gh0strat | 4bda9530b10c545a742927ba59bad0c91d5eee041182bd00cff1e35d24f65e12

General

Target

f35f6f1d7be07e40d10aabeffb59339e_JaffaCakes118.exe
Size

164KB
MD5

f35f6f1d7be07e40d10aabeffb59339e
SHA1

8142fe61189c36ddc185d1e57d2f6c9634ed9117
SHA256

4bda9530b10c545a742927ba59bad0c91d5eee041182bd00cff1e35d24f65e12
SHA512

8fd5b43689166e8e4de0038056fe486c06d06bad624ebd3f54d9cdad1207608e12c04dad0f967dc0f6e3f39d12957a01ab182aa8e5d1c9c90c292df1cad425c6
SSDEEP

3072:9zbOmU/znUc/iP+Ha7HtzKpAKGGKzQwfH2IBKkIbvn9DAi9Mmel7yL3O/+6s6:9zbOmUrnU+imHa7HCczQQH2ISbf90i9M

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/files/0x00080000000122cd-6.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\xxiaoxiliushui\Parameters\ServiceDll = "C:\\Windows\\system32\\ntf76317cz.dll"	f35f6f1d7be07e40d10aabeffb59339e_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2532	cmd.exe

Loads dropped DLL 6 IoCs

pid	Process
1972	f35f6f1d7be07e40d10aabeffb59339e_JaffaCakes118.exe
2440	svchost.exe
2588	rundll32.exe
2588	rundll32.exe
2588	rundll32.exe
2588	rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ntf76317cz.dll	f35f6f1d7be07e40d10aabeffb59339e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\RCX32B4.tmp	f35f6f1d7be07e40d10aabeffb59339e_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
2588	rundll32.exe
2588	rundll32.exe
2588	rundll32.exe
2588	rundll32.exe
2588	rundll32.exe
2588	rundll32.exe
2588	rundll32.exe
2588	rundll32.exe
2588	rundll32.exe
2588	rundll32.exe
2588	rundll32.exe
2588	rundll32.exe
2588	rundll32.exe
2588	rundll32.exe
2588	rundll32.exe
2588	rundll32.exe
2588	rundll32.exe
2588	rundll32.exe
2588	rundll32.exe
2588	rundll32.exe
2588	rundll32.exe
2588	rundll32.exe
2588	rundll32.exe
2588	rundll32.exe
2588	rundll32.exe
2588	rundll32.exe
2588	rundll32.exe
2588	rundll32.exe
2588	rundll32.exe
2588	rundll32.exe
2588	rundll32.exe
2588	rundll32.exe
2588	rundll32.exe
2588	rundll32.exe
2588	rundll32.exe
2588	rundll32.exe
2588	rundll32.exe
2588	rundll32.exe
2588	rundll32.exe
2588	rundll32.exe
2588	rundll32.exe
2588	rundll32.exe
2588	rundll32.exe
2588	rundll32.exe
2588	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2440	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1972	f35f6f1d7be07e40d10aabeffb59339e_JaffaCakes118.exe
1972	f35f6f1d7be07e40d10aabeffb59339e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2532	1972	f35f6f1d7be07e40d10aabeffb59339e_JaffaCakes118.exe	29
PID 1972 wrote to memory of 2532	1972	f35f6f1d7be07e40d10aabeffb59339e_JaffaCakes118.exe	29
PID 1972 wrote to memory of 2532	1972	f35f6f1d7be07e40d10aabeffb59339e_JaffaCakes118.exe	29
PID 1972 wrote to memory of 2532	1972	f35f6f1d7be07e40d10aabeffb59339e_JaffaCakes118.exe	29
PID 2440 wrote to memory of 2588	2440	svchost.exe	31
PID 2440 wrote to memory of 2588	2440	svchost.exe	31
PID 2440 wrote to memory of 2588	2440	svchost.exe	31
PID 2440 wrote to memory of 2588	2440	svchost.exe	31
PID 2440 wrote to memory of 2588	2440	svchost.exe	31
PID 2440 wrote to memory of 2588	2440	svchost.exe	31
PID 2440 wrote to memory of 2588	2440	svchost.exe	31

C:\Users\Admin\AppData\Local\Temp\f35f6f1d7be07e40d10aabeffb59339e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f35f6f1d7be07e40d10aabeffb59339e_JaffaCakes118.exe"
1⤵
- Sets DLL path for service in the registry
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del "C:\Users\Admin\AppData\Local\Temp\f35f6f1d7be07e40d10aabeffb59339e_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  PID:2532

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "xxiaoxiliushui"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe c:\windows\system32\ntf76317cz.dll, abcd
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\ntf76317cz.dll

Filesize
113KB

MD5
82a581b7dca6aa6e0c3993d5721473a4

SHA1
e6aa5e5c42ac37fd026964aec48690f8de691771

SHA256
ff4be0c2adcbbf830583e9713147b557a105466c2bfe5ca43d70bb246b831040

SHA512
698d0be8bc64769d55629dc53e1d6842d528b40853c41200f1dfd433a7f8d348177326f79364628b5f0fc51ea239a211857f910fad919a09a704c89056f558f0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads