gh0strat | 93e486554efa71e0da46388de32bc0be4c41948b18b4590990944bbc5344f868 | Triage

Analysis

max time kernel
132s
max time network
128s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/04/2024, 22:47 UTC

Sharing

Report Analysis Logs

General

Target

e89a03e73f12ec65040118c69b721c59_JaffaCakes118.exe
Size

193KB
MD5

e89a03e73f12ec65040118c69b721c59
SHA1

980308df2d39e456c817215abcc335c9cf9333a4
SHA256

93e486554efa71e0da46388de32bc0be4c41948b18b4590990944bbc5344f868
SHA512

daa81389d1f8be7f1dec2b345f3b2ff764bcc83ab817d72754f990253537fb7437d463b0be39d5b5fc15134a510a651df7bc8b23df13c1af45c79df40d800b1b
SSDEEP

3072:ALk395hYXJkjSUxWpWdlP926IYWls7QddsouZnpyM8HERlJciF2zM1DDF6Q:AQqqjSlpWdlPgkQgoBERciFj1HF6Q

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/files/0x00050000000130fc-18.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 2 IoCs

pid	Process
2152	201151922243.exe
2996	2011519222254.exe

Loads dropped DLL 9 IoCs

pid	Process
1348	e89a03e73f12ec65040118c69b721c59_JaffaCakes118.exe
2152	201151922243.exe
2152	201151922243.exe
2152	201151922243.exe
2152	201151922243.exe
2152	201151922243.exe
2996	2011519222254.exe
2996	2011519222254.exe
2996	2011519222254.exe

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ball = "C:\\WINDOWS\\Ball.exe"	2011519222254.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\Ball.exe	2011519222254.exe
File opened for modification	C:\WINDOWS\Ball.exe	2011519222254.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012246-2.dat	nsis_installer_1
behavioral1/files/0x000c000000012246-2.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2996	2011519222254.exe
2996	2011519222254.exe
2996	2011519222254.exe
2996	2011519222254.exe
2996	2011519222254.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2996	2011519222254.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 2152	1348	e89a03e73f12ec65040118c69b721c59_JaffaCakes118.exe	28
PID 1348 wrote to memory of 2152	1348	e89a03e73f12ec65040118c69b721c59_JaffaCakes118.exe	28
PID 1348 wrote to memory of 2152	1348	e89a03e73f12ec65040118c69b721c59_JaffaCakes118.exe	28
PID 1348 wrote to memory of 2152	1348	e89a03e73f12ec65040118c69b721c59_JaffaCakes118.exe	28
PID 1348 wrote to memory of 2152	1348	e89a03e73f12ec65040118c69b721c59_JaffaCakes118.exe	28
PID 1348 wrote to memory of 2152	1348	e89a03e73f12ec65040118c69b721c59_JaffaCakes118.exe	28
PID 1348 wrote to memory of 2152	1348	e89a03e73f12ec65040118c69b721c59_JaffaCakes118.exe	28
PID 2152 wrote to memory of 2996	2152	201151922243.exe	29
PID 2152 wrote to memory of 2996	2152	201151922243.exe	29
PID 2152 wrote to memory of 2996	2152	201151922243.exe	29
PID 2152 wrote to memory of 2996	2152	201151922243.exe	29
PID 2152 wrote to memory of 2996	2152	201151922243.exe	29
PID 2152 wrote to memory of 2996	2152	201151922243.exe	29
PID 2152 wrote to memory of 2996	2152	201151922243.exe	29

C:\Users\Admin\AppData\Local\Temp\e89a03e73f12ec65040118c69b721c59_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e89a03e73f12ec65040118c69b721c59_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Windows\temp\201151922243.exe
  "C:\Windows\temp\201151922243.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Windows\temp\2011519222254.exe
    "C:\Windows\temp\2011519222254.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2996

Network

DNS

scfyang.3322.org

2011519222254.exe

Remote address:

8.8.8.8:53

Request

scfyang.3322.org

IN A

Response

No results found

8.8.8.8:53

scfyang.3322.org

dns

2011519222254.exe

62 B
126 B
1
1

DNS Request

scfyang.3322.org

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\2011519222254.exe

Filesize
308KB

MD5
a8247344600b8cdf4f8debe3c8493ba8

SHA1
bbc3ac5475dcdb16c4f38a180dbefb8dcefce4d0

SHA256
639cbbed21a4c8cbf9d63ef3952fdc0078a816e4703b2c91557dce082d7d0063

SHA512
cfa753ae805fd21db0fd1fea23f65b59173c589c77ea5fd73a9471647751c82d3d6d3d08f2a92a056a3e13f13fc93e8e9eb88fb5dd79d008232a27badfa994dd

Download Submit
\Windows\Temp\201151922243.exe

Filesize
25.1MB

MD5
2f30d031eceaa35e41d78363747f9182

SHA1
c5d467e10167330cdc5c4d859a81ffdd0c1ac101

SHA256
52ab1dfca531c1b409af062478f1926d86fec266fe1c90a61c70676633cef8a5

SHA512
b4729afc5910f8b37ef0b5a2591b52b13da5fd0d259ef8f5af1e798f71c9630d9b004dca8301b5d7a820d516d86ddc198ae52eb43a22edc1a73a1a830bd9c71d

Download Submit