gh0strat | e16171cfdfd4207352fdd683375cad3473809444e815dda3f23c6b1276ebc38d | Triage

Sharing

Copy URL Twitter E-mail

General

Target

f1bbb968bd19abc217e835ce1dcb8e53_JaffaCakes118
Size

117KB
Sample

240415-x1wmjagc3v
MD5

f1bbb968bd19abc217e835ce1dcb8e53
SHA1

28f0065d7c5751a69e96ca96eb4315d4dfc6c961
SHA256

e16171cfdfd4207352fdd683375cad3473809444e815dda3f23c6b1276ebc38d
SHA512

c1276bbd2794fd89ff3d671131755c3f661a6e7c6056582a6e7cb21779be02a3c97e1d1fbcb50efcd09cb15481aff61f8c37907e92c10af66a9868d994b5394e
SSDEEP

3072:6CwvVlRaD/sIG/nKMmtXy4OxwTo13oM/G1j:6CQxagrCLXLUL13oM/G1j

Score

10^/10

gh0strat persistence rat

Malware Config

Targets

- Target
  
  f1bbb968bd19abc217e835ce1dcb8e53_JaffaCakes118
- Size
  
  117KB
- MD5
  
  f1bbb968bd19abc217e835ce1dcb8e53
- SHA1
  
  28f0065d7c5751a69e96ca96eb4315d4dfc6c961
- SHA256
  
  e16171cfdfd4207352fdd683375cad3473809444e815dda3f23c6b1276ebc38d
- SHA512
  
  c1276bbd2794fd89ff3d671131755c3f661a6e7c6056582a6e7cb21779be02a3c97e1d1fbcb50efcd09cb15481aff61f8c37907e92c10af66a9868d994b5394e
- SSDEEP
  
  3072:6CwvVlRaD/sIG/nKMmtXy4OxwTo13oM/G1j:6CQxagrCLXLUL13oM/G1j
Score

10^/10

gh0strat persistence rat
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Drops file in Drivers directory
- Sets DLL path for service in the registry
  persistence
- Deletes itself
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gh0stratpersistencerat

behavioral2

gh0stratpersistencerat