Analysis Overview
SHA256
edfdb2154972ef6d6975ea991e518c70fca4b0e3cbf5232da271d8d0cf75d849
Threat Level: Known bad
The file 7d0b60d0835c3add992af1524c4dec8f_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Gh0strat
Gh0st RAT payload
Gh0strat family
Server Software Component: Terminal Services DLL
Deletes itself
Loads dropped DLL
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-29 23:00
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Gh0strat family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-29 23:00
Reported
2024-10-29 23:03
Platform
win7-20240708-en
Max time kernel
150s
Max time network
118s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Gh0strat
Gh0strat family
Server Software Component: Terminal Services DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\360svc\Parameters\ServiceDll = "C:\\Documents and Settings\\Local User\\360safe.dll" | C:\Users\Admin\AppData\Local\Temp\7d0b60d0835c3add992af1524c4dec8f_JaffaCakes118.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7d0b60d0835c3add992af1524c4dec8f_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7d0b60d0835c3add992af1524c4dec8f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7d0b60d0835c3add992af1524c4dec8f_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\7d0b60d0835c3add992af1524c4dec8f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7d0b60d0835c3add992af1524c4dec8f_JaffaCakes118.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | huangdaibing.3322.org | udp |
Files
\??\c:\documents and settings\local user\360safe.dll
| Hash | Value |
| --- | --- |
| MD5 | 7ef6dab74ee4b2a2d27a0bea76adc2e5 |
| SHA1 | 01764a576c2823f40746e48a060d73cf3408d501 |
| SHA256 | 2f1b66ae6495ed7a44e39b93ea06995a223f2846641501fb03c07c8d5d0c960a |
| SHA512 | 85ae2d911b827db3b655db157744eae3532657a4218c70d7c80b44404b8179a3c3b1763d725eb511971e29c74b0b69e158054a3746fc47d0e5bb498b9781aa2d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-29 23:00
Reported
2024-10-29 23:03
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
135s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Gh0strat
Gh0strat family
Server Software Component: Terminal Services DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\360svc\Parameters\ServiceDll = "C:\\Documents and Settings\\Local User\\360safe.dll" | C:\Users\Admin\AppData\Local\Temp\7d0b60d0835c3add992af1524c4dec8f_JaffaCakes118.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7d0b60d0835c3add992af1524c4dec8f_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7d0b60d0835c3add992af1524c4dec8f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7d0b60d0835c3add992af1524c4dec8f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7d0b60d0835c3add992af1524c4dec8f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7d0b60d0835c3add992af1524c4dec8f_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\7d0b60d0835c3add992af1524c4dec8f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7d0b60d0835c3add992af1524c4dec8f_JaffaCakes118.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | huangdaibing.3322.org | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | huangdaibing.3322.org | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | huangdaibing.3322.org | udp |
Files
\??\c:\documents and settings\local user\360safe.dll
| Hash | Value |
| --- | --- |
| MD5 | 7ef6dab74ee4b2a2d27a0bea76adc2e5 |
| SHA1 | 01764a576c2823f40746e48a060d73cf3408d501 |
| SHA256 | 2f1b66ae6495ed7a44e39b93ea06995a223f2846641501fb03c07c8d5d0c960a |
| SHA512 | 85ae2d911b827db3b655db157744eae3532657a4218c70d7c80b44404b8179a3c3b1763d725eb511971e29c74b0b69e158054a3746fc47d0e5bb498b9781aa2d |