Malware Analysis Report

2025-03-15 06:33

Sample ID 240624-xvcmga1fkk
Target 0a54aa06961b372d7b08ea3d441e0d64_JaffaCakes118
SHA256 55f4bec3680f7d11105834785cbe2638d5114a0ca564e74ab59efbddbb2b2eee
Tags
gh0strat bootkit persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

55f4bec3680f7d11105834785cbe2638d5114a0ca564e74ab59efbddbb2b2eee

Threat Level: Known bad

The file 0a54aa06961b372d7b08ea3d441e0d64_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

gh0strat bootkit persistence rat

Gh0strat

Gh0st RAT payload

Executes dropped EXE

Deletes itself

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Unsigned PE

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Checks processor information in registry

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-24 19:10

Signatures

Unsigned PE

1 hit; no indicator details recorded for this signature.

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-24 19:10

Reported

2024-06-24 19:12

Platform

win7-20240611-en

Max time kernel

149s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0a54aa06961b372d7b08ea3d441e0d64_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

4 hits; no indicator details recorded for this signature.

Gh0strat

rat gh0strat

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | \??\c:\users\admin\appdata\local\fijyfherix | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\users\admin\appdata\local\fijyfherix | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\svchost.exe | N/A

The recorded event is a write-capable handle to the raw disk, not an observed sector write: the signature fires on the open. A write-access open is also what disk utilities and some anti-analysis routines request, so on its own it does not prove that the MBR was changed. Confirm by comparing the first 512 bytes of PhysicalDrive0 against a known-good copy (bootstrap code at offsets 0-439, disk signature at 440, partition table at 446-509, 0x55AA at 510-511).
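A baseline comparison that turns the PhysicalDrive0 open above into a verifiable finding, as an added example rather than anything from the report or the sample. Both sectors in the block are constructed: a baseline with stand-in boot code, and a copy whose bootstrap code was replaced while the partition table was left alone, which is the change a bootkit makes. read_live_mbr() shows the raw-disk read a real check would use on Windows (administrator rights required); it is not called.

```python
"""MBR baseline comparison for the PhysicalDrive0 indicator.

Added example for this page, not part of the report. The two 512-byte
sectors below are constructed, not taken from any machine.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE = slice(0, 440)       # bootstrap code
DISK_SIG = slice(440, 444)      # NT disk signature
PART_TABLE = slice(446, 510)    # four 16-byte partition entries
BOOT_SIG = slice(510, 512)      # 0x55 0xAA


def parse_mbr(sector: bytes) -> dict:
    """Validate the boot signature and pull out the fields a comparison needs."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    if sector[BOOT_SIG] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        entry = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]
        if ptype == 0:
            continue                      # empty slot
        lba_start, sector_count = struct.unpack_from("<II", entry, 8)
        partitions.append({"index": i, "bootable": entry[0] == 0x80,
                           "type": ptype, "lba_start": lba_start,
                           "sectors": sector_count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[BOOT_CODE]).hexdigest(),
        "disk_signature": struct.unpack("<I", sector[DISK_SIG])[0],
        "partitions": partitions,
    }


def compare_mbr(baseline: bytes, current: bytes) -> dict:
    """Report which regions differ between a known-good sector and the current one."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    return {
        "boot_code_changed": b["boot_code_sha256"] != c["boot_code_sha256"],
        "disk_signature_changed": b["disk_signature"] != c["disk_signature"],
        "partition_table_changed": baseline[PART_TABLE] != current[PART_TABLE],
    }


def verdict(diff: dict) -> str:
    """Boot code swapped with partitions intact is the bootkit pattern."""
    if diff["boot_code_changed"] and not diff["partition_table_changed"]:
        return "bootstrap code replaced, partition table intact: bootkit-style modification"
    if diff["boot_code_changed"] or diff["partition_table_changed"]:
        return "boot code and/or partition table changed: verify against disk management history"
    return "no change"


def read_live_mbr(drive=r"\\.\PhysicalDrive0") -> bytes:
    """Raw first-sector read; Windows only, needs administrator rights."""
    with open(drive, "rb") as fh:
        return fh.read(SECTOR)


def _make_sector(boot_code: bytes, disk_signature: int = 0x1234ABCD) -> bytes:
    """Assemble a constructed MBR with one bootable type-0x07 partition."""
    assert len(boot_code) == 440
    entry = bytes([0x80, 0x20, 0x21, 0x00, 0x07, 0xFE, 0xFF, 0xFF]) + struct.pack("<II", 2048, 204800)
    table = entry + b"\x00" * 48
    return boot_code + struct.pack("<IH", disk_signature, 0) + table + b"\x55\xaa"


BASELINE_MBR = _make_sector(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" * 55)   # constructed stand-in boot code
TAMPERED_MBR = _make_sector(b"\xeb\xfe" + b"\x90" * 438)                 # constructed: boot code swapped

if __name__ == "__main__":
    print(verdict(compare_mbr(BASELINE_MBR, TAMPERED_MBR)))
```

Keep the baseline sector from a clean image of the same host; a changed disk signature or partition table with unchanged boot code points to repartitioning rather than a bootkit, and the two cases need different follow-up.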

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\wbwsmavytt | C:\Windows\SysWOW64\svchost.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\svchost.exe | N/A

The ~MHz value is the CPU clock speed that the public Gh0st source reports to the controller in its login record; read on its own it is host fingerprinting for the beacon, not evidence of a VM check.

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7" | C:\Windows\SysWOW64\svchost.exe | N/A

ActiveMovie\devenum is the DirectShow device-enumerator cache, created the first time a process enumerates capture devices; it lands under .DEFAULT because the svchost.exe host runs as LocalSystem. That is consistent with the webcam and audio modules of the Gh0st family, though no capture activity itself is recorded here.

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | \??\c:\users\admin\appdata\local\fijyfherix | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Process | Privilege enabled | Count
\??\c:\users\admin\appdata\local\fijyfherix | SeRestorePrivilege | 2
\??\c:\users\admin\appdata\local\fijyfherix | SeBackupPrivilege | 2
C:\Windows\SysWOW64\svchost.exe | SeBackupPrivilege | 8
C:\Windows\SysWOW64\svchost.exe | SeRestorePrivilege | 2
C:\Windows\SysWOW64\svchost.exe | SeSecurityPrivilege | 4

SeBackupPrivilege and SeRestorePrivilege together bypass file and registry ACLs for reading and writing; SeSecurityPrivilege gives access to the security event log and to SACLs. A hosted service enabling all three in a fixed sequence is a usable detection in token-privilege telemetry.

Processes

Image | Command line
C:\Users\Admin\AppData\Local\Temp\0a54aa06961b372d7b08ea3d441e0d64_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\0a54aa06961b372d7b08ea3d441e0d64_JaffaCakes118.exe"
\??\c:\users\admin\appdata\local\fijyfherix | "C:\Users\Admin\AppData\Local\Temp\0a54aa06961b372d7b08ea3d441e0d64_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\0a54aa06961b372d7b08ea3d441e0d64_jaffacakes118.exe
C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe -k netsvcs

The second entry is the dropped copy (fijyfherix, no extension, under %LOCALAPPDATA%) started with the original's path as argv[0] and the argument a -s<original path>; with the "Deletes itself" signature attributed to that same process, this is the copy removing the file it was dropped from. The image path disagreeing with argv[0] is the detection hook. The svchost.exe -k netsvcs host is the process to which the later file, registry, privilege and raw-disk activity is attributed; the flat list does not record parentage.
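Detection logic for the behaviours in this run, as an added example that is not sandbox output and not code from the sample. The event rows are constructed to mirror the indicator tables above (raw-disk open, generated-name drop in SysWOW64, extensionless drop in %LOCALAPPDATA%, relaunch with a -s<original>, privilege enabling), with sample.exe standing in for the sample's file name and a few benign control rows that must not fire.

```python
"""Detection checks for the behaviours recorded in this report.

Added example for this page. EVENTS is constructed to mirror the report's
indicator rows; it is not sandbox output.
"""
import ntpath
import re

# (event_type, acting_process_image, object_or_command_line)
EVENTS = [
    ("process_start", r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\sample.exe"'),
    ("file_create", r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     r"C:\Users\Admin\AppData\Local\fijyfherix"),
    # dropped copy started with the original's path as argv[0] plus "a -s<original>"
    ("process_start", r"C:\Users\Admin\AppData\Local\fijyfherix",
     r'"C:\Users\Admin\AppData\Local\Temp\sample.exe" a -sc:\users\admin\appdata\local\temp\sample.exe'),
    ("file_delete", r"C:\Users\Admin\AppData\Local\fijyfherix",
     r"C:\Users\Admin\AppData\Local\Temp\sample.exe"),
    ("file_open_write", r"C:\Windows\SysWOW64\svchost.exe", r"\??\PhysicalDrive0"),
    ("file_create", r"C:\Windows\SysWOW64\svchost.exe", r"C:\Windows\SysWOW64\wbwsmavytt"),
    ("privilege", r"C:\Windows\SysWOW64\svchost.exe", "SeBackupPrivilege"),
    ("privilege", r"C:\Windows\SysWOW64\svchost.exe", "SeRestorePrivilege"),
    ("privilege", r"C:\Windows\SysWOW64\svchost.exe", "SeSecurityPrivilege"),
    # benign control rows (constructed): none of these should fire
    ("file_create", r"C:\Windows\System32\svchost.exe",
     r"C:\Windows\System32\config\systemprofile\AppData\Local\cache.dat"),
    ("process_start", r"C:\Windows\System32\notepad.exe", r'"C:\Windows\System32\notepad.exe"'),
    ("privilege", r"C:\Windows\System32\notepad.exe", "SeBackupPrivilege"),
]

RAW_DISK_RE = re.compile(r"^(\\\?\?\\|\\\\\.\\)PhysicalDrive\d+$", re.IGNORECASE)
GENERATED_NAME_RE = re.compile(r"^[a-z]{8,12}$")   # every generated name in the report is 10 letters
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SELF_DELETE_RE = re.compile(r'^"([^"]+)"\s+a\s+-s(\S+)', re.IGNORECASE)


def raw_disk_write_opens(events):
    """Processes that opened a physical drive with write access (the MBR precondition)."""
    return sorted({proc for kind, proc, obj in events
                   if kind == "file_open_write" and RAW_DISK_RE.match(obj)})


def service_host_drops(events):
    """svchost.exe creating generated-name files directly in System32/SysWOW64."""
    return [obj for kind, proc, obj in events
            if kind == "file_create"
            and ntpath.basename(proc).lower() == "svchost.exe"
            and ntpath.dirname(obj).lower() in SYSTEM_DIRS
            and GENERATED_NAME_RE.match(ntpath.basename(obj))]


def extensionless_appdata_executions(events):
    """Process images under %LOCALAPPDATA% that carry no file extension."""
    return [proc for kind, proc, _ in events
            if kind == "process_start"
            and "\\appdata\\local\\" in proc.lower()
            and ntpath.splitext(proc)[1] == ""]


def self_delete_relaunches(events):
    """Image path disagreeing with argv[0] plus an 'a -s<path>' argument; returns (image, target)."""
    hits = []
    for kind, proc, cmdline in events:
        if kind != "process_start":
            continue
        m = SELF_DELETE_RE.match(cmdline)
        if m and m.group(1).lower() != proc.lower():
            hits.append((proc, m.group(2)))
    return hits


def backup_restore_pairs(events):
    """Processes that enabled both SeBackupPrivilege and SeRestorePrivilege (ACL bypass pair)."""
    enabled = {}
    for kind, proc, name in events:
        if kind == "privilege":
            enabled.setdefault(proc, set()).add(name)
    return sorted(p for p, s in enabled.items()
                  if {"SeBackupPrivilege", "SeRestorePrivilege"} <= s)


def run_all(events):
    """Run every check and return its hits keyed by check name."""
    return {
        "raw_disk_write_open": raw_disk_write_opens(events),
        "service_host_drop": service_host_drops(events),
        "extensionless_appdata_exec": extensionless_appdata_executions(events),
        "self_delete_relaunch": self_delete_relaunches(events),
        "backup_restore_pair": backup_restore_pairs(events),
    }


if __name__ == "__main__":
    for name, hits in run_all(EVENTS).items():
        print(f"{name}: {hits}")
```

The self-delete check is the most specific of the five: an image path that differs from the quoted argv[0] is rare in legitimate software, and the a -s<path> argument narrows it to this family's loader. The generated-name pattern is deliberately loose (8 to 12 lowercase letters) so it also catches the other names in this report.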

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | bibo9.8800.org | udp
US | 8.8.8.8:53 | conf.f.360.cn | udp
US | 8.7.198.46:889 | bibo9.8800.org | tcp

bibo9.8800.org is a hostname under a dynamic-DNS parent domain; it is resolved and then contacted on TCP 889, a non-standard port, which makes 8.7.198.46:889 the command-and-control candidate. conf.f.360.cn is queried in both runs but no connection to it is recorded.
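What to look for on the TCP 889 session, as an added example rather than anything from the report or the sample. The framing follows the publicly released Gh0st source: a 5-byte flag, a little-endian uint32 total frame length (header included), a little-endian uint32 uncompressed length, then a zlib stream. "Gh0st" is that source's default flag; forks change it, and this report does not show the bytes this sample sent to 8.7.198.46:889, so the flag is an assumption and should be confirmed from a capture before it goes into a rule. The two-frame stream at the bottom is constructed.

```python
"""Gh0st RAT transport framing: build and parse frames.

Added example for this page, not code from the sample or the report.
The "Gh0st" flag is the public source's default and is an assumption
for this sample.
"""
import struct
import zlib

HEADER = struct.Struct("<5sII")   # flag, total_len, original_len
DEFAULT_FLAG = b"Gh0st"
MAX_FRAME = 16 * 1024 * 1024      # sanity bound against absurd length fields


def build_frame(payload: bytes, flag: bytes = DEFAULT_FLAG) -> bytes:
    """Frame one message the way the Gh0st client and controller code does."""
    body = zlib.compress(payload)
    return HEADER.pack(flag, HEADER.size + len(body), len(payload)) + body


def parse_frames(stream: bytes, flag: bytes = DEFAULT_FLAG):
    """Decode every complete frame in a byte stream.

    Returns (payloads, leftover). A trailing partial frame is returned as
    leftover so the caller can append the next TCP segment and retry.
    """
    payloads, off = [], 0
    while off + HEADER.size <= len(stream):
        got_flag, total_len, original_len = HEADER.unpack_from(stream, off)
        if got_flag != flag or total_len < HEADER.size or total_len > MAX_FRAME:
            raise ValueError(f"bad Gh0st header at offset {off}")
        if off + total_len > len(stream):
            break                                   # incomplete frame, buffer more
        data = zlib.decompress(stream[off + HEADER.size: off + total_len])
        if len(data) != original_len:
            raise ValueError("original_len does not match decompressed size")
        payloads.append(data)
        off += total_len
    return payloads, stream[off:]


def looks_like_gh0st(first_bytes: bytes, flag: bytes = DEFAULT_FLAG) -> bool:
    """Cheap check on the first 15+ bytes of a stream: flag, sane lengths, zlib header."""
    if len(first_bytes) < HEADER.size + 2:
        return False
    got_flag, total_len, original_len = HEADER.unpack_from(first_bytes, 0)
    cmf, flg = first_bytes[HEADER.size], first_bytes[HEADER.size + 1]
    return (got_flag == flag
            and HEADER.size < total_len <= MAX_FRAME
            and (cmf & 0x0F) == 8                   # CM = 8, deflate
            and ((cmf << 8) | flg) % 31 == 0)       # zlib FCHECK


# Constructed sample: a two-frame exchange, not bytes from the sample.
SAMPLE_STREAM = build_frame(b"\x01constructed-login-record") + build_frame(b"\x02heartbeat")

if __name__ == "__main__":
    print(parse_frames(SAMPLE_STREAM))
```

parse_frames() is the shape of a reassembly routine for a capture or a proxy; looks_like_gh0st() is the cheap first-packet test for a network sensor, and the flag value is the one parameter to swap when a variant's header is recovered from traffic.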

Files

Dump names encode <pid>-<sequence>-<start>-<end>. PIDs 1704 and 1852 each map a 0x4E29C-byte image at 0x400000, i.e. the sample and its dropped copy. PID 2652, the remaining process in this run, is the svchost.exe host; its 0x27000-byte region at 0x20000000 is outside the host image and matches in base and size the region seen in the crashed hosts of the Windows 10 run, where the sandbox also flags "Loads dropped DLL". The flat list does not name PIDs for processes; this mapping follows from the dump contents.

memory/1704-1-0x0000000000400000-0x000000000044E29C-memory.dmp

memory/1704-2-0x0000000000030000-0x0000000000031000-memory.dmp

\Users\Admin\AppData\Local\fijyfherix

MD5 0ff125bcb20a2fce7fdc3ec6497f6570
SHA1 e43820f9619d6b3d77ead07f451c4edb3fe740e0
SHA256 af84e5a1ec8c66a3165dbc4cfafdab995c90132c6bbf0446036827e9d83f4e29
SHA512 446e329f8f3fe5678b78337688b598c15fb2668f9ed1e58174c7132f1acb6060164033ba3bf4d1ff95818494b6e7a7c15128781f97ad64c9bb5ef091bfc83c46

memory/1704-11-0x0000000000400000-0x000000000044E29C-memory.dmp

memory/1852-13-0x0000000000400000-0x000000000044E29C-memory.dmp

memory/1852-15-0x0000000000030000-0x0000000000031000-memory.dmp

\??\c:\programdata\application data\storm\update\%sessionname%\uruuv.cc3

MD5 14862753cdd1e28b1238e8ae68a07f2e
SHA1 339359f4b7cc168195ad942b832d90846a24d720
SHA256 4116c2ac2e459c8adc5111c973314ede172c17dd3c6e86e41ae1766b625a97d0
SHA512 e5a7310a59ddc343910314139aa45419d5bcaf13477c14337f1719bf9f9db340bed9f8aa2fe0abc657aa5bcda12a2247b273644c2fbc7660ecdcba552e9a9b3a

Path note: C:\ProgramData\Application Data is a compatibility junction to C:\ProgramData, so the real location is C:\ProgramData\storm\update\%sessionname%\. The %sessionname% component is literal in the recorded path, i.e. the variable was not expanded when the path was built, which is what to search for on a host.

memory/1852-20-0x0000000000400000-0x000000000044E29C-memory.dmp

memory/2652-22-0x00000000001A0000-0x00000000001A1000-memory.dmp

memory/1704-24-0x0000000000400000-0x000000000044E29C-memory.dmp

memory/2652-25-0x0000000020000000-0x0000000020027000-memory.dmp

memory/2652-27-0x0000000020000000-0x0000000020027000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-24 19:10

Reported

2024-06-24 19:12

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0a54aa06961b372d7b08ea3d441e0d64_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

5 hits; no indicator details recorded for this signature.

Gh0strat

rat gh0strat

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | \??\c:\users\admin\appdata\local\ncodkxuigu | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\users\admin\appdata\local\ncodkxuigu | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Three hits, one per svchost.exe -s fastuserswitchingcompatibility instance in the process list. The only dropped file other than the executable copy and the svchost.exe.txt text file is vymwi.cc3 under c:\programdata\application data\storm\update\%sessionname%\, so that is the likely module.

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | C:\Windows\SysWOW64\svchost.exe | N/A
File created | C:\Windows\SysWOW64\wqwuyiwahr | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | C:\Windows\SysWOW64\svchost.exe | N/A
File created | C:\Windows\SysWOW64\wycsfuhqiy | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | C:\Windows\SysWOW64\svchost.exe | N/A
File created | C:\Windows\SysWOW64\wysxeeojvk | C:\Windows\SysWOW64\svchost.exe | N/A

Each service-host instance rewrites svchost.exe.txt (two different hashes for it appear under Files) and creates one extensionless ten-letter file directly in SysWOW64 (wqwuyiwahr, wycsfuhqiy, wysxeeojvk); the Windows 7 run produced wbwsmavytt the same way. Generated-name files created directly in System32 or SysWOW64 by a service host are a straightforward hunting query.

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | \??\c:\users\admin\appdata\local\ncodkxuigu | N/A
N/A | N/A | \??\c:\users\admin\appdata\local\ncodkxuigu | N/A

Suspicious use of AdjustPrivilegeToken

Process | Privilege enabled | Count
\??\c:\users\admin\appdata\local\ncodkxuigu | SeRestorePrivilege | 2
\??\c:\users\admin\appdata\local\ncodkxuigu | SeBackupPrivilege | 2
C:\Windows\SysWOW64\svchost.exe | SeBackupPrivilege | 24
C:\Windows\SysWOW64\svchost.exe | SeRestorePrivilege | 6
C:\Windows\SysWOW64\svchost.exe | SeSecurityPrivilege | 12

The svchost.exe counts are exactly three repetitions of the 14-event sequence (8 SeBackupPrivilege, 2 SeRestorePrivilege, 4 SeSecurityPrivilege) seen once in the Windows 7 run, one per service-host instance started here. The privilege set is the same: SeBackupPrivilege and SeRestorePrivilege together bypass file and registry ACLs, and SeSecurityPrivilege gives access to the security event log and to SACLs.

Processes

Image | Command line
C:\Users\Admin\AppData\Local\Temp\0a54aa06961b372d7b08ea3d441e0d64_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\0a54aa06961b372d7b08ea3d441e0d64_JaffaCakes118.exe"
\??\c:\users\admin\appdata\local\ncodkxuigu | "C:\Users\Admin\AppData\Local\Temp\0a54aa06961b372d7b08ea3d441e0d64_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\0a54aa06961b372d7b08ea3d441e0d64_jaffacakes118.exe
C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5068 -ip 5068
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 1084
C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 908 -ip 908
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 1064
C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4384 -ip 4384
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 1108
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3732 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8

As in the Windows 7 run, the dropped copy (ncodkxuigu) is launched with the original's path as argv[0] and a -s<original path>, after which the original is deleted.

On Windows 10 the host is started with -s fastuserswitchingcompatibility, i.e. a single named service in the netsvcs group. No service of that name exists on a stock Windows 10 installation (FastUserSwitchingCompatibility was a Windows XP service), so the sample chain registered it; the registry writes for that registration are not among the recorded indicators and are worth pulling from the full trace.

All three service-host instances (PIDs 5068, 908 and 4384, taken from the WerFault.exe -p arguments) crashed; the two WerFault.exe launches per PID are the normal error-reporting sequence. This is the "Program crash" signature from the summary and explains why no command-and-control traffic appears in this run.

The msedge.exe utility process is consistent with Windows 10 background activity rather than with the sample; the flat list does not record parentage.

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | conf.f.360.cn | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 13.107.253.67:443 | | tcp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 152.141.79.40.in-addr.arpa | udp

The in-addr.arpa entries are reverse lookups of Microsoft and CDN address space, and 13.107.253.67:443 is Microsoft address space: Windows 10 and Edge background traffic, not sample activity. The only sample-related name is conf.f.360.cn, also queried on Windows 7. bibo9.8800.org is never resolved here, consistent with the service hosts crashing before the payload reached its beacon.

Files

Dump names encode <pid>-<sequence>-<start>-<end>. PIDs 3620 and 2060 each map the 0x4E29C-byte image at 0x400000, i.e. the sample and its dropped copy. PIDs 5068, 908 and 4384 are the three svchost.exe service hosts, the same PIDs WerFault.exe was invoked for, and each shows a 0x27000-byte region at 0x20000000 before it crashes; the region matches the one in the Windows 7 host and is the best candidate for the loaded dropped module (vymwi.cc3). svchost.exe.txt is listed twice with different hashes because successive host instances rewrote it.

memory/3620-0-0x0000000000400000-0x000000000044E29C-memory.dmp

memory/3620-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

C:\Users\Admin\AppData\Local\ncodkxuigu

MD5 5a574d246c585e48f4689c513d8fee56
SHA1 ce380ea5a0e2d91a01241c6ffa0c51db8691e6f1
SHA256 90785eb4dbfa2868aa3eaa96bedc0900bfb3049ee665c83b66c267bc28ee9c0a
SHA512 87d9fef05714aac3dbfa17e64677160a390d85ae0346cee420e55839572556590cdde0753ecd285d250ec78442a6ecf08a4f7807d1164950158dedd51998f8f0

memory/2060-7-0x0000000000400000-0x000000000044E29C-memory.dmp

memory/3620-10-0x0000000000400000-0x000000000044E29C-memory.dmp

memory/2060-14-0x0000000000400000-0x000000000044E29C-memory.dmp

\??\c:\programdata\application data\storm\update\%sessionname%\vymwi.cc3

MD5 819eff2cb0c3d6aab89eae1532939bc6
SHA1 a066f6e598386ee2a87a03b21c7ef46faa284b0e
SHA256 a2b5f6395998c5723b5cedd9cc02f0863198f2c3dc753d6056aeea97a51b4527
SHA512 d320503c2c3e0c0b3cbeb5144579bc298c78c74b5fc3b1b6d9e273cc5b1ee40a6017380e280c20f205c62c10a9c11efc865661bfcdff02ca9836c20be703e44e

Path note: C:\ProgramData\Application Data is a compatibility junction to C:\ProgramData, and %sessionname% is literal in the recorded path (the variable was not expanded). The file name differs from the Windows 7 run (uruuv.cc3) and so does the hash, so hunt on the directory, not the file name.

memory/5068-18-0x00000000017E0000-0x00000000017E1000-memory.dmp

memory/5068-20-0x0000000020000000-0x0000000020027000-memory.dmp

memory/908-22-0x00000000011C0000-0x00000000011C1000-memory.dmp

C:\Windows\SysWOW64\svchost.exe.txt

MD5 110977b10ff698183a821c3a23a4ce6e
SHA1 dad6d6ffccb67205157164f478c07edd7981bf25
SHA256 a0483f5aab467488e5f948c275c08ef54335a5f3df30b1d9895d2901e2a3bb14
SHA512 92ac52ee5c0212b5814833919eb447946bbd935d5aa834e666ae57490ca8e6bea191d10238d2db1fba6deefe1f24d6cc18443ea290a30f72ca786876dde9541a

memory/908-25-0x0000000020000000-0x0000000020027000-memory.dmp

memory/4384-27-0x00000000011F0000-0x00000000011F1000-memory.dmp

C:\Windows\SysWOW64\svchost.exe.txt

MD5 b184afa1e84bf5872a392474d782bd4a
SHA1 9828cf97410e31884ceeb018a15599654b50cee3
SHA256 913577107f54d0f57851d06cc2dc288eeba04153987ce942b28ac4cd1ac9662a
SHA512 030fcaa185107f14166e41c3d7650b8830055802123385f7424c7a339cf69c47cc6835aa1a8c18e99720c7e1e793b9fad4f1dfb32b1b6273f795079debf87c6e

memory/4384-30-0x0000000020000000-0x0000000020027000-memory.dmp