Analysis
- max time kernel: 135s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-05-2023 09:15
Static task: static1
Behavioral task: behavioral1
- Sample: gh0strat.exe
- Resource: win7-20230220-en
General
- Target: gh0strat.exe
- Size: 396KB
- MD5: 4a3044c9ac651ba36a5735162ecc2ca6
- SHA1: b45a2af26780f047fd918c3b1bb089f3f4478212
- SHA256: 147b3fad1138c98d0ea5b781577f03dd7cf80b541bfc111c95760a26b80a003e
- SHA512: daa2b6734fae52ba5d3fec155dca05f464b1573193a2ebc746b798f669bc7b1b11c5637a6df555dd468e7a669194e14651419a436879e296366488393b9dfc57
- SSDEEP: 12288:sb5DbPowllDRf9Ib2JONfUcri1RcQP2at:s9Dbg6lV9C2JOBUIc12at
Malware Config
Signatures
-
Processes:
  resource  yara_rule
  behavioral2/memory/1872-135-0x0000000010000000-0x00000000101B9000-memory.dmp  purplefox_rootkit
  behavioral2/memory/1872-136-0x0000000010000000-0x00000000101B9000-memory.dmp  purplefox_rootkit
  behavioral2/memory/4536-143-0x0000000010000000-0x00000000101B9000-memory.dmp  purplefox_rootkit
  behavioral2/memory/4536-144-0x0000000010000000-0x00000000101B9000-memory.dmp  purplefox_rootkit
  behavioral2/memory/4388-148-0x0000000010000000-0x00000000101B9000-memory.dmp  purplefox_rootkit
  behavioral2/memory/4388-149-0x0000000010000000-0x00000000101B9000-memory.dmp  purplefox_rootkit
  behavioral2/memory/4388-150-0x0000000010000000-0x00000000101B9000-memory.dmp  purplefox_rootkit
Gh0st RAT payload 7 IoCs
Processes:
  resource  yara_rule
  behavioral2/memory/1872-135-0x0000000010000000-0x00000000101B9000-memory.dmp  family_gh0strat
  behavioral2/memory/1872-136-0x0000000010000000-0x00000000101B9000-memory.dmp  family_gh0strat
  behavioral2/memory/4536-143-0x0000000010000000-0x00000000101B9000-memory.dmp  family_gh0strat
  behavioral2/memory/4536-144-0x0000000010000000-0x00000000101B9000-memory.dmp  family_gh0strat
  behavioral2/memory/4388-148-0x0000000010000000-0x00000000101B9000-memory.dmp  family_gh0strat
  behavioral2/memory/4388-149-0x0000000010000000-0x00000000101B9000-memory.dmp  family_gh0strat
  behavioral2/memory/4388-150-0x0000000010000000-0x00000000101B9000-memory.dmp  family_gh0strat
Executes dropped EXE 2 IoCs
Processes:
  pid   process
  4536  Jbrja.exe
  4388  Jbrja.exe
Processes:
  resource  yara_rule
  behavioral2/memory/1872-133-0x0000000010000000-0x00000000101B9000-memory.dmp  upx
  behavioral2/memory/1872-135-0x0000000010000000-0x00000000101B9000-memory.dmp  upx
  behavioral2/memory/1872-136-0x0000000010000000-0x00000000101B9000-memory.dmp  upx
  behavioral2/memory/4536-141-0x0000000010000000-0x00000000101B9000-memory.dmp  upx
  behavioral2/memory/4536-143-0x0000000010000000-0x00000000101B9000-memory.dmp  upx
  behavioral2/memory/4536-144-0x0000000010000000-0x00000000101B9000-memory.dmp  upx
  behavioral2/memory/4388-148-0x0000000010000000-0x00000000101B9000-memory.dmp  upx
  behavioral2/memory/4388-149-0x0000000010000000-0x00000000101B9000-memory.dmp  upx
  behavioral2/memory/4388-150-0x0000000010000000-0x00000000101B9000-memory.dmp  upx
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description              ioc     process
  File opened (read-only)  by Jbrja.exe for each of: \??\L:, \??\N:, \??\P:, \??\Q:, \??\S:, \??\T:, \??\I:, \??\J:, \??\U:, \??\F:, \??\K:, \??\O:, \??\W:, \??\H:, \??\E:, \??\G:, \??\M:, \??\R:, \??\V:, \??\X:, \??\Y:, \??\B:, \??\Z:
Drops file in System32 directory 2 IoCs
Processes:
  description                   ioc                              process
  File created                  C:\Windows\SysWOW64\Jbrja.exe    gh0strat.exe
  File opened for modification  C:\Windows\SysWOW64\Jbrja.exe    gh0strat.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                    process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0       Jbrja.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  Jbrja.exe
Modifies data under HKEY_USERS 5 IoCs
Processes:
  description      ioc                                                                         process
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum              Jbrja.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software                                            Jbrja.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft                                  Jbrja.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie                      Jbrja.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7"  Jbrja.exe
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid   process
  4388  Jbrja.exe  (64 identical entries)
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  description                        pid   process
  Token: SeIncBasePriorityPrivilege  1872  gh0strat.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
  description                      pid   process       target process
  PID 1872 wrote to memory of 4796  1872  gh0strat.exe  cmd.exe   (3 entries)
  PID 4536 wrote to memory of 4388  4536  Jbrja.exe     Jbrja.exe (3 entries)
  PID 4796 wrote to memory of 2676  4796  cmd.exe       PING.EXE  (3 entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\gh0strat.exe
      "C:\Users\Admin\AppData\Local\Temp\gh0strat.exe"
      - Drops file in System32 directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\gh0strat.exe > nul
        - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\PING.EXE
          ping -n 2 127.0.0.1
          - Runs ping.exe
- [1] C:\Windows\SysWOW64\Jbrja.exe
      C:\Windows\SysWOW64\Jbrja.exe -auto
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\Jbrja.exe
        C:\Windows\SysWOW64\Jbrja.exe -acsi
        - Executes dropped EXE
        - Enumerates connected drives
        - Checks processor information in registry
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\SysWOW64\Jbrja.exe
  Filesize: 396KB
  MD5: 4a3044c9ac651ba36a5735162ecc2ca6
  SHA1: b45a2af26780f047fd918c3b1bb089f3f4478212
  SHA256: 147b3fad1138c98d0ea5b781577f03dd7cf80b541bfc111c95760a26b80a003e
  SHA512: daa2b6734fae52ba5d3fec155dca05f464b1573193a2ebc746b798f669bc7b1b11c5637a6df555dd468e7a669194e14651419a436879e296366488393b9dfc57
- memory/1872-133-0x0000000010000000-0x00000000101B9000-memory.dmp  Filesize: 1.7MB
- memory/1872-135-0x0000000010000000-0x00000000101B9000-memory.dmp  Filesize: 1.7MB
- memory/1872-136-0x0000000010000000-0x00000000101B9000-memory.dmp  Filesize: 1.7MB
- memory/4388-148-0x0000000010000000-0x00000000101B9000-memory.dmp  Filesize: 1.7MB
- memory/4388-149-0x0000000010000000-0x00000000101B9000-memory.dmp  Filesize: 1.7MB
- memory/4388-150-0x0000000010000000-0x00000000101B9000-memory.dmp  Filesize: 1.7MB
- memory/4536-141-0x0000000010000000-0x00000000101B9000-memory.dmp  Filesize: 1.7MB
- memory/4536-143-0x0000000010000000-0x00000000101B9000-memory.dmp  Filesize: 1.7MB
- memory/4536-144-0x0000000010000000-0x00000000101B9000-memory.dmp  Filesize: 1.7MB