Analysis
-
max time kernel
137s -
max time network
139s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
28-05-2023 09:15
General
-
Target
gh0strat.exe
-
Size
396KB
-
MD5
4a3044c9ac651ba36a5735162ecc2ca6
-
SHA1
b45a2af26780f047fd918c3b1bb089f3f4478212
-
SHA256
147b3fad1138c98d0ea5b781577f03dd7cf80b541bfc111c95760a26b80a003e
-
SHA512
daa2b6734fae52ba5d3fec155dca05f464b1573193a2ebc746b798f669bc7b1b11c5637a6df555dd468e7a669194e14651419a436879e296366488393b9dfc57
-
SSDEEP
12288:sb5DbPowllDRf9Ib2JONfUcri1RcQP2at:s9Dbg6lV9C2JOBUIc12at
Malware Config
Signatures
-
Detect PurpleFox Rootkit 3 IoCs
Detect PurpleFox Rootkit.
-
Gh0st RAT payload 3 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 1 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 2 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 6 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 33 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\gh0strat.exe"C:\Users\Admin\AppData\Local\Temp\gh0strat.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\gh0strat.exe > nul2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.13⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\Jbrja.exeC:\Windows\SysWOW64\Jbrja.exe -auto1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Jbrja.exeC:\Windows\SysWOW64\Jbrja.exe -acsi2⤵
- Executes dropped EXE
- Enumerates connected drives
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SysWOW64\Jbrja.exeFilesize
396KB
MD54a3044c9ac651ba36a5735162ecc2ca6
SHA1b45a2af26780f047fd918c3b1bb089f3f4478212
SHA256147b3fad1138c98d0ea5b781577f03dd7cf80b541bfc111c95760a26b80a003e
SHA512daa2b6734fae52ba5d3fec155dca05f464b1573193a2ebc746b798f669bc7b1b11c5637a6df555dd468e7a669194e14651419a436879e296366488393b9dfc57
-
C:\Windows\SysWOW64\Jbrja.exeFilesize
396KB
MD54a3044c9ac651ba36a5735162ecc2ca6
SHA1b45a2af26780f047fd918c3b1bb089f3f4478212
SHA256147b3fad1138c98d0ea5b781577f03dd7cf80b541bfc111c95760a26b80a003e
SHA512daa2b6734fae52ba5d3fec155dca05f464b1573193a2ebc746b798f669bc7b1b11c5637a6df555dd468e7a669194e14651419a436879e296366488393b9dfc57
-
\Windows\SysWOW64\Jbrja.exeFilesize
396KB
MD54a3044c9ac651ba36a5735162ecc2ca6
SHA1b45a2af26780f047fd918c3b1bb089f3f4478212
SHA256147b3fad1138c98d0ea5b781577f03dd7cf80b541bfc111c95760a26b80a003e
SHA512daa2b6734fae52ba5d3fec155dca05f464b1573193a2ebc746b798f669bc7b1b11c5637a6df555dd468e7a669194e14651419a436879e296366488393b9dfc57
-
memory/824-72-0x0000000010000000-0x00000000101B9000-memory.dmpFilesize
1.7MB
-
memory/912-54-0x0000000010000000-0x00000000101B9000-memory.dmpFilesize
1.7MB
-
memory/912-56-0x0000000010000000-0x00000000101B9000-memory.dmpFilesize
1.7MB
-
memory/912-57-0x0000000010000000-0x00000000101B9000-memory.dmpFilesize
1.7MB