Analysis Overview
SHA256
052abface6a82556781baf6890586267f6d18fc9750f7a0e880552d73d46a271
Threat Level: Known bad
The file 7ce256076e57d662a6e0b72edc562542_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Gh0strat family
Gh0strat
Gh0st RAT payload
ACProtect 1.3x - 1.4x DLL software
Loads dropped DLL
Deletes itself
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-29 22:06
Signatures
Gh0st RAT payload
1 hit recorded; no description, indicator, process or target captured.
Gh0strat family
Unsigned PE
1 hit recorded; no description, indicator, process or target captured.
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-29 22:06
Reported
2024-10-29 22:08
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
Gh0st RAT payload
4 hits recorded; no description, indicator, process or target captured.
Gh0strat
Gh0strat family
ACProtect 1.3x - 1.4x DLL software
1 hit recorded; no description, indicator, process or target captured.
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\FileName.jpg | C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe | N/A |
| File created | C:\Windows\FileName.jpg | C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
6 hits recorded; no description, indicator, process or target captured.
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 167.57.26.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sjzn.9966.org | udp |
| CN | 218.12.54.14:81 | sjzn.9966.org | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sjzn.9966.org | udp |
| CN | 218.12.54.14:81 | sjzn.9966.org | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sjzn.9966.org | udp |
| CN | 218.12.54.14:81 | sjzn.9966.org | tcp |
| N/A | 52.168.117.170:443 | N/A | tcp |
Files
memory/3556-0-0x0000000000400000-0x0000000000427000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cni8414.tmp
| MD5 | 685f1cbd4af30a1d0c25f252d399a666 |
| SHA1 | 6a1b978f5e6150b88c8634146f1406ed97d2f134 |
| SHA256 | 0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4 |
| SHA512 | 6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9 |
memory/3556-6-0x00000000021C0000-0x0000000002233000-memory.dmp
C:\851100.dll
| MD5 | a11638396cc03a0c5d9b884caf3a2f49 |
| SHA1 | c8e7eee257e14e07c5e8c0e77b3ac60e607308a0 |
| SHA256 | 328c0d1f7c0f110b9c1687d30c075bcae1ea542340e3af91d449c72d41cb764e |
| SHA512 | 929417a9d24c379d6317a5f2a169e444f22254c5484318661d4199a768adbc549bf0ce7b615140b6e321734e062c04f21c2cba77a52c0a548856aa009a43fec8 |
\??\c:\windows\filename.jpg
| MD5 | 23a4a59f17d46fdaf1843d5ea2a005bb |
| SHA1 | 3b2da684fb2a39525e2b2b96c971e6657682b412 |
| SHA256 | fdf6afac9b6a725b341f4f6084a3cc47da5c7027faef117552f26a54cc58e18f |
| SHA512 | e1f4ee055267c2ad458c03f5d5abd1bdf84a6e7f1e9ec214bc07dac804e4d6322074fd23ad8d9acdcabb7936465589a1e28188f4bd59ad4c2567b83419a8724e |
memory/3556-21-0x0000000000400000-0x0000000000427000-memory.dmp
memory/3556-20-0x00000000021C0000-0x0000000002233000-memory.dmp
\??\c:\NT_Path.jpg
| MD5 | c6bf54463aef440a5df8b34a0b3d1c0b |
| SHA1 | 773e95f68e4d055577f4d2f3dcca81517e463fcf |
| SHA256 | 8e18768dda394bf613fcc1449cdcb41feaa286682f4db3837552ed8b34a2ffab |
| SHA512 | 333fae7557c2511b8b61d3b2ccb48f1c92307240c7ba64b62ca7318f191ac0b960f47af607c7123691da8437f40a52862a6c9b8d19da95789f617614ea6ab63f |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-29 22:06
Reported
2024-10-29 22:08
Platform
win7-20241010-en
Max time kernel
150s
Max time network
147s
Command Line
Signatures
Gh0st RAT payload
6 hits recorded; no description, indicator, process or target captured.
Gh0strat
Gh0strat family
ACProtect 1.3x - 1.4x DLL software
1 hit recorded; no description, indicator, process or target captured.
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\FileName.jpg | C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe | N/A |
| File created | C:\Windows\FileName.jpg | C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7ce256076e57d662a6e0b72edc562542_JaffaCakes118.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | sjzn.9966.org | udp |
| CN | 218.12.54.14:81 | sjzn.9966.org | tcp |
| US | 8.8.8.8:53 | sjzn.9966.org | udp |
| CN | 218.12.54.14:81 | sjzn.9966.org | tcp |
| US | 8.8.8.8:53 | sjzn.9966.org | udp |
| CN | 218.12.54.14:81 | sjzn.9966.org | tcp |
Files
memory/2736-0-0x0000000000400000-0x0000000000427000-memory.dmp
memory/2736-2-0x00000000001D0000-0x00000000001F7000-memory.dmp
memory/2736-1-0x00000000001D0000-0x00000000001F7000-memory.dmp
memory/2736-4-0x00000000001D0000-0x00000000001F7000-memory.dmp
\Users\Admin\AppData\Local\Temp\hml7A4E.tmp
| MD5 | 685f1cbd4af30a1d0c25f252d399a666 |
| SHA1 | 6a1b978f5e6150b88c8634146f1406ed97d2f134 |
| SHA256 | 0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4 |
| SHA512 | 6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9 |
memory/2736-8-0x00000000004A0000-0x0000000000513000-memory.dmp
C:\Windows\FileName.jpg
| MD5 | 13c90fe45c094ab94b9b59b4932d9b72 |
| SHA1 | fbcc642e6d01e73b3a15fcaf85bf8726b4346279 |
| SHA256 | fbfc2c293c2b404b95e36a465faf58533e645e7f6104b8ea37e20a7e2349a329 |
| SHA512 | e6811bd7fc8495d4695c74fb49aea0d199bf938d78f8e9d1aa8294f7528dd5e0d391180596dd506b07656f1415c2b86f34091fb2bbe655adf3eb006425773954 |
memory/2736-17-0x0000000000400000-0x0000000000427000-memory.dmp
memory/2736-18-0x00000000004A0000-0x0000000000513000-memory.dmp
memory/2736-20-0x00000000001D0000-0x00000000001DD000-memory.dmp
memory/2736-19-0x0000000010000000-0x000000001001E000-memory.dmp
C:\3224400.dll
| MD5 | a11638396cc03a0c5d9b884caf3a2f49 |
| SHA1 | c8e7eee257e14e07c5e8c0e77b3ac60e607308a0 |
| SHA256 | 328c0d1f7c0f110b9c1687d30c075bcae1ea542340e3af91d449c72d41cb764e |
| SHA512 | 929417a9d24c379d6317a5f2a169e444f22254c5484318661d4199a768adbc549bf0ce7b615140b6e321734e062c04f21c2cba77a52c0a548856aa009a43fec8 |
\??\c:\NT_Path.jpg
| MD5 | a979ea484d61a85dba13ecff470331c4 |
| SHA1 | 33e436395aa6d706d1c2bd85d3d9a23b29487089 |
| SHA256 | 9d21a3d928ff67a542d0338e16ef9526fc2700da93fdb146d8550ab667e4e7e4 |
| SHA512 | 5ad2c6ffa2bdea4a38b5b0b718ca6cfa29f84b945baad47dbad50e23b0f054b97249875d85aa67063170ac458295ef01b604ebc811afb61e63800de50572f856 |
memory/2780-23-0x0000000010000000-0x000000001001E000-memory.dmp
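The two detonations above agree on a small set of durable indicators: the only network destination that recurs in both runs is sjzn.9966.org resolving to 218.12.54.14 on TCP/81 (the report attributes none of the connections to a process, and the in-addr.arpa and bing.net lookups appear only in the Win10 run), the dropped .tmp and .dll hashes are identical across runs, while FileName.jpg and NT_Path.jpg hashed differently on Win7 and Win10, so those two are better matched by path than by digest. The dropped DLL also moved between runs (C:\851100.dll vs C:\3224400.dll) but kept its shape: a numeric name in the drive root, loaded by C:\Windows\SysWOW64\svchost.exe. The script below is an added example, not part of the sandbox report: it turns those observations into a hunting pass over normalised log events. The indicator values are copied from the report; the events at the bottom are constructed for the example and are not sandbox output.

```python
"""Added example (not part of the sandbox report): hunt for the indicators recorded above.

Indicator values are copied verbatim from the report. The events in SAMPLE_EVENTS are
constructed for this example and are not sandbox output.
"""
import re

# --- exact indicators from the report ---------------------------------------------
SAMPLE_SHA256 = "052abface6a82556781baf6890586267f6d18fc9750f7a0e880552d73d46a271"

# Dropped-file hashes. The .tmp and .dll digests were identical in the Win7 and Win10
# runs; FileName.jpg and NT_Path.jpg differed per run, so they are also matched by path.
DROPPED_SHA256 = {
    "0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4": "dropped .tmp (cni8414.tmp / hml7A4E.tmp)",
    "328c0d1f7c0f110b9c1687d30c075bcae1ea542340e3af91d449c72d41cb764e": "dropped DLL (851100.dll / 3224400.dll)",
    "fdf6afac9b6a725b341f4f6084a3cc47da5c7027faef117552f26a54cc58e18f": "c:\\windows\\filename.jpg (win10 run)",
    "fbfc2c293c2b404b95e36a465faf58533e645e7f6104b8ea37e20a7e2349a329": "C:\\Windows\\FileName.jpg (win7 run)",
    "8e18768dda394bf613fcc1449cdcb41feaa286682f4db3837552ed8b34a2ffab": "c:\\NT_Path.jpg (win10 run)",
    "9d21a3d928ff67a542d0338e16ef9526fc2700da93fdb146d8550ab667e4e7e4": "c:\\NT_Path.jpg (win7 run)",
}
C2_DOMAIN = "sjzn.9966.org"
C2_IP, C2_PORT = "218.12.54.14", 81

# --- behavioural shapes from the process / file activity ----------------------------
# The dropped DLL sat in the drive root under a numeric name that changed between runs.
ROOT_NUMERIC_DLL = re.compile(r"^[a-z]:\\\d+\.dll$", re.IGNORECASE)
# FileName.jpg / NT_Path.jpg, with or without the \??\ NT prefix and the Windows\ directory.
DROPPED_JPG = re.compile(r"^(?:\\\?\?\\)?[a-z]:\\(?:windows\\)?(?:filename|nt_path)\.jpg$", re.IGNORECASE)
SVCHOST = re.compile(r"^[a-z]:\\windows\\(?:system32|syswow64)\\svchost\.exe$", re.IGNORECASE)


def match_event(ev: dict) -> list[str]:
    """Return the indicator descriptions that one normalised event matches (empty if none)."""
    hits = []
    kind = ev.get("type")
    if kind == "dns" and ev.get("query", "").lower().rstrip(".") == C2_DOMAIN:
        hits.append(f"DNS lookup of C2 domain {C2_DOMAIN}")
    elif kind == "conn" and ev.get("dst_ip") == C2_IP and int(ev.get("dst_port", 0)) == C2_PORT:
        hits.append(f"TCP connection to C2 {C2_IP}:{C2_PORT}")
    elif kind == "hash":
        digest = ev.get("sha256", "").lower()
        if digest == SAMPLE_SHA256:
            hits.append("SHA256 of the analysed sample")
        elif digest in DROPPED_SHA256:
            hits.append(f"SHA256 of {DROPPED_SHA256[digest]}")
    elif kind == "file" and DROPPED_JPG.match(ev.get("path", "")):
        hits.append(f"drop path seen in report: {ev['path']}")
    elif kind == "imageload":
        if SVCHOST.match(ev.get("process", "")) and ROOT_NUMERIC_DLL.match(ev.get("image", "")):
            hits.append(f"svchost.exe loading drive-root DLL {ev['image']}")
    return hits


def hunt(events: list[dict]) -> list[tuple[int, str]]:
    """Run every event through match_event; return (event index, description) pairs."""
    return [(i, desc) for i, ev in enumerate(events) for desc in match_event(ev)]


# Constructed events (not from the sandbox): the first five should match, the last two not.
SAMPLE_EVENTS = [
    {"type": "dns", "query": "sjzn.9966.org."},
    {"type": "conn", "dst_ip": "218.12.54.14", "dst_port": 81, "proto": "tcp"},
    {"type": "imageload", "process": r"C:\Windows\SysWOW64\svchost.exe", "image": r"C:\851100.dll"},
    {"type": "file", "action": "create", "path": r"\??\c:\NT_Path.jpg"},
    {"type": "hash", "sha256": "328C0D1F7C0F110B9C1687D30C075BCAE1EA542340E3AF91D449C72D41CB764E"},
    {"type": "dns", "query": "tse1.mm.bing.net"},
    {"type": "imageload", "process": r"C:\Windows\SysWOW64\svchost.exe", "image": r"C:\Windows\SysWOW64\kernel32.dll"},
]

if __name__ == "__main__":
    for idx, desc in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {desc}")
```

The event schema (`type`, `query`, `dst_ip`, `path`, `image`, ...) is an assumption for the example; map your own DNS, flow, file and image-load telemetry onto it before running. Hash matching is kept for the digests that were stable across runs, but the path and svchost-loads-root-DLL rules carry the detection where the sample rewrote its files per host.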