Malware Analysis Report

2025-08-11 07:36

Sample ID 241015-26h1vawelk
Target 4a6ee7aa6ca06a659c4ff203a49aaee1_JaffaCakes118
SHA256 fb96749e82468a71f853f561482faac7201aed43021ce97f6dcdd6a6e5b4e9ee
Tags
gh0strat bootkit discovery persistence rat
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

fb96749e82468a71f853f561482faac7201aed43021ce97f6dcdd6a6e5b4e9ee

Threat Level: Known bad

The file 4a6ee7aa6ca06a659c4ff203a49aaee1_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

gh0strat bootkit discovery persistence rat

Gh0strat

Gh0st RAT payload

Loads dropped DLL

Deletes itself

Executes dropped EXE

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Program crash

System Location Discovery: System Language Discovery

Checks processor information in registry

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-15 23:11

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-15 23:11

Reported

2024-10-15 23:14

Platform

win7-20240903-en

Max time kernel

147s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4a6ee7aa6ca06a659c4ff203a49aaee1_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Deletes itself

Description Indicator Process Target
N/A N/A \??\c:\users\admin\appdata\local\hwsubgqnoj N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\users\admin\appdata\local\hwsubgqnoj N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\hjeagrcpbx C:\Windows\SysWOW64\svchost.exe N/A
File created C:\Windows\SysWOW64\hrstoufnos C:\Windows\SysWOW64\svchost.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\users\admin\appdata\local\hwsubgqnoj N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4a6ee7aa6ca06a659c4ff203a49aaee1_JaffaCakes118.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\svchost.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\users\admin\appdata\local\hwsubgqnoj N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A \??\c:\users\admin\appdata\local\hwsubgqnoj N/A
Token: SeBackupPrivilege N/A \??\c:\users\admin\appdata\local\hwsubgqnoj N/A
Token: SeBackupPrivilege N/A \??\c:\users\admin\appdata\local\hwsubgqnoj N/A
Token: SeRestorePrivilege N/A \??\c:\users\admin\appdata\local\hwsubgqnoj N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4a6ee7aa6ca06a659c4ff203a49aaee1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4a6ee7aa6ca06a659c4ff203a49aaee1_JaffaCakes118.exe"

\??\c:\users\admin\appdata\local\hwsubgqnoj

"C:\Users\Admin\AppData\Local\Temp\4a6ee7aa6ca06a659c4ff203a49aaee1_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\4a6ee7aa6ca06a659c4ff203a49aaee1_jaffacakes118.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs

Network

Country Destination Domain Proto
US 8.8.8.8:53 bibo9.8800.org udp
US 8.8.8.8:53 conf.f.360.cn udp
KR 59.24.3.174:889 bibo9.8800.org tcp
US 8.8.8.8:53 bibo9.8800.org udp
US 8.7.198.46:889 bibo9.8800.org tcp

Files

memory/2372-2-0x0000000000030000-0x0000000000031000-memory.dmp

memory/2372-1-0x0000000000400000-0x000000000044E5F0-memory.dmp

\Users\Admin\AppData\Local\hwsubgqnoj

MD5 38365b1e6f35a7b3a8b7363d99aa3c07
SHA1 c6f2e54b8c86b1114211abeeb49b61cc02840977
SHA256 e41659b1545b9cd3dddcaea82b275d80c83df08ec2138aa53ef275ce550d8319
SHA512 c76c40784701247401f5b1f62ebb46bac92ff682f41cb48afddff972154e62f8ced5770e5768422814064a212288bd084005b1ed829e7cf04f9c33e7a997d2ad

memory/2780-15-0x0000000000030000-0x0000000000031000-memory.dmp

memory/2780-14-0x0000000000400000-0x000000000044E5F0-memory.dmp

memory/2372-11-0x0000000000400000-0x000000000044E5F0-memory.dmp

\??\c:\programdata\application data\storm\update\%sessionname%\nnemo.cc3

MD5 64c57d6d0ab5fc4c8586e9719c6a34c9
SHA1 3b48cb0fa64f0b568101b4323c682a7b1f26c646
SHA256 e9df848a2997f07451059c46486e1a280e831b4656e4fe0112a8538ea51977b5
SHA512 9750fe1785ce1d4301580f1f15d7bde0eb516b7f1f74197bacb90cb9ce588ff53c3a70e477912e065d9380af65dd96856c69a12e6d5875777f69d4ba00e33d9f

memory/2780-20-0x0000000000400000-0x000000000044E5F0-memory.dmp

memory/2548-21-0x0000000000180000-0x0000000000181000-memory.dmp

memory/2372-22-0x0000000000400000-0x000000000044E5F0-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-15 23:11

Reported

2024-10-15 23:14

Platform

win10v2004-20241007-en

Max time kernel

139s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4a6ee7aa6ca06a659c4ff203a49aaee1_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Deletes itself

Description Indicator Process Target
N/A N/A \??\c:\users\admin\appdata\local\keidcgotgx N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\users\admin\appdata\local\keidcgotgx N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\hrjynemgce C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\svchost.exe.txt C:\Windows\SysWOW64\svchost.exe N/A
File created C:\Windows\SysWOW64\hiuffbjioj C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\svchost.exe.txt C:\Windows\SysWOW64\svchost.exe N/A
File created C:\Windows\SysWOW64\hrjynemgce C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\svchost.exe.txt C:\Windows\SysWOW64\svchost.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4a6ee7aa6ca06a659c4ff203a49aaee1_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\users\admin\appdata\local\keidcgotgx N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\users\admin\appdata\local\keidcgotgx N/A
N/A N/A \??\c:\users\admin\appdata\local\keidcgotgx N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A \??\c:\users\admin\appdata\local\keidcgotgx N/A
Token: SeBackupPrivilege N/A \??\c:\users\admin\appdata\local\keidcgotgx N/A
Token: SeBackupPrivilege N/A \??\c:\users\admin\appdata\local\keidcgotgx N/A
Token: SeRestorePrivilege N/A \??\c:\users\admin\appdata\local\keidcgotgx N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4a6ee7aa6ca06a659c4ff203a49aaee1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4a6ee7aa6ca06a659c4ff203a49aaee1_JaffaCakes118.exe"

\??\c:\users\admin\appdata\local\keidcgotgx

"C:\Users\Admin\AppData\Local\Temp\4a6ee7aa6ca06a659c4ff203a49aaee1_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\4a6ee7aa6ca06a659c4ff203a49aaee1_jaffacakes118.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1324 -ip 1324

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 1060

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1532 -ip 1532

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 920

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4936 -ip 4936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 872

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 conf.f.360.cn udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

memory/2236-0-0x0000000000400000-0x000000000044E5F0-memory.dmp

memory/2236-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/2236-7-0x0000000000400000-0x000000000044E5F0-memory.dmp

\??\c:\users\admin\appdata\local\keidcgotgx

MD5 af9230ed7bcc824a2386f73b7ecea80b
SHA1 41ed7aa9944e6d5257854d0b6eb10560e71a37a9
SHA256 c85100def54e4d61dd8a4a2cd6a739c8c539cf16a7c2a6e9d4c5158d98af2aa4
SHA512 463c86b4e8e990a3b4a94a948570a336767d1270d68a786c58c6ff020b1061bdcde3843264b1957c5a0a3043fefeb65677db3348aa7f32fa2074333e1b739d72

memory/1236-11-0x0000000000400000-0x000000000044E5F0-memory.dmp

memory/1236-10-0x00000000001D0000-0x00000000001D1000-memory.dmp

\??\c:\programdata\application data\storm\update\%sessionname%\vjfig.cc3

MD5 129cca7c2b978b6b3038b13f20055f85
SHA1 90839572dcd475fea5ae074b6c96c47695e856e8
SHA256 ac81f6bf834f3acd493350d94c251b5845ffd162794a58df07683a2c9264a092
SHA512 9eefc92053f3298f827e1d964601e753df28c9f955847603dbc484730f77e2f3a90baeb7761af682d043e8af1e6ea9952ed069294c42c5ce682239eab88bbba6

memory/1236-16-0x0000000000400000-0x000000000044E5F0-memory.dmp

memory/1324-17-0x00000000017F0000-0x00000000017F1000-memory.dmp

memory/1324-19-0x0000000020000000-0x0000000020027000-memory.dmp

memory/1532-21-0x0000000001BE0000-0x0000000001BE1000-memory.dmp

C:\Windows\SysWOW64\svchost.exe.txt

MD5 001716964717315f80ccef7d40dc711e
SHA1 ca321b2af04b2c682ef097d0593e45e28c8ecf25
SHA256 97184e87435d9de480111c3127671f4e267cadaef96d033ea1cd6c7276b0fa09
SHA512 fb0e0a59a68fee371b1476c8ac206523451c54d4d72a1175a6e7dc5f5963fcee1429a9091feea1e63c3dd3fb07bb2aa9666ba9cbda20da2fb4f31f7a8e5c5a08

memory/1532-24-0x0000000020000000-0x0000000020027000-memory.dmp

C:\Windows\SysWOW64\svchost.exe.txt

MD5 d2b54ce0bd5ee98c4926aafee7d1be76
SHA1 dfbfe1990c5bfa97a2c141a35a083c97477ca6e1
SHA256 20332f0815ef2a968154076b3ec5357ba10bc814a256d0a35c6008e70c0bf424
SHA512 ba05839b2c10e99d2e17de7c307bb28229857323bdcbe7daf277b1c0d50762db3d25d759a14106fabf61f3678e8acb483e1c5e53f3e3aae4cbd8632489047782

memory/4936-29-0x0000000020000000-0x0000000020027000-memory.dmp