Malware Analysis Report

2024-12-07 13:05

Sample ID 241109-g5pf1szbmm
Target 934234837baca6ce8c4c81bf09ac1a312cb73be285693b8e6bcdc69a57bb0f82
SHA256 934234837baca6ce8c4c81bf09ac1a312cb73be285693b8e6bcdc69a57bb0f82
Tags
gh0strat purplefox discovery persistence rat rootkit trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

934234837baca6ce8c4c81bf09ac1a312cb73be285693b8e6bcdc69a57bb0f82

Threat Level: Known bad

The file 934234837baca6ce8c4c81bf09ac1a312cb73be285693b8e6bcdc69a57bb0f82 was found to be: Known bad.

Malicious Activity Summary

gh0strat purplefox discovery persistence rat rootkit trojan

Gh0strat

Detect PurpleFox Rootkit

Gh0st RAT payload

Gh0strat family

Purplefox family

PurpleFox

Drops file in Drivers directory

Sets service image path in registry

Deletes itself

Loads dropped DLL

Executes dropped EXE

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

Suspicious behavior: LoadsDriver

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 06:23

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 06:23

Reported

2024-11-09 06:26

Platform

win7-20241010-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\934234837baca6ce8c4c81bf09ac1a312cb73be285693b8e6bcdc69a57bb0f82.exe"

Signatures

Detect PurpleFox Rootkit

rootkit
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Gh0strat family

gh0strat

PurpleFox

rootkit trojan purplefox

Purplefox family

purplefox

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\QAssist.sys C:\Program Files (x86)\Google\Skcsk.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" C:\Program Files (x86)\Google\Skcsk.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Google\Skcsk.exe N/A
N/A N/A C:\Program Files (x86)\Google\Skcsk.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Google\Skcsk.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Google\Skcsk.exe C:\Users\Admin\AppData\Local\Temp\934234837baca6ce8c4c81bf09ac1a312cb73be285693b8e6bcdc69a57bb0f82.exe N/A
File opened for modification C:\Program Files (x86)\Google\Skcsk.exe C:\Users\Admin\AppData\Local\Temp\934234837baca6ce8c4c81bf09ac1a312cb73be285693b8e6bcdc69a57bb0f82.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\934234837baca6ce8c4c81bf09ac1a312cb73be285693b8e6bcdc69a57bb0f82.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Google\Skcsk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Google\Skcsk.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Google\Skcsk.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\934234837baca6ce8c4c81bf09ac1a312cb73be285693b8e6bcdc69a57bb0f82.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Program Files (x86)\Google\Skcsk.exe N/A
Token: 33 N/A C:\Program Files (x86)\Google\Skcsk.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\Google\Skcsk.exe N/A
Token: 33 N/A C:\Program Files (x86)\Google\Skcsk.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\Google\Skcsk.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2420 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\934234837baca6ce8c4c81bf09ac1a312cb73be285693b8e6bcdc69a57bb0f82.exe C:\Windows\SysWOW64\cmd.exe
PID 2420 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\934234837baca6ce8c4c81bf09ac1a312cb73be285693b8e6bcdc69a57bb0f82.exe C:\Windows\SysWOW64\cmd.exe
PID 2420 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\934234837baca6ce8c4c81bf09ac1a312cb73be285693b8e6bcdc69a57bb0f82.exe C:\Windows\SysWOW64\cmd.exe
PID 2420 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\934234837baca6ce8c4c81bf09ac1a312cb73be285693b8e6bcdc69a57bb0f82.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 2452 N/A C:\Program Files (x86)\Google\Skcsk.exe C:\Program Files (x86)\Google\Skcsk.exe
PID 2456 wrote to memory of 2452 N/A C:\Program Files (x86)\Google\Skcsk.exe C:\Program Files (x86)\Google\Skcsk.exe
PID 2456 wrote to memory of 2452 N/A C:\Program Files (x86)\Google\Skcsk.exe C:\Program Files (x86)\Google\Skcsk.exe
PID 2456 wrote to memory of 2452 N/A C:\Program Files (x86)\Google\Skcsk.exe C:\Program Files (x86)\Google\Skcsk.exe
PID 1148 wrote to memory of 2756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1148 wrote to memory of 2756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1148 wrote to memory of 2756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1148 wrote to memory of 2756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\934234837baca6ce8c4c81bf09ac1a312cb73be285693b8e6bcdc69a57bb0f82.exe

"C:\Users\Admin\AppData\Local\Temp\934234837baca6ce8c4c81bf09ac1a312cb73be285693b8e6bcdc69a57bb0f82.exe"

C:\Program Files (x86)\Google\Skcsk.exe

"C:\Program Files (x86)\Google\Skcsk.exe" -auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\934234~1.EXE > nul

C:\Program Files (x86)\Google\Skcsk.exe

"C:\Program Files (x86)\Google\Skcsk.exe" -acsi

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

Network

Country  Destination       Domain  Proto
CN       8.141.9.141:7771  -       tcp
CN       8.141.9.141:7771  -       tcp
CN       8.141.9.141:7771  -       tcp
CN       8.141.9.141:7771  -       tcp
CN       8.141.9.141:7771  -       tcp
CN       8.141.9.141:7771  -       tcp
CN       8.141.9.141:7771  -       tcp

Files

memory/2420-0-0x0000000010000000-0x000000001019F000-memory.dmp

C:\Program Files (x86)\Google\Skcsk.exe

MD5 e0c915507befa8295c381d618b0463cf
SHA1 de67e5e8cbf16c0cb2088774fa0cf1d797eaa0e9
SHA256 934234837baca6ce8c4c81bf09ac1a312cb73be285693b8e6bcdc69a57bb0f82
SHA512 799081469c2c50574408065828183d27ea7081298c490bf5246314f8924dac7487b84396ce1113e4df64a04346650cc76ffa6a14ae3483f30dca98daab2a969a

memory/2452-19-0x0000000010000000-0x000000001019F000-memory.dmp
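The two behavioral runs above show the same chain: the sample copies itself to C:\Program Files (x86)\Google\Skcsk.exe, spawns cmd.exe with a loopback ping-then-del one-liner to remove the original dropper, and the copy writes QAssist.sys into the drivers directory, registers it as a service ImagePath, and beacons to 8.141.9.141:7771. The following detection logic is an added example written for this page, not sandbox code or part of the report: it replays constructed process, file, registry and network events (values taken from the signatures and process listings above, plus two benign decoys) through rules that correspond to those signatures. The Event record layout, rule names, and the 8.3 short-name matching used to tie "934234~1.EXE" back to the long dropper path are assumptions of the example.

```python
"""Rule-based detection for the PurpleFox / Gh0st RAT behaviour chain seen in
this report, run over constructed host-telemetry events (example code, not
sandbox output)."""
import re
from dataclasses import dataclass, field

# Only C2 endpoint observed in the report's Network sections.
C2_ENDPOINTS = {("8.141.9.141", 7771)}

# cmd.exe /c ping -n N 127.0.0.1 > nul && del <file>: loopback ping used as a
# sleep, then the dropper is deleted after it has exited. Quoted paths are
# accepted; an unquoted path containing spaces would be truncated.
SELF_DELETE_RE = re.compile(
    r'ping\s+-n\s+\d+\s+127\.0\.0\.1.*?&&\s*del\s+"?(?P<target>[^"&>]+?)"?\s*(?:>|&&|$)',
    re.IGNORECASE,
)
DRIVER_FILE_RE = re.compile(r"^[a-z]:\\windows\\system32\\drivers\\[^\\]+\.sys$", re.IGNORECASE)
IMAGEPATH_KEY_RE = re.compile(
    r"^\\registry\\machine\\system\\controlset\d+\\services\\(?P<svc>[^\\]+)\\imagepath$",
    re.IGNORECASE,
)


@dataclass
class Event:
    kind: str                # "process" | "file" | "registry" | "network" (assumed schema)
    pid: int
    image: str               # full path of the acting process
    data: dict = field(default_factory=dict)


def is_windows_binary(image: str) -> bool:
    """Crude allow-list: images under \\Windows\\ are treated as OS binaries."""
    return "\\windows\\" in image.lower()


def same_file(short_or_long: str, long_path: str) -> bool:
    """True if both names refer to the same file, accepting an 8.3 short name
    ('934234~1.EXE') for the long name: same directory and the part before '~'
    must be a prefix of the long file name (assumption about 8.3 generation)."""
    a_dir, _, a_base = short_or_long.rpartition("\\")
    b_dir, _, b_base = long_path.rpartition("\\")
    if a_dir.lower() != b_dir.lower():
        return False
    if a_base.lower() == b_base.lower():
        return True
    stem = a_base.split("~", 1)[0]
    return "~" in a_base and b_base.upper().startswith(stem.upper())


def detect(events):
    """Return (rule, pid, detail) tuples, one per event that matches a rule."""
    hits = []
    for e in events:
        img = e.image.lower()
        if e.kind == "file":
            path = e.data.get("path", "")
            if DRIVER_FILE_RE.match(path) and not is_windows_binary(e.image):
                hits.append(("driver_drop", e.pid, path))
            elif (path.lower().startswith("c:\\program files") and path.lower().endswith(".exe")
                  and "\\appdata\\local\\temp\\" in img):
                hits.append(("temp_drop_to_program_files", e.pid, path))
        elif e.kind == "registry":
            m = IMAGEPATH_KEY_RE.match(e.data.get("key", ""))
            if m and e.data.get("value", "").lower().endswith(".sys") and not is_windows_binary(e.image):
                hits.append(("service_driver_persistence", e.pid, m.group("svc")))
        elif e.kind == "process" and img.endswith("\\cmd.exe"):
            m = SELF_DELETE_RE.search(e.data.get("cmdline", ""))
            parent = e.data.get("parent_image", "")
            # Only a hit when the file being deleted is the process that spawned cmd.exe.
            if m and parent and same_file(m.group("target"), parent):
                hits.append(("self_delete", e.data.get("parent_pid"), parent))
        elif e.kind == "network":
            key = (e.data.get("dst_ip"), e.data.get("dst_port"))
            if key in C2_ENDPOINTS:
                hits.append(("c2_beacon", e.pid, "%s:%d" % key))
    return hits


# Constructed events modelled on behavioral1 (PIDs 2420, 1148, 2456, 2452 from the report).
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\934234837baca6ce8c4c81bf09ac1a312cb73be285693b8e6bcdc69a57bb0f82.exe"
SKCSK_EXE = r"C:\Program Files (x86)\Google\Skcsk.exe"
SAMPLE_EVENTS = [
    Event("file", 2420, SAMPLE_EXE, {"path": SKCSK_EXE}),
    Event("process", 1148, r"C:\Windows\SysWOW64\cmd.exe", {
        "cmdline": r"C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\934234~1.EXE > nul",
        "parent_pid": 2420, "parent_image": SAMPLE_EXE}),
    Event("process", 2456, SKCSK_EXE, {"cmdline": '"%s" -auto' % SKCSK_EXE,
                                      "parent_pid": 2420, "parent_image": SAMPLE_EXE}),
    Event("file", 2456, SKCSK_EXE, {"path": r"C:\Windows\system32\drivers\QAssist.sys"}),
    Event("registry", 2456, SKCSK_EXE, {
        "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath",
        "value": r"system32\DRIVERS\QAssist.sys"}),
    Event("network", 2452, SKCSK_EXE, {"dst_ip": "8.141.9.141", "dst_port": 7771, "proto": "tcp"}),
    # Benign decoys (constructed): a build script deleting its own log, and a DNS query.
    Event("process", 3000, r"C:\Windows\SysWOW64\cmd.exe", {
        "cmdline": r"cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Temp\build.log",
        "parent_pid": 2999, "parent_image": r"C:\Tools\build.exe"}),
    Event("network", 4000, r"C:\Windows\System32\svchost.exe", {"dst_ip": "8.8.8.8", "dst_port": 53, "proto": "udp"}),
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:28} pid={pid} {detail}")
```

The self-delete rule deliberately requires the del target to resolve to the parent image; a plain "ping 127.0.0.1 && del" match on its own fires on ordinary batch scripts, as the decoy shows. The driver and ImagePath rules use a Windows-directory allow-list only as a starting point; in production they should be fed from a signed-installer allow-list instead.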

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 06:23

Reported

2024-11-09 06:26

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\934234837baca6ce8c4c81bf09ac1a312cb73be285693b8e6bcdc69a57bb0f82.exe"

Signatures

Detect PurpleFox Rootkit

rootkit
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Gh0strat family

gh0strat

PurpleFox

rootkit trojan purplefox

Purplefox family

purplefox

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\QAssist.sys C:\Program Files (x86)\Google\Skcsk.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" C:\Program Files (x86)\Google\Skcsk.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Google\Skcsk.exe N/A
N/A N/A C:\Program Files (x86)\Google\Skcsk.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Google\Skcsk.exe C:\Users\Admin\AppData\Local\Temp\934234837baca6ce8c4c81bf09ac1a312cb73be285693b8e6bcdc69a57bb0f82.exe N/A
File opened for modification C:\Program Files (x86)\Google\Skcsk.exe C:\Users\Admin\AppData\Local\Temp\934234837baca6ce8c4c81bf09ac1a312cb73be285693b8e6bcdc69a57bb0f82.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Google\Skcsk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\934234837baca6ce8c4c81bf09ac1a312cb73be285693b8e6bcdc69a57bb0f82.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Google\Skcsk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Google\Skcsk.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\934234837baca6ce8c4c81bf09ac1a312cb73be285693b8e6bcdc69a57bb0f82.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Program Files (x86)\Google\Skcsk.exe N/A
Token: 33 N/A C:\Program Files (x86)\Google\Skcsk.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\Google\Skcsk.exe N/A
Token: 33 N/A C:\Program Files (x86)\Google\Skcsk.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\Google\Skcsk.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\934234837baca6ce8c4c81bf09ac1a312cb73be285693b8e6bcdc69a57bb0f82.exe

"C:\Users\Admin\AppData\Local\Temp\934234837baca6ce8c4c81bf09ac1a312cb73be285693b8e6bcdc69a57bb0f82.exe"

C:\Program Files (x86)\Google\Skcsk.exe

"C:\Program Files (x86)\Google\Skcsk.exe" -auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\934234~1.EXE > nul

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

C:\Program Files (x86)\Google\Skcsk.exe

"C:\Program Files (x86)\Google\Skcsk.exe" -acsi

Network

Country  Destination       Domain                          Proto
US       8.8.8.8:53        8.8.8.8.in-addr.arpa            udp
CN       8.141.9.141:7771  -                               tcp
US       8.8.8.8:53        209.205.72.20.in-addr.arpa      udp
US       8.8.8.8:53        77.190.18.2.in-addr.arpa        udp
US       8.8.8.8:53        95.221.229.192.in-addr.arpa     udp
US       8.8.8.8:53        22.160.190.20.in-addr.arpa      udp
US       8.8.8.8:53        228.249.119.40.in-addr.arpa     udp
US       8.8.8.8:53        97.17.167.52.in-addr.arpa       udp
CN       8.141.9.141:7771  -                               tcp
US       8.8.8.8:53        200.163.202.172.in-addr.arpa    udp
US       8.8.8.8:53        206.23.85.13.in-addr.arpa       udp
US       8.8.8.8:53        71.190.18.2.in-addr.arpa        udp
CN       8.141.9.141:7771  -                               tcp
US       8.8.8.8:53        172.214.232.199.in-addr.arpa    udp
CN       8.141.9.141:7771  -                               tcp
US       8.8.8.8:53        13.227.111.52.in-addr.arpa      udp
CN       8.141.9.141:7771  -                               tcp
CN       8.141.9.141:7771  -                               tcp
CN       8.141.9.141:7771  -                               tcp

Files

memory/1540-0-0x0000000010000000-0x000000001019F000-memory.dmp

C:\Program Files (x86)\Google\Skcsk.exe

MD5 e0c915507befa8295c381d618b0463cf
SHA1 de67e5e8cbf16c0cb2088774fa0cf1d797eaa0e9
SHA256 934234837baca6ce8c4c81bf09ac1a312cb73be285693b8e6bcdc69a57bb0f82
SHA512 799081469c2c50574408065828183d27ea7081298c490bf5246314f8924dac7487b84396ce1113e4df64a04346650cc76ffa6a14ae3483f30dca98daab2a969a

memory/68-10-0x0000000010000000-0x000000001019F000-memory.dmp

memory/4208-17-0x0000000010000000-0x000000001019F000-memory.dmp