Analysis Overview
SHA256
85b263f03e965cae1d5660ea8db7808ea8e17bf6c0ab04166c5811a309268943
Threat Level: Known bad
The file 0a46a42dde66b029b74c5524c08a02e2_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Gh0strat family
Gh0st RAT payload
Gh0strat
Deletes itself
Loads dropped DLL
Drops file in Program Files directory
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: LoadsDriver
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-24 18:58
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Gh0strat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-24 18:58
Reported
2024-06-24 19:00
Platform
win7-20240508-en
Max time kernel
150s
Max time network
119s
Command Line: (none recorded; the sample's own command line is listed under Processes)
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Rnop\Wnopqrstu.gif | C:\Users\Admin\AppData\Local\Temp\0a46a42dde66b029b74c5524c08a02e2_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Rnop\Wnopqrstu.gif | C:\Users\Admin\AppData\Local\Temp\0a46a42dde66b029b74c5524c08a02e2_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0a46a42dde66b029b74c5524c08a02e2_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0a46a42dde66b029b74c5524c08a02e2_JaffaCakes118.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0a46a42dde66b029b74c5524c08a02e2_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0a46a42dde66b029b74c5524c08a02e2_JaffaCakes118.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0a46a42dde66b029b74c5524c08a02e2_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0a46a42dde66b029b74c5524c08a02e2_JaffaCakes118.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0a46a42dde66b029b74c5524c08a02e2_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0a46a42dde66b029b74c5524c08a02e2_JaffaCakes118.exe | N/A |
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\0a46a42dde66b029b74c5524c08a02e2_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\0a46a42dde66b029b74c5524c08a02e2_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe -k imgsvc |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | balfhvniu.oicp.net | udp |
| US | 8.8.8.8:53 | balfhvniu.oicp.net | udp |
| US | 8.8.8.8:53 | balfhvniu.oicp.net | udp |
Files
C:\Program Files (x86)\Rnop\Wnopqrstu.gif
| MD5 | cede178859aeffcb975dfe54bcd7e67b |
| SHA1 | 6af75f12ec108a7a76b4cecdf66227f5d78e8ecd |
| SHA256 | d189ada7513ba7250d449e955af6f5a66ae29bf66653a406d11dac6c21994692 |
| SHA512 | 5658db820db593c60f57d8ca70b10c6eaf5eaa8e73cfbb0bf149a9c2036fad8e3b907fd30ec4c44d8101b4a2ca75ea0404ba7202445f9948aaa55b80ea510da6 |
\??\c:\program files (x86)\rnop\wnopqrstu.gif
| MD5 | 02c812ccacb7e83531a5051ecfbb2a79 |
| SHA1 | e03301f2f1a193e2589e3978d1fdc1f3c576a1f7 |
| SHA256 | 79d0718a91f3a12a0412579dd05dd0393bd716fab91ceb44000da6efdb1a2489 |
| SHA512 | 88adf69736ccb11e2fdfc44b5d2ed78bf8d96c2146dda35b43864352237fb9cb9bc0df4f111de6d6e022b4d35f4de68a9a6440710fc8308985720dead5e44a6e |
memory/1636-9-0x0000000010000000-0x0000000010028000-memory.dmp
C:\WinWall32.gif
| MD5 | f00aa251e80f71bed676fb2ad3e12402 |
| SHA1 | 1fa8944b6ba97be286ba58fbbd9e223ea357ab45 |
| SHA256 | 7738f7e66f0cb0ba56e6874d480a0d74d59526fb56be4bf4e1085de7c6e21c28 |
| SHA512 | 1ab9620e6661dd303caced22909ba09ea9fa7cbca8dd8d2521a3c4b74a69775b5120b9da3551d22d617f73b515610623fc774d2962cfae1b83fb4b2ca1649461 |
C:\1012300.dll
| MD5 | 7fbf87f4662b6841630613923920cb58 |
| SHA1 | 63398a99546b56d53c4db059e0141b71377d998a |
| SHA256 | 37086ee6b810b23b6e7786ea804acbd36604dfde5eaae406c219bffffd1f06d9 |
| SHA512 | aab6055dc1c9380ce63e601dc49f80c0e63179d78a258d6b8e73940459556060755fbfa42f0e11cd498e60fa1bc3d0e44953875ac1f2455fb1339e9fb193fb5f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-24 18:58
Reported
2024-06-24 19:00
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
149s
Command Line: (none recorded; the sample's own command line is listed under Processes)
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0a46a42dde66b029b74c5524c08a02e2_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Rnop\Wnopqrstu.gif | C:\Users\Admin\AppData\Local\Temp\0a46a42dde66b029b74c5524c08a02e2_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Rnop\Wnopqrstu.gif | C:\Users\Admin\AppData\Local\Temp\0a46a42dde66b029b74c5524c08a02e2_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0a46a42dde66b029b74c5524c08a02e2_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0a46a42dde66b029b74c5524c08a02e2_JaffaCakes118.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0a46a42dde66b029b74c5524c08a02e2_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0a46a42dde66b029b74c5524c08a02e2_JaffaCakes118.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0a46a42dde66b029b74c5524c08a02e2_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0a46a42dde66b029b74c5524c08a02e2_JaffaCakes118.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0a46a42dde66b029b74c5524c08a02e2_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0a46a42dde66b029b74c5524c08a02e2_JaffaCakes118.exe | N/A |
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\0a46a42dde66b029b74c5524c08a02e2_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\0a46a42dde66b029b74c5524c08a02e2_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe -k imgsvc |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | balfhvniu.oicp.net | udp |
| US | 8.8.8.8:53 | balfhvniu.oicp.net | udp |
| US | 8.8.8.8:53 | balfhvniu.oicp.net | udp |
Files
C:\2506300.dll
| MD5 | 7fbf87f4662b6841630613923920cb58 |
| SHA1 | 63398a99546b56d53c4db059e0141b71377d998a |
| SHA256 | 37086ee6b810b23b6e7786ea804acbd36604dfde5eaae406c219bffffd1f06d9 |
| SHA512 | aab6055dc1c9380ce63e601dc49f80c0e63179d78a258d6b8e73940459556060755fbfa42f0e11cd498e60fa1bc3d0e44953875ac1f2455fb1339e9fb193fb5f |
\??\c:\program files (x86)\rnop\wnopqrstu.gif
| MD5 | 4d57089e123f50c82d59bc912b6a4942 |
| SHA1 | 3508c51ff832f9749eb505de151c65ff2e4d7d7e |
| SHA256 | 8eff093f8c45a262b5efce509e61f9ded998f512d2976fb6757edd4346873e48 |
| SHA512 | db46a3769e0b549cbf0fac928dfea760dc71df3d628af40a15ca0d1e425aa9f4f6e297135e4f4c9ec2e5b5e94a761882072a48b455a77d03fed944a9558e59ee |
C:\WinWall32.gif
| MD5 | 44302630ae590072e7de499d6c159264 |
| SHA1 | 77cf603f36f2304fa34da203b3f629776c11c845 |
| SHA256 | a43c1bbcd8440d6e17f3c7866ed0ef11402051c61616b7af673641b02c7c1bc3 |
| SHA512 | a9a8085c49f329e57ac0cbafde0f088c3906ffbef1e56cba62fb62adb7b15fbbeeb4675de928ca511e538142ba42c0aa0932288b4ce54395ea5b7940373a8713 |
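Comparing the two Files sections shows which of the recorded hashes are worth deploying: C:\Program Files (x86)\Rnop\Wnopqrstu.gif has three different SHA256 values across the two runs (two within behavioral1 alone) and C:\WinWall32.gif differs between runs, so those are per-detonation artifacts, whereas the DLL written to the drive root (C:\1012300.dll in behavioral1, C:\2506300.dll in behavioral2) keeps the same content under a changing name. The script below is an added example, not part of the report: it parses the report's own Files sections (copied verbatim as constructed input), normalises the `\??\` device-path form, and separates hashes seen in every run from paths whose content varies. The function names and the two-run threshold are assumptions.

```python
"""Consolidate per-run file hashes from a sandbox report into stable and
volatile indicators.  Added example; the input text is the report's two Files
sections, embedded here so the script runs offline."""
import re

# Sample data: the Files sections from behavioral1 and behavioral2 of this report, verbatim.
RUNS = {
    "behavioral1": r"""
C:\Program Files (x86)\Rnop\Wnopqrstu.gif
| MD5 | cede178859aeffcb975dfe54bcd7e67b |
| SHA1 | 6af75f12ec108a7a76b4cecdf66227f5d78e8ecd |
| SHA256 | d189ada7513ba7250d449e955af6f5a66ae29bf66653a406d11dac6c21994692 |
\??\c:\program files (x86)\rnop\wnopqrstu.gif
| MD5 | 02c812ccacb7e83531a5051ecfbb2a79 |
| SHA1 | e03301f2f1a193e2589e3978d1fdc1f3c576a1f7 |
| SHA256 | 79d0718a91f3a12a0412579dd05dd0393bd716fab91ceb44000da6efdb1a2489 |
memory/1636-9-0x0000000010000000-0x0000000010028000-memory.dmp
C:\WinWall32.gif
| MD5 | f00aa251e80f71bed676fb2ad3e12402 |
| SHA256 | 7738f7e66f0cb0ba56e6874d480a0d74d59526fb56be4bf4e1085de7c6e21c28 |
C:\1012300.dll
| MD5 | 7fbf87f4662b6841630613923920cb58 |
| SHA256 | 37086ee6b810b23b6e7786ea804acbd36604dfde5eaae406c219bffffd1f06d9 |
""",
    "behavioral2": r"""
C:\2506300.dll
| MD5 | 7fbf87f4662b6841630613923920cb58 |
| SHA256 | 37086ee6b810b23b6e7786ea804acbd36604dfde5eaae406c219bffffd1f06d9 |
\??\c:\program files (x86)\rnop\wnopqrstu.gif
| MD5 | 4d57089e123f50c82d59bc912b6a4942 |
| SHA256 | 8eff093f8c45a262b5efce509e61f9ded998f512d2976fb6757edd4346873e48 |
C:\WinWall32.gif
| MD5 | 44302630ae590072e7de499d6c159264 |
| SHA256 | a43c1bbcd8440d6e17f3c7866ed0ef11402051c61616b7af673641b02c7c1bc3 |
""",
}

# One hash row of the report's two-column table, e.g. "| SHA256 | d189... |".
ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")


def normalize_path(path: str) -> str:
    """Strip the NT device-path prefix and fold case so both spellings of one file compare equal."""
    path = path.strip()
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def parse_files_section(text: str) -> list[tuple[str, dict[str, str]]]:
    """Turn a Files section into (normalised path, {algorithm: hex digest}) entries.
    Lines that are not hash rows start a new entry; entries without rows (memory dumps) are kept empty."""
    entries: list[tuple[str, dict[str, str]]] = []
    current: tuple[str, dict[str, str]] | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ROW.match(line)
        if m is None:
            current = (normalize_path(line), {})
            entries.append(current)
            continue
        if current is None:
            raise ValueError(f"hash row before any path: {line}")
        current[1][m.group(1)] = m.group(2).lower()
    return entries


def consolidate(runs: dict[str, str]) -> dict[str, dict[str, list[str]]]:
    """stable_hashes: SHA256 seen in every run, with all names it was written under.
    volatile_paths: paths whose content differed within or across runs (do not use their hashes as IOCs)."""
    by_hash: dict[str, dict[str, set[str]]] = {}
    by_path: dict[str, dict[str, set[str]]] = {}
    for run, text in runs.items():
        for path, hashes in parse_files_section(text):
            sha = hashes.get("SHA256")
            if sha is None:
                continue
            by_hash.setdefault(sha, {}).setdefault(run, set()).add(path)
            by_path.setdefault(path, {}).setdefault(run, set()).add(sha)
    stable = {sha: sorted({p for paths in seen.values() for p in paths})
              for sha, seen in by_hash.items() if len(seen) == len(runs)}
    volatile = {}
    for path, seen in by_path.items():
        digests = {s for shas in seen.values() for s in shas}
        if len(digests) > 1:
            volatile[path] = sorted(digests)
    return {"stable_hashes": stable, "volatile_paths": volatile}


if __name__ == "__main__":
    result = consolidate(RUNS)
    for sha, names in result["stable_hashes"].items():
        print("stable  ", sha, names)
    for path, digests in result["volatile_paths"].items():
        print("volatile", path, f"{len(digests)} distinct SHA256")
```

Run it and the only stable content hash is the one shared by C:\1012300.dll and C:\2506300.dll; the numeric file name changes per run, so a file-name rule for the DLL should match the pattern of a digits-only name at the drive root rather than a literal name, while the two .gif paths are the reliable host indicators and their hashes are not.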