gh0strat | 244a9c5318e98599c60f3dacbff48f4f0a898ccda29ad8a6a8625e3cfe0dbc22 | Triage

Analysis

max time kernel
44s
max time network
141s
platform
windows7_x64
resource
win7-20220414-en
submitted
27/04/2022, 01:17 UTC

Sharing

Report Analysis Logs

General

Target

244A9C5318E98599C60F3DACBFF48F4F0A898CCDA29AD.exe
Size

184KB
MD5

0a56a968a7f1c3d265acf38740a93d38
SHA1

bf17dcba21603a6681f0f9bbec81d356e33d9029
SHA256

244a9c5318e98599c60f3dacbff48f4f0a898ccda29ad8a6a8625e3cfe0dbc22
SHA512

81d90036885ec7389f146bef660a8553a76179972ddffa5e001f74104165166cf0aad2355db6c80575b26c7b5012aea973470f02913ba128c28e71449f03919f

Score

10^/10

gh0strat bootkit persistence rat suricata

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000008527-55.dat	family_gh0strat
behavioral1/files/0x0009000000008527-56.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
suricata: ET MALWARE Backdoor family PCRat/Gh0st CnC traffic
suricata: ET MALWARE Backdoor family PCRat/Gh0st CnC traffic
suricata
suricata: ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102
suricata: ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102
suricata
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Deletes itself 1 IoCs

pid	Process
1724	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
1724	svchost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ntfastuserswitchingcompatibility.dll	244A9C5318E98599C60F3DACBFF48F4F0A898CCDA29AD.exe
File opened for modification	C:\Windows\SysWOW64\d2f5ca0e.del	244A9C5318E98599C60F3DACBFF48F4F0A898CCDA29AD.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7"	svchost.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1680	244A9C5318E98599C60F3DACBFF48F4F0A898CCDA29AD.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeBackupPrivilege	1724	svchost.exe
Token: SeSecurityPrivilege	1724	svchost.exe
Token: SeSecurityPrivilege	1724	svchost.exe
Token: SeBackupPrivilege	1724	svchost.exe
Token: SeSecurityPrivilege	1724	svchost.exe
Token: SeBackupPrivilege	1724	svchost.exe
Token: SeSecurityPrivilege	1724	svchost.exe

C:\Users\Admin\AppData\Local\Temp\244A9C5318E98599C60F3DACBFF48F4F0A898CCDA29AD.exe
"C:\Users\Admin\AppData\Local\Temp\244A9C5318E98599C60F3DACBFF48F4F0A898CCDA29AD.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1680

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Deletes itself
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1724

Network

DNS

chaofeng1.f3322.org

netsvcs

Remote address:

8.8.8.8:53

Request

chaofeng1.f3322.org

IN A

Response

chaofeng1.f3322.org

IN A

171.38.77.97

171.38.77.97:42419

chaofeng1.f3322.org

netsvcs

152 B
120 B
3
3
171.38.77.97:42420

chaofeng1.f3322.org

netsvcs

152 B
120 B
3
3
171.38.77.97:42421

chaofeng1.f3322.org

netsvcs

1.1kB
458 B
11
9

8.8.8.8:53

chaofeng1.f3322.org

dns

netsvcs

65 B
81 B
1
1

DNS Request

chaofeng1.f3322.org

DNS Response

171.38.77.97

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\ntfastuserswitchingcompatibility.dll

Filesize
148KB

MD5
e46805ba07872d3ce3153e942e625865

SHA1
00fa01edafea33663aea78dec6e87570222d56a2

SHA256
fcfb65748ba59e37e962618a484087b43da6be9d787f9d73b156d5f14ffedbd3

SHA512
44b0eee1c7818cf02ef4da94ea612981ab97a31e3575971bd543b6a61deece62a428eca33e554e311ff599d596117847a422753e3a393c1ae68ddad5850131cf

Download Submit
\Windows\SysWOW64\ntfastuserswitchingcompatibility.dll

Filesize
148KB

MD5
e46805ba07872d3ce3153e942e625865

SHA1
00fa01edafea33663aea78dec6e87570222d56a2

SHA256
fcfb65748ba59e37e962618a484087b43da6be9d787f9d73b156d5f14ffedbd3

SHA512
44b0eee1c7818cf02ef4da94ea612981ab97a31e3575971bd543b6a61deece62a428eca33e554e311ff599d596117847a422753e3a393c1ae68ddad5850131cf

Download Submit
memory/1680-54-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download