Analysis Overview
SHA256
72ec34ebd451df15a97e84de221a4536d57fd18f4076104219fa2b582d05cfb1
Threat Level: Known bad
The file 811f4d41999f74d8d43ad15bca1ae828_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Gh0st RAT payload
Gh0strat
Gh0strat family
Server Software Component: Terminal Services DLL
Drops file in Drivers directory
Deletes itself
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: LoadsDriver
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-31 02:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-31 02:01
Reported
2024-10-31 02:33
Platform
win7-20240903-en
Max time kernel
150s
Max time network
119s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Gh0strat family
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Drivers\beep.sys | C:\Users\Admin\AppData\Local\Temp\811f4d41999f74d8d43ad15bca1ae828_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Drivers\beep.sys | C:\Windows\SysWOW64\svchost.exe | N/A |
Server Software Component: Terminal Services DLL
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibilitysrc.dll" | C:\Users\Admin\AppData\Local\Temp\811f4d41999f74d8d43ad15bca1ae828_JaffaCakes118.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\811f4d41999f74d8d43ad15bca1ae828_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\FastUserSwitchingCompatibilitysrc.dll | C:\Users\Admin\AppData\Local\Temp\811f4d41999f74d8d43ad15bca1ae828_JaffaCakes118.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\811f4d41999f74d8d43ad15bca1ae828_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\811f4d41999f74d8d43ad15bca1ae828_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\811f4d41999f74d8d43ad15bca1ae828_JaffaCakes118.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | mobaiwar.3322.org | udp |
Files
memory/2276-0-0x0000000000400000-0x000000000042D200-memory.dmp
memory/2276-1-0x0000000000020000-0x0000000000021000-memory.dmp
\Users\Admin\AppData\Local\Temp\259447961_ex.tmp
| MD5 | c65b9fc9b20c04fef794df9f28e857b1 |
| SHA1 | 24e34980d4e6d997776af4404da2f2c0f45ed2b2 |
| SHA256 | 865aba90524884defc88fe104281c7d63db52a3706dc892ac542233a1b7f795a |
| SHA512 | fb8f4b95ff3b17997dad32f046e9b929d0f8e038ef8d2bca69424ea1406b60bf0b3a42370f0889382fd765d1673d0e1638050ff8c81ec7c5c68c144a5e073ec9 |
C:\Users\Admin\AppData\Local\Temp\259448023_res.tmp
| MD5 | fa331bd116366e9597b98bea8f34f80d |
| SHA1 | 0e7b399fa831882e03c18a963b5e43267992a370 |
| SHA256 | c880a0a73d1f20819a5ba5614f5a5976c9c5850e7136f45d629ebb6d254705cb |
| SHA512 | 9f26c0dd86bdb9b2086f6452f340e2c06028a4396d8c7e647e8bebd354e4b92b1933b95af55d2c2b34cbd2634db97f8cba970b6c05cbd528f5848348d4baf4f5 |
memory/2276-12-0x0000000000400000-0x000000000042D200-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-31 02:01
Reported
2024-10-31 02:33
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Gh0strat family
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Drivers\beep.sys | C:\Users\Admin\AppData\Local\Temp\811f4d41999f74d8d43ad15bca1ae828_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Drivers\beep.sys | C:\Windows\SysWOW64\svchost.exe | N/A |
Server Software Component: Terminal Services DLL
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibilitysrc.dll" | C:\Users\Admin\AppData\Local\Temp\811f4d41999f74d8d43ad15bca1ae828_JaffaCakes118.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\811f4d41999f74d8d43ad15bca1ae828_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\FastUserSwitchingCompatibilitysrc.dll | C:\Users\Admin\AppData\Local\Temp\811f4d41999f74d8d43ad15bca1ae828_JaffaCakes118.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\811f4d41999f74d8d43ad15bca1ae828_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\811f4d41999f74d8d43ad15bca1ae828_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\811f4d41999f74d8d43ad15bca1ae828_JaffaCakes118.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mobaiwar.3322.org | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mobaiwar.3322.org | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mobaiwar.3322.org | udp |
| US | 8.8.8.8:53 | mobaiwar.3322.org | udp |
| US | 8.8.8.8:53 | mobaiwar.3322.org | udp |
| US | 8.8.8.8:53 | mobaiwar.3322.org | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mobaiwar.3322.org | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mobaiwar.3322.org | udp |
| US | 8.8.8.8:53 | mobaiwar.3322.org | udp |
| US | 8.8.8.8:53 | mobaiwar.3322.org | udp |
| US | 8.8.8.8:53 | 213.143.182.52.in-addr.arpa | udp |
Files
memory/4332-0-0x0000000000400000-0x000000000042D200-memory.dmp
memory/4332-1-0x0000000000500000-0x0000000000501000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\240621953_ex.tmp
| MD5 | c65b9fc9b20c04fef794df9f28e857b1 |
| SHA1 | 24e34980d4e6d997776af4404da2f2c0f45ed2b2 |
| SHA256 | 865aba90524884defc88fe104281c7d63db52a3706dc892ac542233a1b7f795a |
| SHA512 | fb8f4b95ff3b17997dad32f046e9b929d0f8e038ef8d2bca69424ea1406b60bf0b3a42370f0889382fd765d1673d0e1638050ff8c81ec7c5c68c144a5e073ec9 |
\??\c:\windows\SysWOW64\fastuserswitchingcompatibilitysrc.dll
| MD5 | fa331bd116366e9597b98bea8f34f80d |
| SHA1 | 0e7b399fa831882e03c18a963b5e43267992a370 |
| SHA256 | c880a0a73d1f20819a5ba5614f5a5976c9c5850e7136f45d629ebb6d254705cb |
| SHA512 | 9f26c0dd86bdb9b2086f6452f340e2c06028a4396d8c7e647e8bebd354e4b92b1933b95af55d2c2b34cbd2634db97f8cba970b6c05cbd528f5848348d4baf4f5 |
memory/4332-13-0x0000000000400000-0x000000000042D200-memory.dmp