Analysis Overview
SHA256
414f9780c0eac8892ddc5951822905db88d59e6ab101cfaeeee537c505023eed
Threat Level: Known bad
The file 0a9415694a24f7ff671eb1fccc911e2b_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Gh0st RAT payload
Gh0strat
Gh0strat family
Loads dropped DLL
Drops file in Program Files directory
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-24 20:02
Signatures
Gh0st RAT payload
(signature matched; no indicator details recorded)
Gh0strat family
Unsigned PE
(signature matched; no indicator details recorded)
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-24 20:02
Reported
2024-06-24 20:04
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
51s
Command Line
Signatures
Gh0st RAT payload
(signature matched 3 times; no indicator details recorded)
Gh0strat
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\wi240599062nd.temp | C:\Users\Admin\AppData\Local\Temp\0a9415694a24f7ff671eb1fccc911e2b_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4344 wrote to memory of 836 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\0a9415694a24f7ff671eb1fccc911e2b_JaffaCakes118.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\0a9415694a24f7ff671eb1fccc911e2b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0a9415694a24f7ff671eb1fccc911e2b_JaffaCakes118.exe"
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe Rundlla.dll, CodeMain lpServiceName
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| N/A | 127.0.0.1:8786 | N/A | tcp |
| N/A | 127.0.0.1:8786 | N/A | tcp |
| N/A | 127.0.0.1:8786 | N/A | tcp |
Note: the only TCP connections recorded go to loopback (127.0.0.1:8786); no external TCP endpoint was contacted during this detonation.
Files
memory/4344-0-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Windows\SysWOW64\Rundlla.dll
| MD5 | e3ca679c81b48fc1b3ec0fc6d06c1dc8 |
| SHA1 | 57d5b6ba461cc763212c2f979f20f5dc17c19a77 |
| SHA256 | 5889004ff0ae3f671a25ab79e9bf76fa13a025467adaeed15a702b00d08cee76 |
| SHA512 | 85f30584253ce9b62217c764ee4687a9f2530574dc88fa4a8191a68115ecf6d3c6faca8118a6c20e3553b6a55dbd6a35696d533d59f4e29ae0d5bf8e66b5eae9 |
memory/4344-6-0x0000000000400000-0x000000000042A000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-24 20:02
Reported
2024-06-24 20:04
Platform
win7-20240611-en
Max time kernel
150s
Max time network
120s
Command Line
Signatures
Gh0st RAT payload
(signature matched 3 times; no indicator details recorded)
Gh0strat
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A (4 events) | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\wi259401052nd.temp | C:\Users\Admin\AppData\Local\Temp\0a9415694a24f7ff671eb1fccc911e2b_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0a9415694a24f7ff671eb1fccc911e2b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0a9415694a24f7ff671eb1fccc911e2b_JaffaCakes118.exe"
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe Rundlla.dll, CodeMain lpServiceName
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:8786 | N/A | tcp |
| N/A | 127.0.0.1:8786 | N/A | tcp |
| N/A | 127.0.0.1:8786 | N/A | tcp |
Note: as in the Windows 10 run, all TCP connections go to loopback (127.0.0.1:8786); no external endpoint was contacted.
Files
memory/2836-2-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Windows\SysWOW64\Rundlla.dll
| MD5 | e3ca679c81b48fc1b3ec0fc6d06c1dc8 |
| SHA1 | 57d5b6ba461cc763212c2f979f20f5dc17c19a77 |
| SHA256 | 5889004ff0ae3f671a25ab79e9bf76fa13a025467adaeed15a702b00d08cee76 |
| SHA512 | 85f30584253ce9b62217c764ee4687a9f2530574dc88fa4a8191a68115ecf6d3c6faca8118a6c20e3553b6a55dbd6a35696d533d59f4e29ae0d5bf8e66b5eae9 |
memory/2836-9-0x0000000000400000-0x000000000042A000-memory.dmp
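The two detonations above agree on three host-observable indicators: rundll32.exe invoking the CodeMain export of the dropped Rundlla.dll, a wi<digits>nd.temp file created under Program Files (x86), and the fixed hashes of the sample and of Rundlla.dll. The following Python hunt is an added example, not part of the sandbox report, that turns those indicators into checks over endpoint telemetry. The Event schema and the sample telemetry are constructed for illustration; the assumption that the digit run in the temp file name varies (the two runs show 240599062 and 259401052) is the one generalisation beyond what the report shows.

```python
"""Hunt for the Gh0st RAT indicators recorded in the sandbox report.

Added example; the Event schema and SAMPLE_EVENTS are constructed,
the indicator values are copied from the report above.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hashes copied from the report: the submitted sample and the dropped DLL.
SAMPLE_SHA256 = "414f9780c0eac8892ddc5951822905db88d59e6ab101cfaeeee537c505023eed"
RUNDLLA_HASHES = {
    "md5": "e3ca679c81b48fc1b3ec0fc6d06c1dc8",
    "sha1": "57d5b6ba461cc763212c2f979f20f5dc17c19a77",
    "sha256": "5889004ff0ae3f671a25ab79e9bf76fa13a025467adaeed15a702b00d08cee76",
}
KNOWN_HASHES = {SAMPLE_SHA256, *RUNDLLA_HASHES.values()}

# rundll32 calling the CodeMain export of Rundlla.dll, with or without a
# directory prefix on the DLL (both runs show "rundll32.exe Rundlla.dll, CodeMain ...").
RUNDLL_RE = re.compile(
    r"rundll32(?:\.exe)?\s+(?:.*[\\/])?Rundlla\.dll\s*,\s*CodeMain\b", re.I
)

# Temp file dropped into Program Files (x86). ASSUMPTION: the digit run varies
# per execution, so \d+ is used instead of the two literal values seen.
DROP_RE = re.compile(
    r"^[A-Za-z]:\\Program Files(?: \(x86\))?\\wi\d+nd\.temp$", re.I
)


@dataclass
class Event:
    """Constructed telemetry record: a process command line, a created file
    path, or a hex digest computed for a file."""
    kind: str                 # "process", "file_create" or "file_hash"
    value: str
    pid: Optional[int] = None


def hunt(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule_name, matched_value) for every event matching an indicator."""
    findings = []
    for ev in events:
        if ev.kind == "process" and RUNDLL_RE.search(ev.value):
            findings.append(("gh0st_rundll32_codemain", ev.value))
        elif ev.kind == "file_create" and DROP_RE.match(ev.value):
            findings.append(("gh0st_programfiles_temp_drop", ev.value))
        elif ev.kind == "file_hash" and ev.value.lower() in KNOWN_HASHES:
            findings.append(("gh0st_known_hash", ev.value.lower()))
    return findings


# Constructed telemetry mirroring the behavioral2 run, plus two benign decoys.
SAMPLE_EVENTS = [
    Event("process", r'"C:\Users\Admin\AppData\Local\Temp\0a9415694a24f7ff671eb1fccc911e2b_JaffaCakes118.exe"', 4344),
    Event("process", "rundll32.exe Rundlla.dll, CodeMain lpServiceName", 836),
    Event("file_create", r"C:\Program Files (x86)\wi240599062nd.temp", 4344),
    Event("file_hash", "5889004ff0ae3f671a25ab79e9bf76fa13a025467adaeed15a702b00d08cee76"),
    Event("process", "rundll32.exe shell32.dll,Control_RunDLL", 1200),      # benign rundll32 use
    Event("file_create", r"C:\Program Files (x86)\Common Files\readme.txt"),  # benign file
]

if __name__ == "__main__":
    for rule, value in hunt(SAMPLE_EVENTS):
        print(f"{rule}: {value}")
```

The command-line and drop-path rules are the durable part of this hunt: hashes catch only this exact build, whereas a rundll32 invocation naming CodeMain in a DLL from SysWOW64, or a wi<digits>nd.temp file appearing under Program Files (x86), would surface a recompiled sample as well.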