Malware Analysis Report

2025-06-15 23:35

Sample ID 241031-r3gcqszflf
Target 8350a889a8d1c4cae4fe512d2c17b082_JaffaCakes118
SHA256 6796c3d66bdf05fc451590201e40f1c066086055ef177eb0877316a70a9d5067
Tags gh0strat bootkit discovery persistence rat
Score 10/10


Analysis Overview

Score 10/10

SHA256 6796c3d66bdf05fc451590201e40f1c066086055ef177eb0877316a70a9d5067

Threat Level: Known bad

The file 8350a889a8d1c4cae4fe512d2c17b082_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

gh0strat bootkit discovery persistence rat

Gh0st RAT payload

Gh0strat family

Gh0strat

Executes dropped EXE

Loads dropped DLL

Deletes itself

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-31 14:42

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-31 14:42

Reported

2024-10-31 14:50

Platform

win7-20240903-en

Max time kernel

133s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8350a889a8d1c4cae4fe512d2c17b082_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Gh0strat

rat gh0strat

Gh0strat family

gh0strat

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | \??\c:\users\admin\appdata\local\ghttdjkwpr | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\users\admin\appdata\local\ghttdjkwpr | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\svchost.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\bgtghixaau | C:\Windows\SysWOW64\svchost.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\users\admin\appdata\local\ghttdjkwpr | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8350a889a8d1c4cae4fe512d2c17b082_JaffaCakes118.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\svchost.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7" | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie | C:\Windows\SysWOW64\svchost.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | \??\c:\users\admin\appdata\local\ghttdjkwpr | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | \??\c:\users\admin\appdata\local\ghttdjkwpr | N/A
Token: SeBackupPrivilege | N/A | \??\c:\users\admin\appdata\local\ghttdjkwpr | N/A
Token: SeBackupPrivilege | N/A | \??\c:\users\admin\appdata\local\ghttdjkwpr | N/A
Token: SeRestorePrivilege | N/A | \??\c:\users\admin\appdata\local\ghttdjkwpr | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8350a889a8d1c4cae4fe512d2c17b082_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8350a889a8d1c4cae4fe512d2c17b082_JaffaCakes118.exe"

\??\c:\users\admin\appdata\local\ghttdjkwpr

"C:\Users\Admin\AppData\Local\Temp\8350a889a8d1c4cae4fe512d2c17b082_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\8350a889a8d1c4cae4fe512d2c17b082_jaffacakes118.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs

Network

Country Destination Domain Proto
US 8.8.8.8:53 bibo9.8800.org udp
US 8.8.8.8:53 conf.f.360.cn udp
US 8.8.8.8:53 www.baidu.com udp
US 8.8.8.8:53 www.baidu.com udp

Files

memory/2572-1-0x0000000000400000-0x000000000044E4A4-memory.dmp

memory/2572-2-0x0000000000030000-0x0000000000031000-memory.dmp

\Users\Admin\AppData\Local\ghttdjkwpr

MD5 46a15db6efdfc526330e1d6a7a59e6e4
SHA1 4f3410aedd656aeaff2070131bc2114739030321
SHA256 0b30f1d2173aea0ac47ca3d14fdca3ddb7a6483fb9cadde5ba3738a2e78e68c5
SHA512 bd9160e717513225784e31b74e98bd9add1fea5d549cb979e2c25395ea7cecff893637af450c5409e3b16f13553c58d95e705a0aee7c21f96b936190a40905fb

memory/2572-7-0x00000000002C0000-0x000000000030F000-memory.dmp

memory/2248-15-0x0000000000400000-0x000000000044E4A4-memory.dmp

memory/2572-13-0x0000000000400000-0x000000000044E4A4-memory.dmp

\??\c:\programdata\application data\storm\update\%sessionname%\bwpbd.cc3

MD5 14bf8ce06fefdd69f2124332bc3e2ec0
SHA1 d848fd0b291221272eac8202f03fb113fc4577e5
SHA256 ca01db264be789c6b60e5b7059a0ee724f62b06ff92be8e58e7049a868701f91
SHA512 8d648a9d10aed28799fe1a57679d62c92a268994965ee193d1e865ed4b7849da0b1815bdda8737cb0f3cae98ae9e0e554b7ea43d42abc0c43ba1c179d02c023f

memory/2248-22-0x0000000000400000-0x000000000044E4A4-memory.dmp

memory/2956-23-0x0000000000150000-0x0000000000151000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-31 14:42

Reported

2024-10-31 14:49

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8350a889a8d1c4cae4fe512d2c17b082_JaffaCakes118.exe"

Signatures

Gh0st RAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Gh0strat

rat gh0strat

Gh0strat family

gh0strat

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | \??\c:\users\admin\appdata\local\jhsiytrixg | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\users\admin\appdata\local\jhsiytrixg | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\boxfouhqac | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | C:\Windows\SysWOW64\svchost.exe | N/A
File created | C:\Windows\SysWOW64\bxvsxocual | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | C:\Windows\SysWOW64\svchost.exe | N/A
File created | C:\Windows\SysWOW64\bgklgrfsng | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | C:\Windows\SysWOW64\svchost.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8350a889a8d1c4cae4fe512d2c17b082_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\users\admin\appdata\local\jhsiytrixg | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | \??\c:\users\admin\appdata\local\jhsiytrixg | N/A
N/A | N/A | \??\c:\users\admin\appdata\local\jhsiytrixg | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | \??\c:\users\admin\appdata\local\jhsiytrixg | N/A
Token: SeBackupPrivilege | N/A | \??\c:\users\admin\appdata\local\jhsiytrixg | N/A
Token: SeBackupPrivilege | N/A | \??\c:\users\admin\appdata\local\jhsiytrixg | N/A
Token: SeRestorePrivilege | N/A | \??\c:\users\admin\appdata\local\jhsiytrixg | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8350a889a8d1c4cae4fe512d2c17b082_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8350a889a8d1c4cae4fe512d2c17b082_JaffaCakes118.exe"

\??\c:\users\admin\appdata\local\jhsiytrixg

"C:\Users\Admin\AppData\Local\Temp\8350a889a8d1c4cae4fe512d2c17b082_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\8350a889a8d1c4cae4fe512d2c17b082_jaffacakes118.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 736 -ip 736

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 804

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 624 -ip 624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 940

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4980 -ip 4980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 880

Network

Country Destination Domain Proto
US 8.8.8.8:53 70.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 conf.f.360.cn udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 104.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/2640-0-0x0000000000400000-0x000000000044E4A4-memory.dmp

memory/2640-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

C:\Users\Admin\AppData\Local\jhsiytrixg

MD5 9a20dfa4e653c64a86d95d0486295d83
SHA1 0393cfe9709c363df1c49af5fb2e7930524de983
SHA256 c45540d46a8c39df6c01539db0d149f84e6948caabe39c49c99fccc5d8ddea2c
SHA512 b547b96a6600808a5bcdd6d66f3c955ca7a4b801210c356fc2ff7a70391d7f82463d1e34ec2128ba9068eb113f3aef77e8200291898aceafdb90e55d51215d62

memory/2640-12-0x0000000000400000-0x000000000044E4A4-memory.dmp

memory/3924-10-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/3924-9-0x0000000000400000-0x000000000044E4A4-memory.dmp

\??\c:\programdata\application data\storm\update\%sessionname%\qomeo.cc3

MD5 77f6e190203fd5307d8ff0427b39b496
SHA1 9afee72488de4ab9d9d95124d5b49123d98471df
SHA256 1471faabedaefe44bcf41f64bd55f0e27a849c4982548a6e242e63b9ee68b780
SHA512 2d9b073cd8f3eb16e8e6d42fb2374211a1108329ae4fd526815d14fbd47d7f5cd048dab20b32cd7edf00276e3880397016b6a65b826fd3f94764c814d62a09ac

memory/3924-18-0x0000000000400000-0x000000000044E4A4-memory.dmp

memory/736-19-0x0000000001B00000-0x0000000001B01000-memory.dmp

memory/736-21-0x0000000020000000-0x0000000020027000-memory.dmp

memory/624-23-0x0000000002080000-0x0000000002081000-memory.dmp

C:\Windows\SysWOW64\svchost.exe.txt

MD5 715b8d3e99de00dfde0320125c2814d0
SHA1 8da37a61b259891122c5a51e0f145207163de3a7
SHA256 13487c6d6479b21de9e3e1daa51761ba995384fe58293b2af69283c124978a4f
SHA512 3d7aeb5f725c8de8b2a1e0a810c7a7279823c84166048cff6ae4cf056d432aebae0e648a2f162c53deb48211c06ce377737bfd192cb4b7c5213c9c4682e097aa

memory/624-26-0x0000000020000000-0x0000000020027000-memory.dmp

memory/4980-28-0x00000000015E0000-0x00000000015E1000-memory.dmp

C:\Windows\SysWOW64\svchost.exe.txt

MD5 a1b3d9a52c90bdd750bbe642cce77008
SHA1 cbff5b4a9b29a2a02cd430d4596cf925fee19676
SHA256 8d19f38c78cc51e47c4af34e130e78d2bf7000a9219b3541092ac9291e38abfc
SHA512 f134ff3512a8743684de780d47b4f24f3a42d0a20328bf93a242c8d84c0739b72cc952f4137675ddd30f1f732adf7866ce9863768b72a3c9233046e5d40f519a

memory/4980-31-0x0000000020000000-0x0000000020027000-memory.dmp