000001002A000-memory.dmp

memory/1632-13-0x0000000010000000-0x000000001002A000-memory.dmp

memory/1632-12-0x0000000010017000-0x0000000010027000-memory.dmp

memory/1632-14-0x0000000010000000-0x000000001002A000-memory.dmp

memory/1632-16-0x0000000000020000-0x0000000000023000-memory.dmp

memory/1632-17-0x0000000010017000-0x0000000010027000-memory.dmp

memory/1632-18-0x0000000010000000-0x000000001002A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-24 17:30

Reported

2024-06-24 17:33

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\09dc3ad60f0b1c8b573b5b748297e414_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Server Software Component: Terminal Services DLL

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\589609\Parameters\ServiceDll = "C:\\Windows\\system32\\589609.dll" C:\Users\Admin\AppData\Local\Temp\09dc3ad60f0b1c8b573b5b748297e414_JaffaCakes118.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\589609.dll C:\Users\Admin\AppData\Local\Temp\09dc3ad60f0b1c8b573b5b748297e414_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\09dc3ad60f0b1c8b573b5b748297e414_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\09dc3ad60f0b1c8b573b5b748297e414_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\09dc3ad60f0b1c8b573b5b748297e414_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k 589609

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\09DC3A~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 cool2319.gicp.net udp
US 8.8.8.8:53 cool2319.gicp.net udp

Files

memory/5112-0-0x0000000000400000-0x000000000042D000-memory.dmp

\??\c:\windows\SysWOW64\589609.dll

MD5 5f6869549a2fbee443bf6476426d23f7
SHA1 5df22fe768c2e8bde6682e9a5d5c9ec89b050a8b
SHA256 d5b9a92ffb068efbfdfcdccfab285812aea8bee6242c43c4113a7fd8b5867125
SHA512 01db951c7fdd2d22a2fb860d1683eb99c91b2357821ce40ce2acdf056a6c7cc60b699699507aa5fd4e027e17146029e8869693fe362d4b7a7f6aa3bdd6c43248

memory/5112-7-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4424-8-0x0000000010000000-0x000000001002A000-memory.dmp

memory/4424-9-0x0000000000B50000-0x0000000000B53000-memory.dmp

memory/4424-10-0x0000000010000000-0x000000001002A000-memory.dmp

memory/4424-13-0x0000000010000000-0x000000001002A000-memory.dmp

memory/4424-12-0x0000000010017000-0x0000000010027000-memory.dmp

memory/4424-14-0x0000000010000000-0x000000001002A000-memory.dmp

memory/4424-16-0x0000000000B50000-0x0000000000B53000-memory.dmp

memory/4424-17-0x0000000010017000-0x0000000010027000-memory.dmp

memory/4424-18-0x0000000010000000-0x000000001002A000-memory.dmp