Analysis Overview
SHA256
502f8b1645f6b7bda56b198c216685faaad3ff65a0adf995b55e223112643433
Threat Level: Known bad
The file 09dc3ad60f0b1c8b573b5b748297e414_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Gh0st RAT payload
Gh0strat
Server Software Component: Terminal Services DLL
Deletes itself
Loads dropped DLL
Drops file in System32 directory
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-24 17:30
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-24 17:30
Reported
2024-06-24 17:33
Platform
win7-20240611-en
Max time kernel
150s
Max time network
126s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Server Software Component: Terminal Services DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\589609\Parameters\ServiceDll = "C:\\Windows\\system32\\589609.dll" | C:\Users\Admin\AppData\Local\Temp\09dc3ad60f0b1c8b573b5b748297e414_JaffaCakes118.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\589609.dll | C:\Users\Admin\AppData\Local\Temp\09dc3ad60f0b1c8b573b5b748297e414_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\09dc3ad60f0b1c8b573b5b748297e414_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2916 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Local\Temp\09dc3ad60f0b1c8b573b5b748297e414_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2916 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Local\Temp\09dc3ad60f0b1c8b573b5b748297e414_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2916 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Local\Temp\09dc3ad60f0b1c8b573b5b748297e414_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2916 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Local\Temp\09dc3ad60f0b1c8b573b5b748297e414_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\09dc3ad60f0b1c8b573b5b748297e414_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\09dc3ad60f0b1c8b573b5b748297e414_JaffaCakes118.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k 589609
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\09DC3A~1.EXE > nul
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | cool2319.gicp.net | udp |
Files
memory/2916-0-0x0000000000400000-0x000000000042D000-memory.dmp
\??\c:\windows\SysWOW64\589609.dll
| Hash | Value |
|---|---|
| MD5 | 5f6869549a2fbee443bf6476426d23f7 |
| SHA1 | 5df22fe768c2e8bde6682e9a5d5c9ec89b050a8b |
| SHA256 | d5b9a92ffb068efbfdfcdccfab285812aea8bee6242c43c4113a7fd8b5867125 |
| SHA512 | 01db951c7fdd2d22a2fb860d1683eb99c91b2357821ce40ce2acdf056a6c7cc60b699699507aa5fd4e027e17146029e8869693fe362d4b7a7f6aa3bdd6c43248 |
memory/2916-8-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1632-7-0x0000000010000000-0x000000001002A000-memory.dmp
memory/1632-9-0x0000000000020000-0x0000000000023000-memory.dmp
memory/1632-10-0x0000000010000000-0x000000001002A000-memory.dmp
memory/1632-13-0x0000000010000000-0x000000001002A000-memory.dmp
memory/1632-12-0x0000000010017000-0x0000000010027000-memory.dmp
memory/1632-14-0x0000000010000000-0x000000001002A000-memory.dmp
memory/1632-16-0x0000000000020000-0x0000000000023000-memory.dmp
memory/1632-17-0x0000000010017000-0x0000000010027000-memory.dmp
memory/1632-18-0x0000000010000000-0x000000001002A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-24 17:30
Reported
2024-06-24 17:33
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Server Software Component: Terminal Services DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\589609\Parameters\ServiceDll = "C:\\Windows\\system32\\589609.dll" | C:\Users\Admin\AppData\Local\Temp\09dc3ad60f0b1c8b573b5b748297e414_JaffaCakes118.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\589609.dll | C:\Users\Admin\AppData\Local\Temp\09dc3ad60f0b1c8b573b5b748297e414_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\09dc3ad60f0b1c8b573b5b748297e414_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 5112 wrote to memory of 4152 | N/A | C:\Users\Admin\AppData\Local\Temp\09dc3ad60f0b1c8b573b5b748297e414_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 5112 wrote to memory of 4152 | N/A | C:\Users\Admin\AppData\Local\Temp\09dc3ad60f0b1c8b573b5b748297e414_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 5112 wrote to memory of 4152 | N/A | C:\Users\Admin\AppData\Local\Temp\09dc3ad60f0b1c8b573b5b748297e414_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\09dc3ad60f0b1c8b573b5b748297e414_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\09dc3ad60f0b1c8b573b5b748297e414_JaffaCakes118.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k 589609
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\09DC3A~1.EXE > nul
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | cool2319.gicp.net | udp |
| US | 8.8.8.8:53 | cool2319.gicp.net | udp |
Files
memory/5112-0-0x0000000000400000-0x000000000042D000-memory.dmp
\??\c:\windows\SysWOW64\589609.dll
| Hash | Value |
|---|---|
| MD5 | 5f6869549a2fbee443bf6476426d23f7 |
| SHA1 | 5df22fe768c2e8bde6682e9a5d5c9ec89b050a8b |
| SHA256 | d5b9a92ffb068efbfdfcdccfab285812aea8bee6242c43c4113a7fd8b5867125 |
| SHA512 | 01db951c7fdd2d22a2fb860d1683eb99c91b2357821ce40ce2acdf056a6c7cc60b699699507aa5fd4e027e17146029e8869693fe362d4b7a7f6aa3bdd6c43248 |
memory/5112-7-0x0000000000400000-0x000000000042D000-memory.dmp
memory/4424-8-0x0000000010000000-0x000000001002A000-memory.dmp
memory/4424-9-0x0000000000B50000-0x0000000000B53000-memory.dmp
memory/4424-10-0x0000000010000000-0x000000001002A000-memory.dmp
memory/4424-13-0x0000000010000000-0x000000001002A000-memory.dmp
memory/4424-12-0x0000000010017000-0x0000000010027000-memory.dmp
memory/4424-14-0x0000000010000000-0x000000001002A000-memory.dmp
memory/4424-16-0x0000000000B50000-0x0000000000B53000-memory.dmp
memory/4424-17-0x0000000010017000-0x0000000010027000-memory.dmp
memory/4424-18-0x0000000010000000-0x000000001002A000-memory.dmp