Malware Analysis Report

2025-08-11 07:49

Sample ID 241029-1z69eszkex
Target 7ce256076e57d662a6e0b72edc562542_JaffaCakes118
SHA256 052abface6a82556781baf6890586267f6d18fc9750f7a0e880552d73d46a271
Tags
gh0strat discovery rat
score
10/10


Analysis Overview

score
10/10

SHA256

052abface6a82556781baf6890586267f6d18fc9750f7a0e880552d73d46a271

Threat Level: Known bad

The file 7ce256076e57d662a6e0b72edc562542_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

gh0strat discovery rat

Gh0strat family

Gh0strat

Gh0st RAT payload

ACProtect 1.3x - 1.4x DLL software

Loads dropped DLL

Deletes itself

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK (Enterprise Matrix V15)

The only technique the signatures in this report map to is System Location Discovery: System Language Discovery (T1614.001); that signature is also the source of the sample's discovery tag.

Analysis: static1

Detonation Overview

Reported

2024-10-29 22:06

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Gh0strat family

gh0strat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-29 22:06

Reported

2024-10-29 22:08

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Gh0strat family

gh0strat

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\FileName.jpg | C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe | N/A
File created | C:\Windows\FileName.jpg | C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
64 events recorded, all from C:\Windows\SysWOW64\svchost.exe; no description, indicator or target was captured for any of them (N/A).

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
6 events recorded; no description, indicator, process or target was captured for any of them (N/A).

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k imgsvc

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 167.57.26.184.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | sjzn.9966.org | udp
CN | 218.12.54.14:81 | sjzn.9966.org | tcp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 72.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | sjzn.9966.org | udp
CN | 218.12.54.14:81 | sjzn.9966.org | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | sjzn.9966.org | udp
CN | 218.12.54.14:81 | sjzn.9966.org | tcp
N/A | 52.168.117.170:443 | (none) | tcp

The traffic attributable to the sample is the three resolutions of sjzn.9966.org and the three TCP sessions to 218.12.54.14:81 that follow them; the in-addr.arpa reverse lookups and the tse1.mm.bing.net traffic are background activity of the win10 image and have no counterpart in the win7 run below.
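The report records three TCP sessions from the sample to sjzn.9966.org (218.12.54.14:81) but not their contents. The decoder below is an added example, not something captured by the sandbox or taken from the report: it parses the framing the classic Gh0st 3.x implant and controller use on such a session, a 5-byte "Gh0st" marker, a little-endian total length, a little-endian uncompressed length, then a zlib stream. That this sample speaks the classic framing is an assumption (later variants change the marker), and the frames in SAMPLE_STREAM are constructed rather than captured. The example also carries the checks a decoder needs when the peer is hostile: implausible length fields, truncation, and a zlib stream that does not inflate to the advertised size.

```python
import struct
import zlib
from typing import Iterator, List, Optional, Tuple

# Classic Gh0st 3.x C2 framing (assumed for this sample; the report only records the
# TCP sessions to 218.12.54.14:81, not their bytes, and later variants change the marker):
#   bytes 0..4    b"Gh0st"               5-byte marker
#   bytes 5..8    uint32 little-endian   total frame length, header included
#   bytes 9..12   uint32 little-endian   payload length before zlib compression
#   bytes 13..    zlib-compressed payload
MAGIC = b"Gh0st"
HDR_SIZE = 13
MAX_FRAME = 16 * 1024 * 1024  # cap so a hostile length field cannot drive a huge allocation


def build_frame(payload: bytes) -> bytes:
    """Encode one frame the way the classic implant and controller do."""
    body = zlib.compress(payload)
    return MAGIC + struct.pack("<II", HDR_SIZE + len(body), len(payload)) + body


def parse_frame(buf: bytes) -> Optional[Tuple[bytes, int]]:
    """Return (decompressed payload, bytes consumed) if buf starts with one complete,
    well-formed frame; None if the marker is missing, a length is implausible, the
    frame is truncated, or the zlib stream does not inflate to the advertised size."""
    if len(buf) < HDR_SIZE or buf[:5] != MAGIC:
        return None
    total, raw_len = struct.unpack_from("<II", buf, 5)
    if total < HDR_SIZE or total > MAX_FRAME or raw_len > MAX_FRAME:
        return None
    if len(buf) < total:
        return None  # truncated: a live decoder would wait for more bytes
    try:
        payload = zlib.decompress(buf[HDR_SIZE:total])
    except zlib.error:
        return None
    if len(payload) != raw_len:
        return None
    return payload, total


def iter_frames(stream: bytes) -> Iterator[bytes]:
    """Walk a reassembled TCP stream, yielding each valid frame's payload and
    resynchronising on the marker after junk or a damaged frame."""
    off = 0
    while off + HDR_SIZE <= len(stream):
        parsed = parse_frame(stream[off:])
        if parsed is None:
            off += 1
            continue
        payload, used = parsed
        yield payload
        off += used


# Constructed sample stream (not captured from the sandbox): two valid frames with junk
# between them and a truncated third frame at the end.
FRAME_A = b"constructed check-in payload"
FRAME_B = b"constructed second frame"
SAMPLE_STREAM = (
    build_frame(FRAME_A)
    + b"\x00\x00junk"
    + build_frame(FRAME_B)
    + build_frame(b"never completes")[:HDR_SIZE + 3]
)


def decode_sample() -> List[bytes]:
    """Decode the constructed stream; the truncated trailer must be dropped, not crash."""
    return list(iter_frames(SAMPLE_STREAM))


if __name__ == "__main__":
    for i, p in enumerate(decode_sample()):
        print(f"frame {i}: {len(p)} bytes: {p!r}")
```

To try it on a real capture, feed the reassembled client-to-server bytes of one of the port 81 sessions to iter_frames; if nothing decodes, the first thing to check is whether the marker has been changed, since that is the usual difference between Gh0st variants.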

Files

memory/3556-0-0x0000000000400000-0x0000000000427000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cni8414.tmp

MD5 685f1cbd4af30a1d0c25f252d399a666
SHA1 6a1b978f5e6150b88c8634146f1406ed97d2f134
SHA256 0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4
SHA512 6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

memory/3556-6-0x00000000021C0000-0x0000000002233000-memory.dmp

C:\851100.dll

MD5 a11638396cc03a0c5d9b884caf3a2f49
SHA1 c8e7eee257e14e07c5e8c0e77b3ac60e607308a0
SHA256 328c0d1f7c0f110b9c1687d30c075bcae1ea542340e3af91d449c72d41cb764e
SHA512 929417a9d24c379d6317a5f2a169e444f22254c5484318661d4199a768adbc549bf0ce7b615140b6e321734e062c04f21c2cba77a52c0a548856aa009a43fec8

\??\c:\windows\filename.jpg

MD5 23a4a59f17d46fdaf1843d5ea2a005bb
SHA1 3b2da684fb2a39525e2b2b96c971e6657682b412
SHA256 fdf6afac9b6a725b341f4f6084a3cc47da5c7027faef117552f26a54cc58e18f
SHA512 e1f4ee055267c2ad458c03f5d5abd1bdf84a6e7f1e9ec214bc07dac804e4d6322074fd23ad8d9acdcabb7936465589a1e28188f4bd59ad4c2567b83419a8724e

memory/3556-21-0x0000000000400000-0x0000000000427000-memory.dmp

memory/3556-20-0x00000000021C0000-0x0000000002233000-memory.dmp

\??\c:\NT_Path.jpg

MD5 c6bf54463aef440a5df8b34a0b3d1c0b
SHA1 773e95f68e4d055577f4d2f3dcca81517e463fcf
SHA256 8e18768dda394bf613fcc1449cdcb41feaa286682f4db3837552ed8b34a2ffab
SHA512 333fae7557c2511b8b61d3b2ccb48f1c92307240c7ba64b62ca7318f191ac0b960f47af607c7123691da8437f40a52862a6c9b8d19da95789f617614ea6ab63f

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-29 22:06

Reported

2024-10-29 22:08

Platform

win7-20241010-en

Max time kernel

150s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Gh0strat family

gh0strat

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\FileName.jpg | C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe | N/A
File created | C:\Windows\FileName.jpg | C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
64 events recorded, all from C:\Windows\SysWOW64\svchost.exe; no description, indicator or target was captured for any of them (N/A).

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k imgsvc

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | sjzn.9966.org | udp
CN | 218.12.54.14:81 | sjzn.9966.org | tcp
US | 8.8.8.8:53 | sjzn.9966.org | udp
CN | 218.12.54.14:81 | sjzn.9966.org | tcp
US | 8.8.8.8:53 | sjzn.9966.org | udp
CN | 218.12.54.14:81 | sjzn.9966.org | tcp

Files

memory/2736-0-0x0000000000400000-0x0000000000427000-memory.dmp

memory/2736-2-0x00000000001D0000-0x00000000001F7000-memory.dmp

memory/2736-1-0x00000000001D0000-0x00000000001F7000-memory.dmp

memory/2736-4-0x00000000001D0000-0x00000000001F7000-memory.dmp

\Users\Admin\AppData\Local\Temp\hml7A4E.tmp

MD5 685f1cbd4af30a1d0c25f252d399a666
SHA1 6a1b978f5e6150b88c8634146f1406ed97d2f134
SHA256 0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4
SHA512 6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

memory/2736-8-0x00000000004A0000-0x0000000000513000-memory.dmp

C:\Windows\FileName.jpg

MD5 13c90fe45c094ab94b9b59b4932d9b72
SHA1 fbcc642e6d01e73b3a15fcaf85bf8726b4346279
SHA256 fbfc2c293c2b404b95e36a465faf58533e645e7f6104b8ea37e20a7e2349a329
SHA512 e6811bd7fc8495d4695c74fb49aea0d199bf938d78f8e9d1aa8294f7528dd5e0d391180596dd506b07656f1415c2b86f34091fb2bbe655adf3eb006425773954

memory/2736-17-0x0000000000400000-0x0000000000427000-memory.dmp

memory/2736-18-0x00000000004A0000-0x0000000000513000-memory.dmp

memory/2736-20-0x00000000001D0000-0x00000000001DD000-memory.dmp

memory/2736-19-0x0000000010000000-0x000000001001E000-memory.dmp

C:\3224400.dll

MD5 a11638396cc03a0c5d9b884caf3a2f49
SHA1 c8e7eee257e14e07c5e8c0e77b3ac60e607308a0
SHA256 328c0d1f7c0f110b9c1687d30c075bcae1ea542340e3af91d449c72d41cb764e
SHA512 929417a9d24c379d6317a5f2a169e444f22254c5484318661d4199a768adbc549bf0ce7b615140b6e321734e062c04f21c2cba77a52c0a548856aa009a43fec8

\??\c:\NT_Path.jpg

MD5 a979ea484d61a85dba13ecff470331c4
SHA1 33e436395aa6d706d1c2bd85d3d9a23b29487089
SHA256 9d21a3d928ff67a542d0338e16ef9526fc2700da93fdb146d8550ab667e4e7e4
SHA512 5ad2c6ffa2bdea4a38b5b0b718ca6cfa29f84b945baad47dbad50e23b0f054b97249875d85aa67063170ac458295ef01b604ebc811afb61e63800de50572f856

memory/2780-23-0x0000000010000000-0x000000001001E000-memory.dmp
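As an added example, not part of the sandbox report, the following script turns the observables from both behavioral runs above into a hunt over endpoint telemetry: the SHA256 values of the dropped files, the C2 domain and endpoint, the drop paths, and the parent/child anomaly of svchost.exe -k imgsvc being started by the sample from %TEMP% rather than by services.exe. The JSON-lines event schema (type, path, sha256, query, dst_ip, dst_port, image, parent_image, cmdline) and the sample telemetry are constructed for the example, and the root-level DLL pattern generalises the two names the runs produced (851100.dll, 3224400.dll).

```python
import json
import re
from typing import Dict, Iterable, List, Tuple

# IOCs taken from the two behavioral runs in this report. C:\Windows\FileName.jpg and
# C:\NT_Path.jpg hashed differently in the win10 and win7 runs, so both values are listed;
# the .tmp file and the root-level DLL were byte-identical across runs.
IOC_SHA256 = {
    "0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4",  # cni8414.tmp / hml7A4E.tmp
    "328c0d1f7c0f110b9c1687d30c075bcae1ea542340e3af91d449c72d41cb764e",  # C:\851100.dll / C:\3224400.dll
    "fdf6afac9b6a725b341f4f6084a3cc47da5c7027faef117552f26a54cc58e18f",  # C:\Windows\FileName.jpg (win10)
    "fbfc2c293c2b404b95e36a465faf58533e645e7f6104b8ea37e20a7e2349a329",  # C:\Windows\FileName.jpg (win7)
    "8e18768dda394bf613fcc1449cdcb41feaa286682f4db3837552ed8b34a2ffab",  # C:\NT_Path.jpg (win10)
    "9d21a3d928ff67a542d0338e16ef9526fc2700da93fdb146d8550ab667e4e7e4",  # C:\NT_Path.jpg (win7)
}
IOC_DOMAINS = {"sjzn.9966.org"}
IOC_ENDPOINTS = {("218.12.54.14", 81)}
# Path patterns generalised from the two runs: the DLL at the drive root had a different
# run of digits each time (851100, 3224400), so it is matched as a pattern, not a literal.
IOC_PATHS = [
    re.compile(r"^[a-z]:\\\d+\.dll$", re.I),
    re.compile(r"^[a-z]:\\windows\\filename\.jpg$", re.I),
    re.compile(r"^[a-z]:\\nt_path\.jpg$", re.I),
]


def check_event(ev: Dict) -> List[str]:
    """Return the reasons (possibly several) one telemetry event matches this report's IOCs."""
    hits: List[str] = []
    kind = ev.get("type")
    if kind == "file_create":
        path = ev.get("path", "")
        if ev.get("sha256", "").lower() in IOC_SHA256:
            hits.append(f"known-bad hash written to {path}")
        if any(p.match(path) for p in IOC_PATHS):
            hits.append(f"Gh0st drop path {path}")
    elif kind == "dns_query":
        if ev.get("query", "").lower().rstrip(".") in IOC_DOMAINS:
            hits.append(f"C2 domain lookup {ev['query']}")
    elif kind == "network_connect":
        if (ev.get("dst_ip"), ev.get("dst_port")) in IOC_ENDPOINTS:
            hits.append(f"C2 connection {ev['dst_ip']}:{ev['dst_port']}")
    elif kind == "process_create":
        image = ev.get("image", "").lower()
        cmdline = ev.get("cmdline", "").lower()
        parent = ev.get("parent_image", "").lower()
        # A genuine svchost.exe is started by services.exe; in both sandbox runs the
        # "svchost.exe -k imgsvc" instance was started by the sample from %TEMP%.
        if image.endswith("\\svchost.exe") and "-k imgsvc" in cmdline and not parent.endswith("\\services.exe"):
            hits.append(f"svchost -k imgsvc started by {ev.get('parent_image')}")
    return hits


def hunt(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Run check_event over JSON-lines telemetry; malformed lines are skipped, not fatal."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        for reason in check_event(ev):
            findings.append((lineno, reason))
    return findings


# Constructed sample telemetry (JSON lines), written for this example rather than exported
# from the sandbox; the paths and hashes are the ones the report lists.
SAMPLE_TELEMETRY = r"""
{"type":"process_create","image":"C:\\Users\\Admin\\AppData\\Local\\Temp\\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe","parent_image":"C:\\Windows\\explorer.exe","cmdline":"\"C:\\Users\\Admin\\AppData\\Local\\Temp\\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe\""}
{"type":"file_create","path":"C:\\Windows\\FileName.jpg","sha256":"fdf6afac9b6a725b341f4f6084a3cc47da5c7027faef117552f26a54cc58e18f"}
{"type":"file_create","path":"C:\\851100.dll","sha256":"328c0d1f7c0f110b9c1687d30c075bcae1ea542340e3af91d449c72d41cb764e"}
{"type":"process_create","image":"C:\\Windows\\SysWOW64\\svchost.exe","parent_image":"C:\\Users\\Admin\\AppData\\Local\\Temp\\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe","cmdline":"C:\\Windows\\SysWOW64\\svchost.exe -k imgsvc"}
{"type":"process_create","image":"C:\\Windows\\System32\\svchost.exe","parent_image":"C:\\Windows\\System32\\services.exe","cmdline":"C:\\Windows\\System32\\svchost.exe -k imgsvc"}
{"type":"dns_query","query":"sjzn.9966.org"}
{"type":"network_connect","dst_ip":"218.12.54.14","dst_port":81}
{"type":"network_connect","dst_ip":"8.8.8.8","dst_port":53}
this line is not JSON and is skipped
"""


def run_sample() -> List[Tuple[int, str]]:
    return hunt(SAMPLE_TELEMETRY.splitlines())


if __name__ == "__main__":
    for lineno, reason in run_sample():
        print(f"line {lineno}: {reason}")
```

The hash set is the weakest indicator here: FileName.jpg and NT_Path.jpg hashed differently between the win7 and win10 runs, so a hunt that relies on hashes alone would miss a third run. The drop-path checks and the services.exe parent check are what carry across runs, and the legitimate svchost -k imgsvc line in the sample telemetry is there to show that the parent check, not the command line, is what separates the two.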