Malware Analysis Report

2025-03-15 06:33

Sample ID 240624-xkf7xaxfpb
Target 0a4144a6b518bc67f1c9c8511a9a46a4_JaffaCakes118
SHA256 2deeab84f5004177c12c6421486b934b6edf2bdad3c0eeef8856ad3a812f8f01
Tags
gh0strat bootkit persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2deeab84f5004177c12c6421486b934b6edf2bdad3c0eeef8856ad3a812f8f01

Threat Level: Known bad

The file 0a4144a6b518bc67f1c9c8511a9a46a4_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

gh0strat bootkit persistence rat

Gh0st RAT payload

Gh0strat

Deletes itself

Loads dropped DLL

Executes dropped EXE

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Program crash

Modifies data under HKEY_USERS

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-24 18:54

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-24 18:54

Reported

2024-06-24 18:57

Platform

win7-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0a4144a6b518bc67f1c9c8511a9a46a4_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Gh0strat

rat gh0strat

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | \??\c:\users\admin\appdata\local\iejtbckovo | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\users\admin\appdata\local\iejtbckovo | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\svchost.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\ukgmjwfhcw | C:\Windows\SysWOW64\svchost.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\svchost.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7" | C:\Windows\SysWOW64\svchost.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | \??\c:\users\admin\appdata\local\iejtbckovo | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | \??\c:\users\admin\appdata\local\iejtbckovo | N/A
Token: SeBackupPrivilege | N/A | \??\c:\users\admin\appdata\local\iejtbckovo | N/A
Token: SeBackupPrivilege | N/A | \??\c:\users\admin\appdata\local\iejtbckovo | N/A
Token: SeRestorePrivilege | N/A | \??\c:\users\admin\appdata\local\iejtbckovo | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
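
The signature rows above translate directly into host detections: a raw open of \??\PhysicalDrive0 for write, a random ten-letter file with no extension dropped into SysWOW64, an extension-less binary executed from AppData\Local, and SeBackupPrivilege, SeRestorePrivilege and SeSecurityPrivilege all adjusted by the same svchost.exe. The Python below is an added example, not part of this sandbox report or of any sandbox's code. It runs those rules over a constructed event list in a hypothetical flat schema (the field names type, pid, image, target, access and privilege are assumptions) that mirrors the report's rows, plus two constructed benign events that must not fire. The svchost.exe.txt event is taken from the behavioral2 table further down so the lookalike rule is exercised as well; the `[a-z]{8,12}` naming pattern is an assumption generalised from the ten-letter names the report shows.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed events in a simplified, hypothetical schema (flat dicts).
# Paths and privilege names are the report's; the schema is not the sandbox's.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process_create", "pid": "2196",
     "image": r"C:\Users\Admin\AppData\Local\iejtbckovo"},
    {"type": "file_open", "pid": "2352", "access": "write",
     "image": r"C:\Windows\SysWOW64\svchost.exe", "target": r"\??\PhysicalDrive0"},
    {"type": "file_create", "pid": "2352",
     "image": r"C:\Windows\SysWOW64\svchost.exe", "target": r"C:\Windows\SysWOW64\ukgmjwfhcw"},
    {"type": "file_open", "pid": "2352", "access": "write",
     "image": r"C:\Windows\SysWOW64\svchost.exe", "target": r"C:\Windows\SysWOW64\svchost.exe.txt"},
    {"type": "privilege_adjust", "pid": "2352",
     "image": r"C:\Windows\SysWOW64\svchost.exe", "privilege": "SeBackupPrivilege"},
    {"type": "privilege_adjust", "pid": "2352",
     "image": r"C:\Windows\SysWOW64\svchost.exe", "privilege": "SeRestorePrivilege"},
    {"type": "privilege_adjust", "pid": "2352",
     "image": r"C:\Windows\SysWOW64\svchost.exe", "privilege": "SeSecurityPrivilege"},
    # Benign controls (constructed): neither of these must produce a finding.
    {"type": "file_create", "pid": "1000",
     "image": r"C:\Windows\System32\notepad.exe", "target": r"C:\Users\Admin\Documents\notes.txt"},
    {"type": "privilege_adjust", "pid": "900",
     "image": r"C:\Program Files\Backup\agent.exe", "privilege": "SeBackupPrivilege"},
]

# \\.\PhysicalDriveN (Win32 form) or \??\PhysicalDriveN (NT form, as the report logs it).
RAW_DISK_RE = re.compile(r"^(?:\\\\\.\\|\\\?\?\\)PhysicalDrive\d+$", re.IGNORECASE)
SYSTEM_DIR_RE = re.compile(r"^[A-Z]:\\Windows\\(?:System32|SysWOW64)\\([^\\]+)$", re.IGNORECASE)
RANDOM_NAME_RE = re.compile(r"^[a-z]{8,12}$")          # assumed naming scheme
LOOKALIKE_RE = re.compile(r"^[^.\\]+\.exe\.[a-z0-9]+$", re.IGNORECASE)
APPDATA_LOCAL_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\([^\\]+)$", re.IGNORECASE)

Finding = Tuple[str, str, str]  # (rule, image, indicator)


def detect_raw_disk_write(ev: Dict[str, str]) -> List[Finding]:
    """Write access to a raw physical disk: the 'Writes to the MBR' row."""
    if (ev.get("type") == "file_open" and ev.get("access") == "write"
            and RAW_DISK_RE.match(ev.get("target", ""))):
        return [("raw_disk_write", ev["image"], ev["target"])]
    return []


def detect_system_dir_drop(ev: Dict[str, str]) -> List[Finding]:
    """Random or lookalike file names created/modified in System32 or SysWOW64."""
    if ev.get("type") not in ("file_create", "file_open"):
        return []
    m = SYSTEM_DIR_RE.match(ev.get("target", ""))
    if not m:
        return []
    name = m.group(1)
    if RANDOM_NAME_RE.match(name):
        return [("random_name_in_system_dir", ev["image"], ev["target"])]
    if LOOKALIKE_RE.match(name):
        return [("system_binary_name_with_extra_extension", ev["image"], ev["target"])]
    return []


def detect_extensionless_exec_from_appdata(ev: Dict[str, str]) -> List[Finding]:
    """A process image directly under AppData\\Local with no file extension."""
    if ev.get("type") != "process_create":
        return []
    m = APPDATA_LOCAL_RE.match(ev.get("image", ""))
    if m and "." not in m.group(1):
        return [("extensionless_exec_from_appdata", ev["image"], ev["image"])]
    return []


def detect_backup_restore_privs(events: List[Dict[str, str]]) -> List[Finding]:
    """SeBackup alone is normal for backup software; Backup AND Restore in one PID is not."""
    privs, image = defaultdict(set), {}
    for ev in events:
        if ev.get("type") == "privilege_adjust":
            privs[ev["pid"]].add(ev["privilege"])
            image[ev["pid"]] = ev["image"]
    return [("backup_and_restore_privs", image[pid], ",".join(sorted(got)))
            for pid, got in privs.items()
            if {"SeBackupPrivilege", "SeRestorePrivilege"} <= got]


def run_detections(events: List[Dict[str, str]]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        findings += detect_raw_disk_write(ev)
        findings += detect_system_dir_drop(ev)
        findings += detect_extensionless_exec_from_appdata(ev)
    findings += detect_backup_restore_privs(events)
    return findings


if __name__ == "__main__":
    for rule, image, indicator in run_detections(SAMPLE_EVENTS):
        print(f"{rule:42} {image}  <-  {indicator}")
```

Run stand-alone it prints five findings and nothing for the two benign events. The privilege rule is deliberately stateful across events: a single SeBackupPrivilege request is routine, so the rule keys on the combination the report shows per process rather than on any one row.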

Processes

C:\Users\Admin\AppData\Local\Temp\0a4144a6b518bc67f1c9c8511a9a46a4_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0a4144a6b518bc67f1c9c8511a9a46a4_JaffaCakes118.exe"

\??\c:\users\admin\appdata\local\iejtbckovo

"C:\Users\Admin\AppData\Local\Temp\0a4144a6b518bc67f1c9c8511a9a46a4_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\0a4144a6b518bc67f1c9c8511a9a46a4_jaffacakes118.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | bibo9.8800.org | udp
US | 8.8.8.8:53 | conf.f.360.cn | udp
US | 8.8.8.8:53 | www.baidu.com | udp
US | 8.8.8.8:53 | qup.f.360.cn | udp
US | 8.8.8.8:53 | www.163.com | udp
US | 8.8.8.8:53 | u.qurl.f.360.cn | udp
US | 8.8.8.8:53 | qurl.f.360.cn | udp
US | 8.8.8.8:53 | qurl.qh-lb.com | udp
US | 8.8.8.8:53 | qup.qh-lb.com | udp
US | 8.8.8.8:53 | sdup.360.cn | udp
US | 8.8.8.8:53 | sdup.qh-lb.com | udp
US | 8.8.8.8:53 | sdupm.360.cn | udp
US | 8.8.8.8:53 | sdup.qh-lb.com | udp
US | 8.8.8.8:53 |  | udp

Files

memory/2956-2-0x0000000000030000-0x0000000000031000-memory.dmp

memory/2956-1-0x0000000000400000-0x000000000044E308-memory.dmp

\Users\Admin\AppData\Local\iejtbckovo

MD5 ea5071586893266b9cb5275a2a705273
SHA1 b213abbb7e7ec58878fd465fe987b8ff5a999912
SHA256 bad554ed27f199eb821468cb2b498eee7fc2b8de2a617539377b05a7524adc06
SHA512 1f051ef1fd864e1f4d2b792e447dab37f9594009c5a420e3caae2465f1ac1dd51fcd0a97a15b7f787d3cacb187820f6c705d3a4b2ac1c1aa4da227411ac16e40

memory/2956-6-0x0000000001B70000-0x0000000001BBF000-memory.dmp

memory/2196-17-0x0000000000030000-0x0000000000031000-memory.dmp

memory/2196-16-0x0000000000400000-0x000000000044E308-memory.dmp

memory/2956-13-0x0000000000400000-0x000000000044E308-memory.dmp

\??\c:\programdata\application data\storm\update\%sessionname%\oiycm.cc3

MD5 460982d6cdb8a3522213d50b8d3986ac
SHA1 280680d20ff4d3c1638790bf00dd85decd1ff3b4
SHA256 891833c9928b5077599bd79c10ae152ee29d2bc00abca86324c2898a49e92860
SHA512 ab0356494e5f476278b44e1e25d2a7daa4ace7ace0fe93e1c1bf69973da9fd15455a90dca9405a658a6b8b929bae9cdb4911b8c6284e216bd0256ae5f178c83e

memory/2196-23-0x0000000000400000-0x000000000044E308-memory.dmp

memory/2352-24-0x0000000000150000-0x0000000000151000-memory.dmp

memory/2352-26-0x0000000020000000-0x0000000020027000-memory.dmp

memory/2352-30-0x0000000020000000-0x0000000020027000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-24 18:54

Reported

2024-06-24 18:57

Platform

win10v2004-20240611-en

Max time kernel

139s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0a4144a6b518bc67f1c9c8511a9a46a4_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Gh0strat

rat gh0strat

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | \??\c:\users\admin\appdata\local\eojnyxhfrs | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\users\admin\appdata\local\eojnyxhfrs | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\uslkpjoycd | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | C:\Windows\SysWOW64\svchost.exe | N/A
File created | C:\Windows\SysWOW64\ubyexmqvpx | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | C:\Windows\SysWOW64\svchost.exe | N/A
File created | C:\Windows\SysWOW64\ujnwgpttdt | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | C:\Windows\SysWOW64\svchost.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | \??\c:\users\admin\appdata\local\eojnyxhfrs | N/A
N/A | N/A | \??\c:\users\admin\appdata\local\eojnyxhfrs | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | \??\c:\users\admin\appdata\local\eojnyxhfrs | N/A
Token: SeBackupPrivilege | N/A | \??\c:\users\admin\appdata\local\eojnyxhfrs | N/A
Token: SeBackupPrivilege | N/A | \??\c:\users\admin\appdata\local\eojnyxhfrs | N/A
Token: SeRestorePrivilege | N/A | \??\c:\users\admin\appdata\local\eojnyxhfrs | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0a4144a6b518bc67f1c9c8511a9a46a4_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0a4144a6b518bc67f1c9c8511a9a46a4_JaffaCakes118.exe"

\??\c:\users\admin\appdata\local\eojnyxhfrs

"C:\Users\Admin\AppData\Local\Temp\0a4144a6b518bc67f1c9c8511a9a46a4_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\0a4144a6b518bc67f1c9c8511a9a46a4_jaffacakes118.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2280 -ip 2280

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 1040

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 544 -ip 544

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 920

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4244 -ip 4244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 948

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | conf.f.360.cn | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.251.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp
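
Both Network tables (behavioral1 above and behavioral2 here) are DNS-heavy, and most rows are not the sample reaching its operator: the in-addr.arpa names are reverse lookups that typically come from the operating system rather than the sample, and the 360.cn, qh-lb.com, baidu.com, 163.com and bing.net names are well-known sites. The Python below is an added example, not part of the report. It parses both tables as they appear on this page (copied here as constructed input, including the row with no recorded domain), turns each PTR name back into the IP address that was looked up, and buckets every domain so that the one unexplained name, bibo9.8800.org, stands alone. The two zone lists DYNAMIC_DNS_ZONES and WELL_KNOWN_ZONES are analyst assumptions supplied for the example, not data from the report, and "well known" is a triage bucket, not a statement that those lookups are harmless.

```python
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed copies of the two Network tables in this report.
BEHAVIORAL1_NETWORK = """\
Country Destination Domain Proto
US 8.8.8.8:53 bibo9.8800.org udp
US 8.8.8.8:53 conf.f.360.cn udp
US 8.8.8.8:53 www.baidu.com udp
US 8.8.8.8:53 qup.f.360.cn udp
US 8.8.8.8:53 www.163.com udp
US 8.8.8.8:53 u.qurl.f.360.cn udp
US 8.8.8.8:53 qurl.f.360.cn udp
US 8.8.8.8:53 qurl.qh-lb.com udp
US 8.8.8.8:53 qup.qh-lb.com udp
US 8.8.8.8:53 sdup.360.cn udp
US 8.8.8.8:53 sdup.qh-lb.com udp
US 8.8.8.8:53 sdupm.360.cn udp
US 8.8.8.8:53 sdup.qh-lb.com udp
US 8.8.8.8:53 udp
"""
BEHAVIORAL2_NETWORK = """\
Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 conf.f.360.cn udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 31.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
"""

# Assumed analyst lists (not from the report): dynamic-DNS zones that
# routinely host Gh0st controllers, and sites treated as background noise.
DYNAMIC_DNS_ZONES = {"8800.org", "3322.org", "f3322.net", "xicp.net",
                     "vicp.net", "eicp.net", "gnway.net", "oray.net"}
WELL_KNOWN_ZONES = {"360.cn", "qh-lb.com", "baidu.com", "163.com", "bing.net"}


def in_zone(domain: str, zones) -> bool:
    d = domain.lower().rstrip(".")
    return any(d == z or d.endswith("." + z) for z in zones)


def ptr_to_ip(name: str) -> Optional[str]:
    """'154.239.44.20.in-addr.arpa' -> '20.44.239.154'; None if not a PTR name."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        return None
    return ".".join(reversed(labels[:4]))


def classify_domain(domain: Optional[str]) -> str:
    if domain is None:
        return "unresolved_name"        # the report row had no domain column
    if ptr_to_ip(domain):
        return "reverse_lookup"
    if in_zone(domain, DYNAMIC_DNS_ZONES):
        return "dynamic_dns"
    if in_zone(domain, WELL_KNOWN_ZONES):
        return "well_known_site"
    return "other"


def parse_rows(text: str) -> List[Dict[str, Optional[str]]]:
    """Whitespace-separated rows; a 3-field row is one with the Domain cell empty."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "Country":
            continue
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            (country, dest, proto), domain = parts, None
        else:
            continue
        rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto})
    return rows


def triage(text: str) -> Dict[str, List[str]]:
    """Bucket -> sorted unique names (or destinations, for rows without a name)."""
    buckets = defaultdict(set)
    for r in parse_rows(text):
        buckets[classify_domain(r["domain"])].add(r["domain"] or r["dest"])
    return {k: sorted(v) for k, v in buckets.items()}


def reverse_lookup_targets(text: str) -> List[str]:
    """The IPs that were reverse-resolved, in normal dotted order."""
    return sorted({ptr_to_ip(r["domain"]) for r in parse_rows(text)
                   if r["domain"] and ptr_to_ip(r["domain"])})


if __name__ == "__main__":
    for label, text in (("behavioral1", BEHAVIORAL1_NETWORK), ("behavioral2", BEHAVIORAL2_NETWORK)):
        print(label, triage(text))
        print(label, "reverse-resolved IPs:", reverse_lookup_targets(text))
```

The reverse-resolved addresses are worth keeping: if the same sample later resolves one of them as an A record, or connects to it directly, the PTR rows stop being noise. The row whose Domain cell is empty is reported under its destination (8.8.8.8:53) rather than dropped, so the count of DNS rows still matches the table.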

Files

memory/1664-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/1664-1-0x0000000000400000-0x000000000044E308-memory.dmp

C:\Users\Admin\AppData\Local\eojnyxhfrs

MD5 7e96ab80e2417dd9f4b8e1e9c5d76175
SHA1 83d08ea47444c22effe98d51dd251124e2444822
SHA256 c22bfc9baa1603f97c690139d013f911aab31764791010bde7a393dce6341b30
SHA512 6562c91395635f21b5355a2d78a627fe457eb8965fe0179bf9fa6e4614a9997a637425b1c265b22bf8e56a3d221fa6be9229d00d30074dfe6cfc98461cb8efa6

memory/2856-12-0x0000000000400000-0x000000000044E308-memory.dmp

memory/2856-11-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/1664-8-0x0000000000400000-0x000000000044E308-memory.dmp

\??\c:\programdata\application data\storm\update\%sessionname%\tubxg.cc3

MD5 c09f5566c0a3e2cd9007610cf136e921
SHA1 f62a7ccd263a04359cb9d74441bd1487e1d201d5
SHA256 8c98f90204c61faac55fb20f44bbcc2857c0cb2f39cf99edbb4fed75ffc2bee1
SHA512 752f4648e14955ebf6edcee2838809c444522837b65b55c9af8468db3a293dc97d66b175a310aa046833d33b57067702f8540a46c28c56d05a5f46f15f022b7a

memory/2856-17-0x0000000000400000-0x000000000044E308-memory.dmp

memory/2280-18-0x0000000001640000-0x0000000001641000-memory.dmp

memory/2280-20-0x0000000020000000-0x0000000020027000-memory.dmp

memory/544-22-0x0000000001680000-0x0000000001681000-memory.dmp

C:\Windows\SysWOW64\svchost.exe.txt

MD5 0ff26672e468416aac156a45f1b44fd9
SHA1 34494c56e5540a514eaad613b8202b149f2dc894
SHA256 9ecbb6a0a86822eebddd8937ad07136d537dcf1fb32e4cf4eff8cff4937dd91e
SHA512 50fe705b07583ce460d8736d343d680c62f22ab1181923fd7873bc49f18190d087de41154acf0013c8db07231aa7afd50d5b5203f9dedc2d054af432dbd187e7

memory/544-25-0x0000000020000000-0x0000000020027000-memory.dmp

memory/4244-27-0x0000000001DE0000-0x0000000001DE1000-memory.dmp

C:\Windows\SysWOW64\svchost.exe.txt

MD5 42fe21ae2201d550cdcf169fc42392b8
SHA1 3024bc8ea535c0e2b1cb91272a65ce7a84e7333b
SHA256 d3873c045026a7ab2b7e8deec27b61dbb0a07afd30ebcc13adfa05545b57c2c3
SHA512 589f532efe54a9aaa2ec153103e7498749ffc301b3ecaa084a1a4787281099abac7628af856f5551d9e11ae48c8a55d30fd94002f1b3df233639d30725461150

memory/4244-30-0x0000000020000000-0x0000000020027000-memory.dmp
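
The Files sections of both detonations list the same kinds of artefacts: an extension-less copy of the dropper in AppData\Local (iejtbckovo in behavioral1, eojnyxhfrs here), a .cc3 file under ProgramData\Application Data\storm\update\%sessionname%, and, in behavioral2, C:\Windows\SysWOW64\svchost.exe.txt listed twice with different hashes. The memory entries show the same 0x27000-byte region at 0x20000000 in every svchost.exe PID (2352 in behavioral1; 2280, 544 and 4244 here), which is the first place to look for the payload. The Python below is an added example, not part of the report: it parses an excerpt of both Files sections copied from this page (constructed input; blank lines dropped and SHA512 kept for the first two entries only), validates each digest's length and alphabet before it could reach a blocklist, flags the path properties a hunter keys on, and picks out the rewritten file and the memory mapping shared across processes. The flag names and the `memory/PID-INDEX-START-END-memory.dmp` interpretation of the dump names are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed excerpt of the two Files sections above (report's own paths/digests).
FILES_EXCERPT = r"""
memory/2956-1-0x0000000000400000-0x000000000044E308-memory.dmp
\Users\Admin\AppData\Local\iejtbckovo
MD5 ea5071586893266b9cb5275a2a705273
SHA1 b213abbb7e7ec58878fd465fe987b8ff5a999912
SHA256 bad554ed27f199eb821468cb2b498eee7fc2b8de2a617539377b05a7524adc06
SHA512 1f051ef1fd864e1f4d2b792e447dab37f9594009c5a420e3caae2465f1ac1dd51fcd0a97a15b7f787d3cacb187820f6c705d3a4b2ac1c1aa4da227411ac16e40
\??\c:\programdata\application data\storm\update\%sessionname%\oiycm.cc3
MD5 460982d6cdb8a3522213d50b8d3986ac
SHA1 280680d20ff4d3c1638790bf00dd85decd1ff3b4
SHA256 891833c9928b5077599bd79c10ae152ee29d2bc00abca86324c2898a49e92860
SHA512 ab0356494e5f476278b44e1e25d2a7daa4ace7ace0fe93e1c1bf69973da9fd15455a90dca9405a658a6b8b929bae9cdb4911b8c6284e216bd0256ae5f178c83e
memory/2352-26-0x0000000020000000-0x0000000020027000-memory.dmp
C:\Users\Admin\AppData\Local\eojnyxhfrs
MD5 7e96ab80e2417dd9f4b8e1e9c5d76175
SHA1 83d08ea47444c22effe98d51dd251124e2444822
SHA256 c22bfc9baa1603f97c690139d013f911aab31764791010bde7a393dce6341b30
\??\c:\programdata\application data\storm\update\%sessionname%\tubxg.cc3
MD5 c09f5566c0a3e2cd9007610cf136e921
SHA1 f62a7ccd263a04359cb9d74441bd1487e1d201d5
SHA256 8c98f90204c61faac55fb20f44bbcc2857c0cb2f39cf99edbb4fed75ffc2bee1
memory/2280-20-0x0000000020000000-0x0000000020027000-memory.dmp
C:\Windows\SysWOW64\svchost.exe.txt
MD5 0ff26672e468416aac156a45f1b44fd9
SHA1 34494c56e5540a514eaad613b8202b149f2dc894
SHA256 9ecbb6a0a86822eebddd8937ad07136d537dcf1fb32e4cf4eff8cff4937dd91e
memory/544-25-0x0000000020000000-0x0000000020027000-memory.dmp
C:\Windows\SysWOW64\svchost.exe.txt
MD5 42fe21ae2201d550cdcf169fc42392b8
SHA1 3024bc8ea535c0e2b1cb91272a65ce7a84e7333b
SHA256 d3873c045026a7ab2b7e8deec27b61dbb0a07afd30ebcc13adfa05545b57c2c3
memory/4244-30-0x0000000020000000-0x0000000020027000-memory.dmp
"""

MEMORY_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+(\S+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
ENV_RE = re.compile(r"%[^%\\]+%")
NT_PREFIX = "\\??\\"   # NT object-manager prefix the sandbox logs on some paths


def normalize_path(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def path_flags(path: str) -> List[str]:
    """Assumed flag names for the path properties a hunter keys on."""
    flags, base = [], path.rsplit("\\", 1)[-1]
    if path.startswith(NT_PREFIX):
        flags.append("nt_object_path")
    if ENV_RE.search(path):
        flags.append("unexpanded_env_var")     # %sessionname% is literal in the report
    if "." not in base:
        flags.append("no_extension")           # dropper executed without .exe
    elif ".exe." in base.lower():
        flags.append("exe_plus_extra_extension")
    return flags


def parse_files_section(text: str):
    """Return (file entries, memory regions) from the flattened Files listing."""
    files, regions, current = [], [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        m = MEMORY_RE.match(line)
        if m:
            pid, idx, start, end = m.groups()
            s, e = int(start, 16), int(end, 16)
            regions.append({"pid": int(pid), "index": int(idx), "start": s, "end": e, "size": e - s})
            current = None
            continue
        m = HASH_RE.match(line)
        if m:
            if current is not None:
                current["hashes"][m.group(1)] = m.group(2).lower()
            continue
        current = {"path": line, "normalized": normalize_path(line),
                   "hashes": {}, "flags": path_flags(line)}
        files.append(current)
    return files, regions


def validate_hashes(entry: Dict) -> List[str]:
    """Digests of the wrong length or alphabet must never reach a blocklist."""
    return [f"{entry['path']}: bad {algo} {val!r}"
            for algo, val in entry["hashes"].items()
            if len(val) != HASH_LEN[algo] or not re.fullmatch(r"[0-9a-f]+", val)]


def rewritten_paths(files) -> List[str]:
    """Paths listed with more than one SHA256: the file changed during the run."""
    seen = defaultdict(set)
    for f in files:
        if "SHA256" in f["hashes"]:
            seen[f["normalized"]].add(f["hashes"]["SHA256"])
    return sorted(p for p, hs in seen.items() if len(hs) > 1)


def shared_regions(regions) -> Dict[Tuple[int, int], List[int]]:
    """(start, size) mappings that occur in more than one PID."""
    pids = defaultdict(set)
    for r in regions:
        pids[(r["start"], r["size"])].add(r["pid"])
    return {k: sorted(v) for k, v in pids.items() if len(v) > 1}


if __name__ == "__main__":
    fs, rs = parse_files_section(FILES_EXCERPT)
    for f in fs:
        print(f["normalized"], f["flags"], f["hashes"].get("SHA256"), validate_hashes(f))
    print("rewritten:", rewritten_paths(fs))
    print("shared mappings:", {(hex(s), hex(n)): p for (s, n), p in shared_regions(rs).items()})
```

The %sessionname% component is left unexpanded on purpose: the report records the variable name, not a value, so a hunt should glob that directory level rather than substitute a guess. svchost.exe.txt comes out of rewritten_paths because the two listings carry different digests, which is the behaviour of a log or staging file that is appended to, not of a dropped binary; hash-based blocking is the wrong tool for that path and the name pattern is the better indicator.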