Analysis Overview
SHA256
e290f43ea55d8d8f500cef14ba9170a6faa2a4c72efc27167848f624a055a0bb
Threat Level: Known bad
The file c073faa7326b20c97d4a144d6f149cf8_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Gh0strat
Gh0st RAT payload
Executes dropped EXE
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-25 09:36
Signatures
Unsigned PE
(no indicator details recorded for this signature)
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-25 09:36
Reported
2024-08-25 09:38
Platform
win7-20240708-en
Max time kernel
150s
Max time network
128s
Command Line
Signatures
Gh0st RAT payload
(no indicator details recorded for this signature; the sandbox reports only that the payload matched)
Gh0strat
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\Windows\svchest000.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Kris = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c073faa7326b20c97d4a144d6f149cf8_JaffaCakes118.exe" | C:\Users\Admin\AppData\Local\Temp\c073faa7326b20c97d4a144d6f149cf8_JaffaCakes118.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\Windows\BJ.exe | C:\Users\Admin\AppData\Local\Temp\c073faa7326b20c97d4a144d6f149cf8_JaffaCakes118.exe | N/A |
| File created | \??\c:\Windows\BJ.exe | C:\Users\Admin\AppData\Local\Temp\c073faa7326b20c97d4a144d6f149cf8_JaffaCakes118.exe | N/A |
| File created | \??\c:\Windows\svchest000.exe | C:\Users\Admin\AppData\Local\Temp\c073faa7326b20c97d4a144d6f149cf8_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Windows\svchest000.exe | C:\Users\Admin\AppData\Local\Temp\c073faa7326b20c97d4a144d6f149cf8_JaffaCakes118.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c073faa7326b20c97d4a144d6f149cf8_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\Windows\svchest000.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2104 wrote to memory of 2560 | N/A | C:\Users\Admin\AppData\Local\Temp\c073faa7326b20c97d4a144d6f149cf8_JaffaCakes118.exe | \??\c:\Windows\svchest000.exe |
| PID 2104 wrote to memory of 2560 | N/A | C:\Users\Admin\AppData\Local\Temp\c073faa7326b20c97d4a144d6f149cf8_JaffaCakes118.exe | \??\c:\Windows\svchest000.exe |
| PID 2104 wrote to memory of 2560 | N/A | C:\Users\Admin\AppData\Local\Temp\c073faa7326b20c97d4a144d6f149cf8_JaffaCakes118.exe | \??\c:\Windows\svchest000.exe |
| PID 2104 wrote to memory of 2560 | N/A | C:\Users\Admin\AppData\Local\Temp\c073faa7326b20c97d4a144d6f149cf8_JaffaCakes118.exe | \??\c:\Windows\svchest000.exe |
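The four signature tables above describe a single chain driven by PID 2104: it writes a copy of itself into C:\Windows (the dropped file's hashes further down are identical to the sample's), starts that copy as PID 2560, writes into the new process's memory four times, and registers itself under the Run key. The key lands under Wow6432Node because the sample is a 32-bit image running on 64-bit Windows, so the registry redirector rewrites its HKLM\SOFTWARE writes; a detection that only matches the unredirected Run path misses it. As an added example that is not part of the sandbox output, the Python below correlates that chain from Sysmon-style events. Sysmon has no WriteProcessMemory event; the nearest telemetry is Event ID 10 (ProcessAccess) with a write-capable access mask, so that stands in for the report's "wrote to memory" rows. The event records are constructed by hand to mirror this report's PIDs and paths; the field names follow Sysmon, but nothing here is a real log.

```python
"""Correlate the dropper chain from Sysmon-style events.

Added example, not sandbox output. EVENTS is constructed by hand to mirror
the behavioral1 indicators in this report; field names follow Sysmon
(EventID 1, 10, 11, 13) but these records are not a real log."""
import ntpath
import re
from collections import defaultdict

# Access-mask bits from winnt.h; either one lets a handle write a target's memory.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
# Matches ...\CurrentVersion\Run\<name> and the Wow6432Node-redirected copy alike.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\[^\\]+$", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
WINDOWS_ROOT = r"c:\windows"
CHAIN = {"drops_file_in_windows_dir", "executes_dropped_exe",
         "run_key_persistence", "writes_into_spawned_process"}

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\c073faa7326b20c97d4a144d6f149cf8_JaffaCakes118.exe"
DROPPED = r"C:\Windows\svchest000.exe"

# Constructed events (not a real log). PIDs and paths are the ones in the report.
EVENTS = [
    {"EventID": 11, "ProcessId": 2104, "Image": SAMPLE, "TargetFilename": r"C:\Windows\BJ.exe"},
    {"EventID": 11, "ProcessId": 2104, "Image": SAMPLE, "TargetFilename": DROPPED},
    {"EventID": 1, "ProcessId": 2560, "Image": DROPPED,
     "ParentProcessId": 2104, "ParentImage": SAMPLE},
    # Sysmon has no WriteProcessMemory event; ProcessAccess with a write-capable
    # mask is the nearest stand-in for the report's "wrote to memory" rows.
    {"EventID": 10, "SourceProcessId": 2104, "TargetProcessId": 2560, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 13, "ProcessId": 2104, "Image": SAMPLE,
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Kris",
     "Details": SAMPLE},
    # Benign noise: a system service writing under C:\Windows\Temp must not fire.
    {"EventID": 11, "ProcessId": 900, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Temp\x.tmp"},
]


def analyze(events):
    """Return {pid: sorted behaviour tags} for every process showing any of the four."""
    dropped_by = {}             # lower-case path -> pid that created it
    spawned = defaultdict(set)  # parent pid -> child pids
    # Pass 1: relationships, so the verdict does not depend on event order.
    for ev in events:
        if ev["EventID"] == 11:
            dropped_by[ev["TargetFilename"].lower()] = ev["ProcessId"]
        elif ev["EventID"] == 1:
            spawned[ev["ParentProcessId"]].add(ev["ProcessId"])
    findings = defaultdict(set)
    # Pass 2: tag behaviours.
    for ev in events:
        eid = ev["EventID"]
        if eid == 11:
            target = ev["TargetFilename"]
            # Writing directly into the Windows root from an AppData-hosted image.
            if ntpath.dirname(target).lower() == WINDOWS_ROOT and USER_WRITABLE_RE.match(ev["Image"]):
                findings[ev["ProcessId"]].add("drops_file_in_windows_dir")
        elif eid == 1:
            # The new process's image is a file its own parent created earlier.
            if dropped_by.get(ev["Image"].lower()) == ev["ParentProcessId"]:
                findings[ev["ParentProcessId"]].add("executes_dropped_exe")
        elif eid == 10:
            src, dst = ev["SourceProcessId"], ev["TargetProcessId"]
            mask = int(ev["GrantedAccess"], 16)
            if dst in spawned[src] and mask & (PROCESS_VM_OPERATION | PROCESS_VM_WRITE):
                findings[src].add("writes_into_spawned_process")
        elif eid == 13 and RUN_KEY_RE.search(ev["TargetObject"]):
            findings[ev["ProcessId"]].add("run_key_persistence")
    return {pid: sorted(tags) for pid, tags in findings.items()}


def is_dropper_chain(tags):
    """True when one process shows the whole self-copy, execute, inject, persist chain."""
    return CHAIN <= set(tags)


if __name__ == "__main__":
    for pid, tags in analyze(EVENTS).items():
        print(pid, tags, "CHAIN" if is_dropper_chain(tags) else "")
```

The two-pass structure matters in practice: Sysmon events from one host rarely arrive in causal order, and a single-pass rule that needs the Event ID 1 before the Event ID 10 will silently miss the injection half of the chain. Each tag is also useful on its own; the combined chain is what justifies the sandbox's "Known bad" verdict rather than any single signature.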
Processes
C:\Users\Admin\AppData\Local\Temp\c073faa7326b20c97d4a144d6f149cf8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c073faa7326b20c97d4a144d6f149cf8_JaffaCakes118.exe"
\??\c:\Windows\svchest000.exe
c:\Windows\svchest000.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | aa0533.3322.org | udp |
Files
memory/2104-0-0x0000000000400000-0x000000000054B000-memory.dmp
memory/2104-1-0x00000000002C0000-0x00000000002FE000-memory.dmp
memory/2104-2-0x00000000002C0000-0x00000000002FE000-memory.dmp
memory/2104-6-0x0000000000310000-0x0000000000311000-memory.dmp
memory/2104-5-0x0000000000300000-0x0000000000302000-memory.dmp
memory/2104-4-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2104-3-0x0000000000400000-0x000000000054B000-memory.dmp
memory/2104-16-0x0000000002D70000-0x0000000002EBB000-memory.dmp
memory/2104-11-0x0000000000400000-0x000000000054B000-memory.dmp
memory/2104-10-0x0000000000401000-0x0000000000468000-memory.dmp
memory/2104-9-0x0000000000400000-0x000000000054B000-memory.dmp
memory/2104-8-0x0000000000400000-0x000000000054B000-memory.dmp
memory/2104-7-0x0000000000400000-0x000000000054B000-memory.dmp
C:\Windows\svchest000.exe
| MD5 | c073faa7326b20c97d4a144d6f149cf8 |
| SHA1 | eff9d0e9e96d7945d9f823ee66f6e552a38c153c |
| SHA256 | e290f43ea55d8d8f500cef14ba9170a6faa2a4c72efc27167848f624a055a0bb |
| SHA512 | f52530895cbf074fb4bc579d31b6c643e3f51f6bd9771d69c73b2805284e467200025a1fa1a0b72004ecb9e0dacbc26fb2879f3f4261ba8c7853c36b9a8fe6db |
memory/2560-19-0x0000000000400000-0x000000000054B000-memory.dmp
memory/2560-20-0x0000000000400000-0x000000000054B000-memory.dmp
memory/2560-21-0x0000000000260000-0x000000000029E000-memory.dmp
memory/2560-24-0x0000000000400000-0x000000000054B000-memory.dmp
memory/2104-30-0x0000000000400000-0x000000000054B000-memory.dmp
memory/2560-29-0x0000000000400000-0x000000000054B000-memory.dmp
memory/2560-28-0x0000000000260000-0x000000000029E000-memory.dmp
memory/2560-27-0x0000000000400000-0x000000000054B000-memory.dmp
memory/2560-25-0x0000000000400000-0x000000000054B000-memory.dmp
memory/2560-26-0x0000000000400000-0x000000000054B000-memory.dmp
memory/2560-23-0x0000000000400000-0x000000000054B000-memory.dmp
memory/2560-22-0x0000000000400000-0x000000000054B000-memory.dmp
memory/2104-33-0x00000000002C0000-0x00000000002FE000-memory.dmp
memory/2104-34-0x0000000002D70000-0x0000000002EBB000-memory.dmp
memory/2104-35-0x0000000000400000-0x000000000054B000-memory.dmp
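The Files list is written in the sandbox's own shorthand: memory/<pid>-<sequence>-<start>-<end>-memory.dmp for memory regions, NT object paths (\??\c:\...) for dropped files, and registry values as \REGISTRY\MACHINE\... = "..." with backslashes doubled inside the quotes. As an added example that is not part of the report, the Python below parses those forms and runs the two cross-checks worth making on this page: the dropped svchest000.exe carries the same MD5, SHA1 and SHA256 as the submitted sample (it is a self-copy, not a second-stage payload), and PID 2560 was dumped at the same 0x400000-0x54B000 range as its parent, while the parent also holds a 0x2D70000-0x2EBB000 region of exactly that size (0x14B000). That second point is an analyst's observation about the numbers on this page, consistent with the parent keeping a second copy of its image in memory when it wrote into the child, not something the sandbox asserts. The sample strings are copied from the behavioral1 section above.

```python
"""Parse this report's indicator formats and cross-check them.

Added example, not sandbox output. RUN_VALUE, DUMPS and the hash tables are
copied from the behavioral1 section; the region-size comparison is an
analyst's observation, not a sandbox signature."""
import re

HIVES = {r"\REGISTRY\MACHINE": "HKLM", r"\REGISTRY\USER": "HKU"}
REG_RE = re.compile(r'^(\\REGISTRY\\[A-Z]+)\\(.+)\\([^\\]+) = "(.*)"$')
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_registry_indicator(text):
    r"""Split '\REGISTRY\MACHINE\...\Run\Kris = "C:\\..."' into hive, key, value name, data.
    Wow6432Node is the WOW64 redirector: a 32-bit process on 64-bit Windows that writes
    HKLM\SOFTWARE lands there, so the key is normalised and the fact recorded separately."""
    m = REG_RE.match(text)
    if not m:
        raise ValueError("not a registry indicator: %r" % text)
    hive, key, name, data = m.groups()
    parts = key.split("\\")
    wow64 = any(p.lower() == "wow6432node" for p in parts)
    return {
        "hive": HIVES.get(hive, hive),
        "key": "\\".join(p for p in parts if p.lower() != "wow6432node"),
        "name": name,
        "data": data.replace("\\\\", "\\"),  # the report doubles backslashes in values
        "wow64": wow64,
    }


def nt_to_win32(path):
    r"""'\??\c:\Windows\x.exe' -> 'C:\Windows\x.exe' (drop the NT object-manager prefix)."""
    if path.startswith("\\??\\"):
        path = path[4:]
    if len(path) > 1 and path[1] == ":":
        path = path[0].upper() + path[1:]
    return path


def parse_dump_name(name):
    """'memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp' -> dict including the region size."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError("not a memory dump name: %r" % name)
    pid, seq, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    return {"pid": int(pid), "seq": int(seq), "start": start, "end": end, "size": end - start}


def shared_regions(names):
    """(start, end) ranges that were dumped from more than one PID."""
    pids_by_region = {}
    for n in names:
        d = parse_dump_name(n)
        pids_by_region.setdefault((d["start"], d["end"]), set()).add(d["pid"])
    return {r: p for r, p in pids_by_region.items() if len(p) > 1}


def regions_of_size(names, size):
    """{pid: sorted start addresses} of every dumped region of exactly `size` bytes."""
    out = {}
    for n in names:
        d = parse_dump_name(n)
        if d["size"] == size:
            out.setdefault(d["pid"], set()).add(d["start"])
    return {pid: sorted(starts) for pid, starts in out.items()}


def is_self_copy(sample_hashes, dropped_hashes):
    """True when every hash algorithm both records share agrees."""
    common = set(sample_hashes) & set(dropped_hashes)
    return bool(common) and all(sample_hashes[a].lower() == dropped_hashes[a].lower() for a in common)


# Copied from the report's behavioral1 section.
RUN_VALUE = r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Kris = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c073faa7326b20c97d4a144d6f149cf8_JaffaCakes118.exe"'
DUMPS = [
    "memory/2104-0-0x0000000000400000-0x000000000054B000-memory.dmp",
    "memory/2104-1-0x00000000002C0000-0x00000000002FE000-memory.dmp",
    "memory/2104-16-0x0000000002D70000-0x0000000002EBB000-memory.dmp",
    "memory/2560-19-0x0000000000400000-0x000000000054B000-memory.dmp",
    "memory/2560-21-0x0000000000260000-0x000000000029E000-memory.dmp",
]
SAMPLE_HASHES = {"md5": "c073faa7326b20c97d4a144d6f149cf8",
                 "sha256": "e290f43ea55d8d8f500cef14ba9170a6faa2a4c72efc27167848f624a055a0bb"}
DROPPED_HASHES = {"md5": "c073faa7326b20c97d4a144d6f149cf8",
                  "sha1": "eff9d0e9e96d7945d9f823ee66f6e552a38c153c",
                  "sha256": "e290f43ea55d8d8f500cef14ba9170a6faa2a4c72efc27167848f624a055a0bb"}

if __name__ == "__main__":
    image = parse_dump_name(DUMPS[0])
    print(parse_registry_indicator(RUN_VALUE))
    print(nt_to_win32(r"\??\c:\Windows\svchest000.exe"))
    print("regions shared across PIDs:", shared_regions(DUMPS))
    print("image-sized regions:", regions_of_size(DUMPS, image["size"]))
    print("dropped file is the sample itself:", is_self_copy(SAMPLE_HASHES, DROPPED_HASHES))
```

The hash comparison is the check to run first on any "Executes dropped EXE" hit: when the dropped file is byte-identical to the sample there is no unpacked second stage to recover from disk, and the interesting material is in the memory dumps instead. Equal region sizes are suggestive rather than proof; the sandbox dumps regions around the moments it observes writes, so confirming what sits at 0x2D70000 means opening that dump, not trusting the arithmetic.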
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-25 09:36
Reported
2024-08-25 09:38
Platform
win10v2004-20240802-en
Max time kernel
150s
Max time network
128s
Command Line
Signatures
Gh0st RAT payload
(no indicator details recorded for this signature; the sandbox reports only that the payload matched)
Gh0strat
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\Windows\svchest425075242507520.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Kris = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c073faa7326b20c97d4a144d6f149cf8_JaffaCakes118.exe" | C:\Users\Admin\AppData\Local\Temp\c073faa7326b20c97d4a144d6f149cf8_JaffaCakes118.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | \??\c:\Windows\BJ.exe | C:\Users\Admin\AppData\Local\Temp\c073faa7326b20c97d4a144d6f149cf8_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Windows\BJ.exe | C:\Users\Admin\AppData\Local\Temp\c073faa7326b20c97d4a144d6f149cf8_JaffaCakes118.exe | N/A |
| File created | \??\c:\Windows\svchest425075242507520.exe | C:\Users\Admin\AppData\Local\Temp\c073faa7326b20c97d4a144d6f149cf8_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Windows\svchest425075242507520.exe | C:\Users\Admin\AppData\Local\Temp\c073faa7326b20c97d4a144d6f149cf8_JaffaCakes118.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c073faa7326b20c97d4a144d6f149cf8_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\Windows\svchest425075242507520.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5064 wrote to memory of 3504 | N/A | C:\Users\Admin\AppData\Local\Temp\c073faa7326b20c97d4a144d6f149cf8_JaffaCakes118.exe | \??\c:\Windows\svchest425075242507520.exe |
| PID 5064 wrote to memory of 3504 | N/A | C:\Users\Admin\AppData\Local\Temp\c073faa7326b20c97d4a144d6f149cf8_JaffaCakes118.exe | \??\c:\Windows\svchest425075242507520.exe |
| PID 5064 wrote to memory of 3504 | N/A | C:\Users\Admin\AppData\Local\Temp\c073faa7326b20c97d4a144d6f149cf8_JaffaCakes118.exe | \??\c:\Windows\svchest425075242507520.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\c073faa7326b20c97d4a144d6f149cf8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c073faa7326b20c97d4a144d6f149cf8_JaffaCakes118.exe"
\??\c:\Windows\svchest425075242507520.exe
c:\Windows\svchest425075242507520.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | aa0533.3322.org | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
memory/5064-0-0x0000000000400000-0x000000000054B000-memory.dmp
memory/5064-6-0x0000000000660000-0x0000000000661000-memory.dmp
memory/5064-7-0x0000000000400000-0x000000000054B000-memory.dmp
memory/5064-9-0x0000000000400000-0x000000000054B000-memory.dmp
memory/5064-10-0x0000000000401000-0x0000000000468000-memory.dmp
memory/5064-8-0x0000000000400000-0x000000000054B000-memory.dmp
memory/5064-11-0x0000000000400000-0x000000000054B000-memory.dmp
memory/5064-5-0x0000000000680000-0x0000000000681000-memory.dmp
memory/5064-4-0x0000000000670000-0x0000000000672000-memory.dmp
\??\c:\Windows\svchest425075242507520.exe
| MD5 | c073faa7326b20c97d4a144d6f149cf8 |
| SHA1 | eff9d0e9e96d7945d9f823ee66f6e552a38c153c |
| SHA256 | e290f43ea55d8d8f500cef14ba9170a6faa2a4c72efc27167848f624a055a0bb |
| SHA512 | f52530895cbf074fb4bc579d31b6c643e3f51f6bd9771d69c73b2805284e467200025a1fa1a0b72004ecb9e0dacbc26fb2879f3f4261ba8c7853c36b9a8fe6db |
memory/5064-2-0x0000000000400000-0x000000000054B000-memory.dmp
memory/5064-3-0x0000000000820000-0x000000000085E000-memory.dmp
memory/5064-1-0x0000000000820000-0x000000000085E000-memory.dmp
memory/3504-19-0x00000000005D0000-0x000000000060E000-memory.dmp
memory/3504-23-0x0000000000400000-0x000000000054B000-memory.dmp
memory/3504-22-0x0000000000400000-0x000000000054B000-memory.dmp
memory/3504-26-0x0000000000400000-0x000000000054B000-memory.dmp
memory/3504-25-0x00000000005D0000-0x000000000060E000-memory.dmp
memory/3504-21-0x0000000000400000-0x000000000054B000-memory.dmp
memory/3504-20-0x0000000000400000-0x000000000054B000-memory.dmp
memory/3504-24-0x0000000000400000-0x000000000054B000-memory.dmp
memory/5064-28-0x0000000000400000-0x000000000054B000-memory.dmp
memory/5064-29-0x0000000000820000-0x000000000085E000-memory.dmp
memory/5064-30-0x0000000000400000-0x000000000054B000-memory.dmp