gh0strat

Sharing

Copy URL

Twitter E-mail

General

Target

malz5.zip
Size

12.1MB
Sample

230327-lpmppscg42
MD5

1468c1908845ef238f7f196809946288
SHA1

62f0bd56b0e1235b99940b34916c19ecfac8e80c
SHA256

438e44aae94e8376d2e36e23212920e936b7517bca24eaf66e9d7d014e21552c
SHA512

83d65df17c88a4cbc64c6fe4d5e064850aeb3cccba2eb5097d3385f4195e1b94a374528e0a6b92f7ad1db2c78bb7fae3c0e563a2a828f5f8ce0459eccd72b496
SSDEEP

196608:NllU8B3ffcP4fQ74RGBP91vnbcMlB4mVgGj/oRPA4CbyrE2C2+QQnr1Gh922bkHy:TtB3HcPEwpBPTvbtVfcq/yzR8Bt2aT8V

Score

10^/10

Malware Config

Targets

- Target
  
  123.exe
- Size
  
  60KB
- MD5
  
  07b3c7c475a0204f34408d806a4d0883
- SHA1
  
  72da95ef18d46b5ff6f75c90da29d294e8e755cf
- SHA256
  
  457bf2d5752e50d343a655993e9f308a616f4123c5fbebbc369f12c49bd502b6
- SHA512
  
  4c57ce6ee744227219cdfdea5e67efe605c62d7ae99233a9b886bdf0144c70f0317be3ba5dd01c097284c3c86e7005165b9d74ef43fcf28d8d5fd34717c0f1c2
- SSDEEP
  
  768:5blRLS2f/IbhNGgkqUpbj3Pl4SSbUtkokv9N:bBSI/UGg6P326tkokf
Score

1^/10
behavioral1 behavioral2
- Target
  
  360sb.exe
- Size
  
  74KB
- MD5
  
  ff3638137bdb13438ae78bdb295fb74d
- SHA1
  
  d1ff58701713d307430fd061592ecea3c1cf4e6b
- SHA256
  
  61e5303a9e3c3f0b5c70749c4ea2d619f3b5bae341189eaff28393f337113fca
- SHA512
  
  dc87de3bb1689bea6409c33b2af420f8274d4c36862dfe79b98b2195c72057e76a0222aa3c61a144e6927a0bbe5a3a95afe4df430a342f35ba1c7d5c6fda339f
- SSDEEP
  
  1536:aunpULRX92uqnsRDwdQW3YBlCOCbZawM:aunyLR0z3QOal/CbowM
Score

10^/10

gh0strat rat upx
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Drops file in System32 directory
behavioral3 behavioral4
- Target
  
  7000.32
- Size
  
  272KB
- MD5
  
  1a2ca76f4c05df6ff90be02108f36759
- SHA1
  
  518ceab47c71ea46625e64d1e342476dfee85985
- SHA256
  
  5647a07dde1da4334e6a311519ee08ea1ac2fb6ff0841e81a2bd6053b6b59062
- SHA512
  
  6340ca6862b4e22660748110da46227be889d7718242dcf0f9df9ecdce9bef5b9ff66b5bef0437813a73355ca1344408dd92c703ace821036578921f1c06c2e8
- SSDEEP
  
  6144:+1FJI4kHXz3ghDymssoxTAbDcG3kj9M5apyFMMX:+1/0Gu7saocG0j9M5kMX
Score

1^/10
behavioral5
- Target
  
  7000.64
- Size
  
  710KB
- MD5
  
  d80e1546a194e42f049b1a15287aa4d6
- SHA1
  
  980f2d902a250cd3298e2acf45bfbc31044cd8f5
- SHA256
  
  7bce4673ac5b7db9bd5d27076c770925c181745b784f806024413a3b5552eebf
- SHA512
  
  24501f6bb75078ebdb51999ed32ec1cea6ad57fe27dd48e12066de65dacf8570d0f875c79b9734f844f60042ad8c806d8293f9a92ee15d59fd9b68a50eec8a49
- SSDEEP
  
  12288:ZIlddxPHCo90S9LTXIXs5im4MkQbSJDTdx4Is//O1ScnBM:ZI/dLTXIXw4jQb+Tffs//gScS
Score

7^/10

persistence
- Modifies init.d
  Adds/modifies system service, likely for persistence.
  persistence
- Write file to user bin folder
- Reads CPU attributes
- Reads system network configuration
  Uses contents of /proc filesystem to enumerate network settings.
- Enumerates kernel/hardware configuration
  Reads contents of /sys virtual filesystem to enumerate system information.
- Reads runtime system information
  Reads data from /proc virtual filesystem.
- Writes file to tmp directory
  Malware often drops required files in the /tmp directory.
behavioral6
- Target
  
  Linux577
- Size
  
  474KB
- MD5
  
  9e96170c07c1566ac0d9d7b93e7928d1
- SHA1
  
  f762afafa8bf6b694bdc0bf00d8b4caa38d96ddc
- SHA256
  
  825cbeae503c8d9f4ff8a55d14042e83db220f4ed428e57b57fc48335d09f359
- SHA512
  
  e042b528351ad9f32fe37d60bc2b45bb7b7b2cc60c59a10e8eee00a4417c53afa55803f0e9e1196aad912f0b881cfe627dad38802181a0d447b80985344cbd55
- SSDEEP
  
  12288:Cd3IH4kbsBnbOXzFOS4NhgvMfA5z5m9NO554UA+:Cd4H4/OCI16O55h
Score

8^/10

persistence
- Writes DNS configuration
  Writes data to DNS resolver config file.
- Creates/modifies Cron job
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  persistence
- Modifies init.d
  Adds/modifies system service, likely for persistence.
  persistence
- Modifies rc script
  Adding/modifying system rc scripts is a common persistence mechanism.
  persistence
- Write file to user bin folder
- Reads runtime system information
  Reads data from /proc virtual filesystem.
- Writes file to tmp directory
  Malware often drops required files in the /tmp directory.
behavioral7
- Target
  
  Mh.exe
- Size
  
  410KB
- MD5
  
  6b6fa473cd53b3b1d20fb7d0d7d94dd2
- SHA1
  
  ac8682258ec2a9556c5b06dac4b70aa7f408146b
- SHA256
  
  e4a5f740683ce26d8312c336e1a2d50aa5b56efe61fc793ff3f9dc08af2da30d
- SHA512
  
  59a132a04c621aad34c2130895e1c33f8a988a1d400b91ab712c4058ab6fefda698d01f395dd88f15cc8382f6826eee6550296b00981581a5b8abb10682fe9b0
- SSDEEP
  
  6144:66a0cy+o0eBYJw2acFyuItrcF7Faf3DROwunbNvTr:7XP0pJvacFyuItgZiTROwuxvTr
Score

10^/10

evasion
- Modifies firewall policy service
  evasion
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral8 behavioral9
- Target
  
  Mh1.exe
- Size
  
  410KB
- MD5
  
  0c80a0ef434aaecd6b1c888567935b97
- SHA1
  
  ad6730df896f7bb0e4379b8ac543c704f70f8292
- SHA256
  
  bb7850028720aace62daf55e8ba0bcf0b1040ebe20f3035873e9fd7130ced767
- SHA512
  
  7a8b601b6d027c0f017a620aa117c7183c05170aa6f90c4a2a177ad82b938f00b181007d69eea128b4ee738b2397a2448e2a33801daa102bfdf2b39f1917e6de
- SSDEEP
  
  6144:4ta0cy+o0ecIJw2qDukfgpFyuItrcF7Faf3DROwunbNvTr:eXP0yJvqDlQFyuItgZiTROwuxvTr
Score

10^/10

evasion
- Modifies firewall policy service
  evasion
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral10 behavioral11
- Target
  
  Mh2.exe
- Size
  
  410KB
- MD5
  
  c4fdfaf0caa9f98856f2135407025b7a
- SHA1
  
  0614d4a3db2045374c8308b84ad6864dd6db5869
- SHA256
  
  c08823a1d6ddb98b4ffd6488e8fb282c371ba4c30336770ddea7be50a33d4229
- SHA512
  
  903221846dc5498649af5a167ad1477d93007ce344c7de2399c3dd2489def93348637e08f6e03398e7f247b249b04e705b45f7123573fbf00f4b062b6899294a
- SSDEEP
  
  6144:SKa0cy+o0e3IJw2KpiBo+R9/21TkeVQVqOAh2/qIqUk3oGvNo:zXP0/JvKp+hN1bVqFh2rJYo
Score

10^/10

evasion
- Modifies firewall policy service
  evasion
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral12 behavioral13
- Target
  
  SETUP.exe
- Size
  
  193KB
- MD5
  
  920a14447a82c7b020501af6fe8c88d3
- SHA1
  
  bf3201d891dd6afc2a787dae1eae6e396af72c33
- SHA256
  
  0c273dfdf2af911e189997b04a9b76c48fcfe14fc07ae0fbf639618d2887cf7d
- SHA512
  
  bc365b6d5e961a06167e325a1193aea0239f56791dedbd13fb6d8c4d18736c5912eaf84683c5750f736017a95b09de2082a74f813a8a045f1d13eab546f0327a
- SSDEEP
  
  6144:mN2g1pIizw29kUhIOkk/DkzgsuIPDkzuJLie:mA+pL80/ozhvvie
Score

1^/10
behavioral14 behavioral15
- Target
  
  TX98
- Size
  
  83KB
- MD5
  
  5ba66307564858dfaaf671c78e11f37d
- SHA1
  
  45fb2fbd1eb2d53a0c71c2d5fb0397711df99e54
- SHA256
  
  0468b78c9eef6bde2367717d38347af54fce3df871382789cfb3780fc2731543
- SHA512
  
  e7edabc9060768d875f7dcc98fdb4552a8311d0c1ad408a70e7f67c7c6b0d15a1ea4e002fe92dc52f0379417f941169683e3922b788783769eef0b8310bf4051
- SSDEEP
  
  1536:lCudpNeZUCBis65ifKnVsrTvC/LMpDLul4b2bQHb3S+aHAdnwU:oyIUAi/5/yCTkDNqE7i+qAB1
Score

1^/10
behavioral16
- Target
  
  TX981
- Size
  
  4.9MB
- MD5
  
  0874f1d99a37f34bb154013bc827bc3f
- SHA1
  
  ebb072a3c4ed3722f4649d490593d3c1e7dacd88
- SHA256
  
  da1dc452102758781c6a5a9f48c650e8efa745cbaab050f30c14e7b558946efd
- SHA512
  
  9552292a2d588969fd9a035a1946ccbb0f4c4ae806ed8faacb98f52e2f9f1395e9c65f2976751f393a46fbee5184316b072bae3517d915fa0bf5fea72b12a722
- SSDEEP
  
  24576:OjTY+ufmnFLLk53fRlLpipTBwLPwlrc4v6nka:OjTY+ukvkZfRlLgpTBwLPwljCn/
Score

1^/10
behavioral17
- Target
  
  TX982
- Size
  
  1.8MB
- MD5
  
  bba8b35378fe7872ab2b5026f12b5e72
- SHA1
  
  17d52f40b6cd116e81685beb91bd0b14dd9114f2
- SHA256
  
  97192a841a178aed607674f7bf457cf53ce025571fd47da842d3ffd0ecf4d4f5
- SHA512
  
  d97a98093e55de5c3eca87a8e17fa8d13e1240aae3ef4634674e5f66a4f5eee91a27d2f6491e45e474f75a1e9740c31ecf94cfef3de5095fee418e37e15431ee
- SSDEEP
  
  49152:bNihhOhBNhKhyu7cYx9z2rAnKsfROaFyZB5Ss5+Nu:5ihhOhBNhKhRwwJ2roMaFyZB5Ss5+Nu
Score

7^/10

persistence
- Modifies init.d
  Adds/modifies system service, likely for persistence.
  persistence
- Modifies rc script
  Adding/modifying system rc scripts is a common persistence mechanism.
  persistence
- Reads runtime system information
  Reads data from /proc virtual filesystem.
behavioral18
- Target
  
  TX984
- Size
  
  977KB
- MD5
  
  fdd1c9ad7f04868d4bed04f8708bec5d
- SHA1
  
  bc49a05e5a38ca2a9b0e0ef99819a8ff833b378f
- SHA256
  
  8b5355748604150f8ce643305878c0d35e33a59bdcd25de9861497557b972359
- SHA512
  
  3436b51881e997d38c271224f868aad2b5d11fa262c986c12ec75c70f3667742673f99386f7052df2d036ce2dc5efbd0fd5d51049dcb0589a7f13fadff81c205
- SSDEEP
  
  12288:erXiRPpwBSHJB2A6f13P5D79dmuxlNzJs4dm3yxiD1WjfGAIFDFvyq766Pd4YTQ0:jvwlP5DJdrRJsskWU5RPd82ByWwK3R
Score

7^/10

persistence
- Modifies init.d
  Adds/modifies system service, likely for persistence.
  persistence
- Modifies rc script
  Adding/modifying system rc scripts is a common persistence mechanism.
  persistence
- Reads CPU attributes
- Reads system network configuration
  Uses contents of /proc filesystem to enumerate network settings.
- Reads runtime system information
  Reads data from /proc virtual filesystem.
behavioral19
- Target
  
  TX985
- Size
  
  1.1MB
- MD5
  
  5ab68ecc6f6262c76fc1875972a508dd
- SHA1
  
  dac088cc4ef5377efcf81a325c8516e71a792672
- SHA256
  
  aff22363942228229a1b40a4581f5e0593714d553ed5f2ea7aae15612b28142f
- SHA512
  
  e0837b8ec1632bc3493d79236dba2bca402f1d77e5ad9814c5df6f8b59115f69b71189a8d345df0ad32ed01e78ac3d151741643669ddc23595d9f74b7b7731d3
- SSDEEP
  
  12288:v0gZjw/mGyri7g8Nyllxm+KYCy1aPrfWf47b/d+qdeaQklaHhmM7tL+GSPlXJZru:VETLPAFHcMJ6l5ZZVt6Ai3YKhAxtK
Score

7^/10

persistence
- Modifies init.d
  Adds/modifies system service, likely for persistence.
  persistence
- Modifies rc script
  Adding/modifying system rc scripts is a common persistence mechanism.
  persistence
- Reads CPU attributes
- Reads system network configuration
  Uses contents of /proc filesystem to enumerate network settings.
- Reads runtime system information
  Reads data from /proc virtual filesystem.
behavioral20
- Target
  
  TX986
- Size
  
  1.1MB
- MD5
  
  8adfc3cc5e225440684e74b7f7994933
- SHA1
  
  fbc72c5bc436a7565d994886e238b80731e373b8
- SHA256
  
  746fd8e299a5542658c051d08765f327f3c3e48248698a29cf57f151a282b157
- SHA512
  
  e9dda159470640c11a6832f8d6be355d90b32c9c1fa7b938b47fc37fdeb459ccb17a8edeed8e0c065f107c7b04eed4b8dea5290543564a7732d3ae8c4c57acfa
- SSDEEP
  
  24576:qsFkPsgRseqq7s7L23vHkF/CZ5lfwNjcpzdmMqMSjG2oedCp/mpyS1tFhextK:leLsL23vEF/CZ5lfwNjcpzdmMqMSjG2F
Score

7^/10

persistence
- Modifies init.d
  Adds/modifies system service, likely for persistence.
  persistence
- Modifies rc script
  Adding/modifying system rc scripts is a common persistence mechanism.
  persistence
- Reads CPU attributes
- Reads system network configuration
  Uses contents of /proc filesystem to enumerate network settings.
- Reads runtime system information
  Reads data from /proc virtual filesystem.
behavioral21
- Target
  
  bjyk.exe
- Size
  
  377KB
- MD5
  
  ca7c977b5b315dd62b0189f2619764db
- SHA1
  
  42ce52b22e5017990660148ba6c5ff0097c5af01
- SHA256
  
  c6d90ced12fb16ca9ae112787ce6d29379b06e0ba0a90595e337c07453a571fa
- SHA512
  
  b7be48e4c7ca12e0059a6b0064eaa8e8c1f4bbd7ed62c2a34671a5875ba25715b45b780d54e58f5429b2cade56244f6a820a46c0a45b0f7e9d4567213a499427
- SSDEEP
  
  6144:xsItKnWUQpBTyPRqyhYPbncTBlhHrbndnkv0oX90Q1vPjrVCTH3mwVaYo7/8FaA/:OtWUzJq8YPbncT3+vXPjc3xVaYo7UFyO
Score

10^/10

gh0strat bootkit persistence rat
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
behavioral22 behavioral23
- Target
  
  ceshi.exe
- Size
  
  303KB
- MD5
  
  3ddd0fe1b5a21d08007805185072bdd0
- SHA1
  
  174d3667b9f266b139f5892c961e7609a6134d79
- SHA256
  
  42676dd65d1dbd81f8f8e751790b4412c5a179feb7edb5460cf230463f141299
- SHA512
  
  2b633d6be693f46ac07e17c43a7389655e7e7e0ded027e9a82ca120139e0e44c68d1f76b32e34501bb9d4d3dcc9d44997c2803999b9aa1f2fec8f531464fdd9f
- SSDEEP
  
  6144:rt8nMnJqNMFSTLeYVvI8vw+Ie51BMz3VolJXUVLAW5w7wIAsKCEc4YgUFk6Oa7HS:doNMsy8I6KFojXUaWQ5KCqOvOaJt+
Score

10^/10

gh0strat persistence rat evasion
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Modifies firewall policy service
  evasion
- Sets DLL path for service in the registry
  persistence
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Deletes itself
- Loads dropped DLL
- Drops file in System32 directory
behavioral24 behavioral25
- Target
  
  ddos.exe
- Size
  
  38KB
- MD5
  
  d68ab23225bf1388a7a16963356a87b6
- SHA1
  
  09ca273cdecf55b67eb20ced2e11a64b52058044
- SHA256
  
  3e20b4ca4fea293b596c23328a06207c301d135774e461ff5c5e7b84784ffd47
- SHA512
  
  ae38756fe73206ec9fdbd4b1c8e57c6e880630385bd5fab2e57ec3f61eea4f3a7d9aa58c8f593eb68d8a6c5df116e24a19f7bdc771d7d97eec7f7cb602d9f234
- SSDEEP
  
  768:mACSpftPzWIYHqfwyk0vsYRG3IUlcV0njosBRtmwOZO4KaAtGB9wMCC:mXSLiIask0vzA3IUlcVIjLB9nMD
Score

10^/10

evasion
- Modifies firewall policy service
  evasion
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral26 behavioral27
- Target
  
  dhl.exe
- Size
  
  311KB
- MD5
  
  1170aaabfc50ba1d8afd2bdd3fde5e33
- SHA1
  
  a345658edc7df429c515bc949d45661c7446136d
- SHA256
  
  022600b997847cb9795b58cbef8b1058760d3037158f1d8890825f20e3f8745e
- SHA512
  
  333c8e2af8f7b845abd897cd7d86ab68545ef2bddfda6f24216aa7fffeb39594756a666500fa3495205505bb485e4659c9e66f3c639d34bc12cf929b00950ea6
- SSDEEP
  
  6144:eKYOSlWhmtC3G/414qs8Pz5Trd8Coc1O9gRyBDqP6K0Q0wKnL:e1/WYtwG24Qp+oOGROrK0W0L
Score

10^/10

upx evasion
- Modifies firewall policy service
  evasion
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
behavioral28 behavioral29
- Target
  
  mh3.exe
- Size
  
  361KB
- MD5
  
  e48e887d5308de6e88b0edbcf0c05664
- SHA1
  
  b78c4d499717346c6da33f9d2a884aaaee74ebcc
- SHA256
  
  e18bc151f005b441f6003b4fc096583c8e4f312bc6439ecffc91b190d73171a2
- SHA512
  
  5068add9bf1681ffb27c9e4867f80fe4ee484a3260b12c501988caaed1ce0876e295e1809b81c47bf2be4994d2e10728b12f84a3e84a212718a0fbc816cb68f7
- SSDEEP
  
  6144:VLTG0GxC/dijE8O1udvvFsueJ+kXpJdkDStVvXGxcS985NRW1W:VfG7ggEN2Vsum+2pJ2YvXGKHW1W
Score

10^/10

evasion
- Modifies firewall policy service
  evasion
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Loads dropped DLL
behavioral30 behavioral31
- Target
  
  server.exe
- Size
  
  333KB
- MD5
  
  44283b85db8476e3dbcab39e644a76bb
- SHA1
  
  afed9e102d07782074a63b8f5fae6ac0ee96ec1f
- SHA256
  
  5e213f963cb6c381a34388e9d66456cc044c395d4921440acb9d80a9625803b2
- SHA512
  
  a5f5dd9ac7116971c65ad376d31b463d0b44b6cced3db08593030eb8ccd64e1fefa1f2c0531004dc347407c2f4f8090bab860e6485f91c3a31eb49b44df78bdf
- SSDEEP
  
  6144:EgiFIfdAcDJiMm02wKURWl3I+q4NqBqAG:ri2dTDJiMmRvUROI+q4UBqAG
Score

10^/10

gh0strat persistence rat
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral32

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task

T1053

Modify Existing Service

T1031

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task

T1053

Defense Evasion

Hijack Execution Flow

T1574

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Dynamic Resolution

T1568

Impact

Tasks

Sharing

General

Malware Config

Targets

Gh0st RAT payload

Executes dropped EXE

UPX packed file

Drops file in System32 directory

Modifies init.d

Write file to user bin folder

Reads CPU attributes

Reads system network configuration

Enumerates kernel/hardware configuration

Reads runtime system information

Writes file to tmp directory

Writes DNS configuration

Creates/modifies Cron job

Modifies init.d

Modifies rc script

Write file to user bin folder

Reads runtime system information

Writes file to tmp directory

Modifies firewall policy service

ACProtect 1.3x - 1.4x DLL software

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Modifies firewall policy service

ACProtect 1.3x - 1.4x DLL software

Loads dropped DLL

Enumerates connected drives

Modifies firewall policy service

ACProtect 1.3x - 1.4x DLL software

Loads dropped DLL

Enumerates connected drives

Modifies init.d

Modifies rc script

Reads runtime system information

Modifies init.d

Modifies rc script

Reads CPU attributes

Reads system network configuration

Reads runtime system information

Modifies init.d

Modifies rc script

Reads CPU attributes

Reads system network configuration

Reads runtime system information

Modifies init.d

Modifies rc script

Reads CPU attributes

Reads system network configuration

Reads runtime system information

Gh0st RAT payload

Gh0strat

ACProtect 1.3x - 1.4x DLL software

Deletes itself

Executes dropped EXE

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Gh0st RAT payload

Gh0strat

Modifies firewall policy service

Sets DLL path for service in the registry

ACProtect 1.3x - 1.4x DLL software

Deletes itself

Loads dropped DLL

Drops file in System32 directory

Modifies firewall policy service

Enumerates connected drives

Modifies firewall policy service

ACProtect 1.3x - 1.4x DLL software

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

UPX packed file

Enumerates connected drives

Drops file in System32 directory