Malware Analysis Report

2025-03-15 06:33

Sample ID 240624-ypb97azgmb
Target 0a8df3f09733e758a21b2f081f4e56fc_JaffaCakes118
SHA256 a8e61c2a9ec74f9de2c7342d6aca09bd6d3037ad6f47dd02726e50eef553260c
Tags: upx gh0strat rat
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: a8e61c2a9ec74f9de2c7342d6aca09bd6d3037ad6f47dd02726e50eef553260c

Threat Level: Known bad

The file 0a8df3f09733e758a21b2f081f4e56fc_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

upx gh0strat rat

Gh0st RAT payload

Gh0strat

Gh0strat family

Deletes itself

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Program Files directory

Program crash

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-24 19:57

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Gh0strat family

gh0strat

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-24 19:57
Reported: 2024-06-24 19:59
Platform: win7-20240221-en
Max time kernel: 121s
Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0a8df3f09733e758a21b2f081f4e56fc_JaffaCakes118.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0a8df3f09733e758a21b2f081f4e56fc_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0a8df3f09733e758a21b2f081f4e56fc_JaffaCakes118.exe"

Network

N/A

Files

memory/2368-1-0x0000000000400000-0x0000000000436000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-24 19:57
Reported: 2024-06-24 19:59
Platform: win10v2004-20240611-en
Max time kernel: 149s
Max time network: 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0a8df3f09733e758a21b2f081f4e56fc_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Deletes itself

Description Indicator Process Target
N/A N/A \??\c:\users\admin\appdata\local\pqosvqphcu N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\users\admin\appdata\local\pqosvqphcu N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\erqlrwmite C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\svchost.exe.txt C:\Windows\SysWOW64\svchost.exe N/A
File created C:\Windows\SysWOW64\eaffaaoghy C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\svchost.exe.txt C:\Windows\SysWOW64\svchost.exe N/A
File created C:\Windows\SysWOW64\eaffaaoghy C:\Windows\SysWOW64\svchost.exe N/A
File created C:\Windows\SysWOW64\ejcsjtjlhj C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\svchost.exe.txt C:\Windows\SysWOW64\svchost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Tencent\%SESSIONNAME%\pfkdf.xm \??\c:\users\admin\appdata\local\pqosvqphcu N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\users\admin\appdata\local\pqosvqphcu N/A
N/A N/A \??\c:\users\admin\appdata\local\pqosvqphcu N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A \??\c:\users\admin\appdata\local\pqosvqphcu N/A
Token: SeBackupPrivilege N/A \??\c:\users\admin\appdata\local\pqosvqphcu N/A
Token: SeBackupPrivilege N/A \??\c:\users\admin\appdata\local\pqosvqphcu N/A
Token: SeRestorePrivilege N/A \??\c:\users\admin\appdata\local\pqosvqphcu N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0a8df3f09733e758a21b2f081f4e56fc_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0a8df3f09733e758a21b2f081f4e56fc_JaffaCakes118.exe"

\??\c:\users\admin\appdata\local\pqosvqphcu

"C:\Users\Admin\AppData\Local\Temp\0a8df3f09733e758a21b2f081f4e56fc_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\0a8df3f09733e758a21b2f081f4e56fc_jaffacakes118.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4436 -ip 4436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 1088

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4960 -ip 4960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 880

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4680 -ip 4680

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 820

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 conf.f.360.cn udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 113.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 106.246.116.51.in-addr.arpa udp

Files

memory/1640-0-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\pqosvqphcu

MD5 6ca60b7955e288fdb3e5715de0725dee
SHA1 5ecf07516bc9eb845e381d79c4b41574d394147e
SHA256 6bdb61eae76ffd0086abf3ca9f702adfa774ab56914210feaf7ed17fe330fef6
SHA512 8e009a63aa664e93400feda3be58d39b6d036ac2a43cb7c350a11b22f6273a30c02f95ec164fba0a5b99b7c861ba72d14f75081296c054374090d6f3d61d6d55

memory/1640-7-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3740-8-0x0000000000400000-0x0000000000436000-memory.dmp

\??\c:\program files (x86)\tencent\%sessionname%\pfkdf.xm

MD5 ba4515873674fa81363e6bdcc34f7415
SHA1 71b8b28bfd66964fd9bb77977312352b5574ae79
SHA256 904c90a40abfdd45dde701e04c166239e2e99f042edda8e45158de8088471e2c
SHA512 a68fb1ac3b096e72b0479502635df17ac3f5180c06a553e5bf15ae8c2222ab775bf14bf066735b7c1d7f6c811bece070432295fede8fb93301f961e27b37247f

memory/3740-13-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4436-14-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

memory/4436-16-0x0000000020000000-0x0000000020027000-memory.dmp

C:\Windows\SysWOW64\svchost.exe.txt

MD5 d41463aaaf713e8800648adf7340cd50
SHA1 9d50734007e018bd90a606729913302c83de7f41
SHA256 c6ace6432658275a11973ad7d76099fde7152a2bb307dcc97747d349a5868d0b
SHA512 c37a5dbdf800d469e895cb512d4976a88eee9588f213cd3ae61f82b11ba48c885b7efadc2e0aacff3013810c614b4aa3700dfd5cfaf80d9639302bb627a952d1

memory/4960-21-0x0000000020000000-0x0000000020027000-memory.dmp

memory/4680-23-0x0000000001390000-0x0000000001391000-memory.dmp

C:\Windows\SysWOW64\svchost.exe.txt

MD5 70c2ba1b248ef1d976b516a2d538b058
SHA1 854767fd4beaf1fa03d52d8b1113b6017f908162
SHA256 440d2449e05b281d3a22ec632f7fbb2a264b13a0257c8020eea1f96767214012
SHA512 bb84aaa66eb3bd777556cac075ed35094edeab478b4e5babc0c09b75aa5c68d250b13a5be3bf0c8fea52a0064bd80ea417dbe0af4ea0e757f708aeefb08fabc4

memory/4680-26-0x0000000020000000-0x0000000020027000-memory.dmp