gh0strat | 93e486554efa71e0da46388de32bc0be4c41948b18b4590990944bbc5344f868

Analysis

max time kernel
147s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/04/2024, 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e89a03e73f12ec65040118c69b721c59_JaffaCakes118.exe
Size

193KB
MD5

e89a03e73f12ec65040118c69b721c59
SHA1

980308df2d39e456c817215abcc335c9cf9333a4
SHA256

93e486554efa71e0da46388de32bc0be4c41948b18b4590990944bbc5344f868
SHA512

daa81389d1f8be7f1dec2b345f3b2ff764bcc83ab817d72754f990253537fb7437d463b0be39d5b5fc15134a510a651df7bc8b23df13c1af45c79df40d800b1b
SSDEEP

3072:ALk395hYXJkjSUxWpWdlP926IYWls7QddsouZnpyM8HERlJciF2zM1DDF6Q:AQqqjSlpWdlPgkQgoBERciFj1HF6Q

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0004000000022898-12.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	e89a03e73f12ec65040118c69b721c59_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	201151922243.exe

Executes dropped EXE 2 IoCs

pid	Process
216	201151922243.exe
4676	2011519222254.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ball = "C:\\WINDOWS\\Ball.exe"	2011519222254.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\Ball.exe	2011519222254.exe
File opened for modification	C:\WINDOWS\Ball.exe	2011519222254.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x0008000000023221-4.dat	nsis_installer_1
behavioral2/files/0x0008000000023221-4.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4676	2011519222254.exe
4676	2011519222254.exe
4676	2011519222254.exe
4676	2011519222254.exe
4676	2011519222254.exe
4676	2011519222254.exe
4676	2011519222254.exe
4676	2011519222254.exe
4676	2011519222254.exe
4676	2011519222254.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4676	2011519222254.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 216	1080	e89a03e73f12ec65040118c69b721c59_JaffaCakes118.exe	88
PID 1080 wrote to memory of 216	1080	e89a03e73f12ec65040118c69b721c59_JaffaCakes118.exe	88
PID 1080 wrote to memory of 216	1080	e89a03e73f12ec65040118c69b721c59_JaffaCakes118.exe	88
PID 216 wrote to memory of 4676	216	201151922243.exe	90
PID 216 wrote to memory of 4676	216	201151922243.exe	90
PID 216 wrote to memory of 4676	216	201151922243.exe	90

C:\Users\Admin\AppData\Local\Temp\e89a03e73f12ec65040118c69b721c59_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e89a03e73f12ec65040118c69b721c59_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Windows\temp\201151922243.exe
  "C:\Windows\temp\201151922243.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\Windows\temp\2011519222254.exe
    "C:\Windows\temp\2011519222254.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\2011519222254.exe

Filesize
308KB

MD5
a8247344600b8cdf4f8debe3c8493ba8

SHA1
bbc3ac5475dcdb16c4f38a180dbefb8dcefce4d0

SHA256
639cbbed21a4c8cbf9d63ef3952fdc0078a816e4703b2c91557dce082d7d0063

SHA512
cfa753ae805fd21db0fd1fea23f65b59173c589c77ea5fd73a9471647751c82d3d6d3d08f2a92a056a3e13f13fc93e8e9eb88fb5dd79d008232a27badfa994dd

Download Submit
C:\Windows\Temp\201151922243.exe

Filesize
25.1MB

MD5
2f30d031eceaa35e41d78363747f9182

SHA1
c5d467e10167330cdc5c4d859a81ffdd0c1ac101

SHA256
52ab1dfca531c1b409af062478f1926d86fec266fe1c90a61c70676633cef8a5

SHA512
b4729afc5910f8b37ef0b5a2591b52b13da5fd0d259ef8f5af1e798f71c9630d9b004dca8301b5d7a820d516d86ddc198ae52eb43a22edc1a73a1a830bd9c71d

Download Submit