Malware Analysis Report

2025-08-06 01:47

Sample ID: 241031-cfp9ssvrb1
Target: 811f4d41999f74d8d43ad15bca1ae828_JaffaCakes118
SHA256: 72ec34ebd451df15a97e84de221a4536d57fd18f4076104219fa2b582d05cfb1
Tags: gh0strat discovery persistence rat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 72ec34ebd451df15a97e84de221a4536d57fd18f4076104219fa2b582d05cfb1
Threat Level: Known bad

The file 811f4d41999f74d8d43ad15bca1ae828_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Tags: gh0strat discovery persistence rat

Gh0st RAT payload
Gh0strat
Gh0strat family
Server Software Component: Terminal Services DLL
Drops file in Drivers directory
Deletes itself
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: LoadsDriver

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-31 02:01

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-31 02:01
Reported: 2024-10-31 02:33
Platform: win7-20240903-en
Max time kernel: 150s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\811f4d41999f74d8d43ad15bca1ae828_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Gh0strat (tags: rat gh0strat)

Gh0strat family (tags: gh0strat)

Drops file in Drivers directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\Drivers\beep.sys | C:\Users\Admin\AppData\Local\Temp\811f4d41999f74d8d43ad15bca1ae828_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Drivers\beep.sys | C:\Windows\SysWOW64\svchost.exe | N/A

Server Software Component: Terminal Services DLL (tags: persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibilitysrc.dll" | C:\Users\Admin\AppData\Local\Temp\811f4d41999f74d8d43ad15bca1ae828_JaffaCakes118.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\FastUserSwitchingCompatibilitysrc.dll | C:\Users\Admin\AppData\Local\Temp\811f4d41999f74d8d43ad15bca1ae828_JaffaCakes118.exe | N/A

System Location Discovery: System Language Discovery (tags: discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\811f4d41999f74d8d43ad15bca1ae828_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\811f4d41999f74d8d43ad15bca1ae828_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\811f4d41999f74d8d43ad15bca1ae828_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | mobaiwar.3322.org | udp

Files

memory/2276-0-0x0000000000400000-0x000000000042D200-memory.dmp

memory/2276-1-0x0000000000020000-0x0000000000021000-memory.dmp

\Users\Admin\AppData\Local\Temp\259447961_ex.tmp

MD5 c65b9fc9b20c04fef794df9f28e857b1
SHA1 24e34980d4e6d997776af4404da2f2c0f45ed2b2
SHA256 865aba90524884defc88fe104281c7d63db52a3706dc892ac542233a1b7f795a
SHA512 fb8f4b95ff3b17997dad32f046e9b929d0f8e038ef8d2bca69424ea1406b60bf0b3a42370f0889382fd765d1673d0e1638050ff8c81ec7c5c68c144a5e073ec9

C:\Users\Admin\AppData\Local\Temp\259448023_res.tmp

MD5 fa331bd116366e9597b98bea8f34f80d
SHA1 0e7b399fa831882e03c18a963b5e43267992a370
SHA256 c880a0a73d1f20819a5ba5614f5a5976c9c5850e7136f45d629ebb6d254705cb
SHA512 9f26c0dd86bdb9b2086f6452f340e2c06028a4396d8c7e647e8bebd354e4b92b1933b95af55d2c2b34cbd2634db97f8cba970b6c05cbd528f5848348d4baf4f5

memory/2276-12-0x0000000000400000-0x000000000042D200-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-31 02:01
Reported: 2024-10-31 02:33
Platform: win10v2004-20241007-en
Max time kernel: 150s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\811f4d41999f74d8d43ad15bca1ae828_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Gh0strat (tags: rat gh0strat)

Gh0strat family (tags: gh0strat)

Drops file in Drivers directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\Drivers\beep.sys | C:\Users\Admin\AppData\Local\Temp\811f4d41999f74d8d43ad15bca1ae828_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Drivers\beep.sys | C:\Windows\SysWOW64\svchost.exe | N/A

Server Software Component: Terminal Services DLL (tags: persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibilitysrc.dll" | C:\Users\Admin\AppData\Local\Temp\811f4d41999f74d8d43ad15bca1ae828_JaffaCakes118.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\FastUserSwitchingCompatibilitysrc.dll | C:\Users\Admin\AppData\Local\Temp\811f4d41999f74d8d43ad15bca1ae828_JaffaCakes118.exe | N/A

System Location Discovery: System Language Discovery (tags: discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\811f4d41999f74d8d43ad15bca1ae828_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\811f4d41999f74d8d43ad15bca1ae828_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\811f4d41999f74d8d43ad15bca1ae828_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s FastUserSwitchingCompatibility

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.27.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | mobaiwar.3322.org | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | mobaiwar.3322.org | udp
US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | mobaiwar.3322.org | udp
US | 8.8.8.8:53 | mobaiwar.3322.org | udp
US | 8.8.8.8:53 | mobaiwar.3322.org | udp
US | 8.8.8.8:53 | mobaiwar.3322.org | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | mobaiwar.3322.org | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | mobaiwar.3322.org | udp
US | 8.8.8.8:53 | mobaiwar.3322.org | udp
US | 8.8.8.8:53 | mobaiwar.3322.org | udp
US | 8.8.8.8:53 | 213.143.182.52.in-addr.arpa | udp

Files

memory/4332-0-0x0000000000400000-0x000000000042D200-memory.dmp

memory/4332-1-0x0000000000500000-0x0000000000501000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\240621953_ex.tmp

MD5 c65b9fc9b20c04fef794df9f28e857b1
SHA1 24e34980d4e6d997776af4404da2f2c0f45ed2b2
SHA256 865aba90524884defc88fe104281c7d63db52a3706dc892ac542233a1b7f795a
SHA512 fb8f4b95ff3b17997dad32f046e9b929d0f8e038ef8d2bca69424ea1406b60bf0b3a42370f0889382fd765d1673d0e1638050ff8c81ec7c5c68c144a5e073ec9

\??\c:\windows\SysWOW64\fastuserswitchingcompatibilitysrc.dll

MD5 fa331bd116366e9597b98bea8f34f80d
SHA1 0e7b399fa831882e03c18a963b5e43267992a370
SHA256 c880a0a73d1f20819a5ba5614f5a5976c9c5850e7136f45d629ebb6d254705cb
SHA512 9f26c0dd86bdb9b2086f6452f340e2c06028a4396d8c7e647e8bebd354e4b92b1933b95af55d2c2b34cbd2634db97f8cba970b6c05cbd528f5848348d4baf4f5

memory/4332-13-0x0000000000400000-0x000000000042D200-memory.dmp