gh0strat | 23b4db70467b743aedc28e7491b0ff19f8da25d900d4774ae03a09d00c9d541e

General

Target

f9bc188cea28a58637199adb185016ba_JaffaCakes118.exe
Size

95KB
MD5

f9bc188cea28a58637199adb185016ba
SHA1

5e636a80b59ee7fb8009922f21ca2b43418843e4
SHA256

23b4db70467b743aedc28e7491b0ff19f8da25d900d4774ae03a09d00c9d541e
SHA512

93a4b9b287e5c9f507f2bf53c9bf707538800ff3cf8e10b7608e84814308b62abab46ac8702c0182ec65550f902559bbf0c1615189dbaa3f1c0582f1bac3875d
SSDEEP

1536:vHFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prHpGoGydEx:vxS4jHS8q/3nTzePCwNUh4E9HpkqEx

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

Processes:

resource	yara_rule
\??\c:\programdata\application data\storm\update\%sessionname%\xsjln.cc3	family_gh0strat
behavioral2/memory/4752-16-0x0000000000400000-0x000000000044E298-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Deletes itself 1 IoCs

Processes:

nxvsrmxpui

pid process

4752 nxvsrmxpui
Executes dropped EXE 1 IoCs

Processes:

nxvsrmxpui

pid process

4752 nxvsrmxpui
Loads dropped DLL 3 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

pid process

3824 svchost.exe
3620 svchost.exe
1992 svchost.exe

pid	process
4752	nxvsrmxpui

pid	process
4752	nxvsrmxpui

pid	process
3824	svchost.exe
3620	svchost.exe
1992	svchost.exe

Drops file in System32 directory 6 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\dwjtldeifl	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\dwjtldeifl	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\efxmsghgrg	svchost.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

2336 3824 WerFault.exe svchost.exe
1508 3620 WerFault.exe svchost.exe
2940 1992 WerFault.exe svchost.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

nxvsrmxpui

pid process

4752 nxvsrmxpui
4752 nxvsrmxpui

pid	pid_target	process	target process
2336	3824	WerFault.exe	svchost.exe
1508	3620	WerFault.exe	svchost.exe
2940	1992	WerFault.exe	svchost.exe

pid	process
4752	nxvsrmxpui
4752	nxvsrmxpui

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

nxvsrmxpuisvchost.exesvchost.exesvchost.exe

description	pid	process
Token: SeRestorePrivilege	4752	nxvsrmxpui
Token: SeBackupPrivilege	4752	nxvsrmxpui
Token: SeBackupPrivilege	4752	nxvsrmxpui
Token: SeRestorePrivilege	4752	nxvsrmxpui
Token: SeBackupPrivilege	3824	svchost.exe
Token: SeRestorePrivilege	3824	svchost.exe
Token: SeBackupPrivilege	3824	svchost.exe
Token: SeBackupPrivilege	3824	svchost.exe
Token: SeSecurityPrivilege	3824	svchost.exe
Token: SeSecurityPrivilege	3824	svchost.exe
Token: SeBackupPrivilege	3824	svchost.exe
Token: SeBackupPrivilege	3824	svchost.exe
Token: SeSecurityPrivilege	3824	svchost.exe
Token: SeBackupPrivilege	3824	svchost.exe
Token: SeBackupPrivilege	3824	svchost.exe
Token: SeSecurityPrivilege	3824	svchost.exe
Token: SeBackupPrivilege	3824	svchost.exe
Token: SeRestorePrivilege	3824	svchost.exe
Token: SeBackupPrivilege	3620	svchost.exe
Token: SeRestorePrivilege	3620	svchost.exe
Token: SeBackupPrivilege	3620	svchost.exe
Token: SeBackupPrivilege	3620	svchost.exe
Token: SeSecurityPrivilege	3620	svchost.exe
Token: SeSecurityPrivilege	3620	svchost.exe
Token: SeBackupPrivilege	3620	svchost.exe
Token: SeBackupPrivilege	3620	svchost.exe
Token: SeSecurityPrivilege	3620	svchost.exe
Token: SeBackupPrivilege	3620	svchost.exe
Token: SeBackupPrivilege	3620	svchost.exe
Token: SeSecurityPrivilege	3620	svchost.exe
Token: SeBackupPrivilege	3620	svchost.exe
Token: SeRestorePrivilege	3620	svchost.exe
Token: SeBackupPrivilege	1992	svchost.exe
Token: SeRestorePrivilege	1992	svchost.exe
Token: SeBackupPrivilege	1992	svchost.exe
Token: SeBackupPrivilege	1992	svchost.exe
Token: SeSecurityPrivilege	1992	svchost.exe
Token: SeSecurityPrivilege	1992	svchost.exe
Token: SeBackupPrivilege	1992	svchost.exe
Token: SeBackupPrivilege	1992	svchost.exe
Token: SeSecurityPrivilege	1992	svchost.exe
Token: SeBackupPrivilege	1992	svchost.exe
Token: SeBackupPrivilege	1992	svchost.exe
Token: SeSecurityPrivilege	1992	svchost.exe
Token: SeBackupPrivilege	1992	svchost.exe
Token: SeRestorePrivilege	1992	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

f9bc188cea28a58637199adb185016ba_JaffaCakes118.exe

description	pid	process	target process
PID 4948 wrote to memory of 4752	4948	f9bc188cea28a58637199adb185016ba_JaffaCakes118.exe	nxvsrmxpui
PID 4948 wrote to memory of 4752	4948	f9bc188cea28a58637199adb185016ba_JaffaCakes118.exe	nxvsrmxpui
PID 4948 wrote to memory of 4752	4948	f9bc188cea28a58637199adb185016ba_JaffaCakes118.exe	nxvsrmxpui

C:\Users\Admin\AppData\Local\Temp\f9bc188cea28a58637199adb185016ba_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f9bc188cea28a58637199adb185016ba_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4948

\??\c:\users\admin\appdata\local\nxvsrmxpui
"C:\Users\Admin\AppData\Local\Temp\f9bc188cea28a58637199adb185016ba_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\f9bc188cea28a58637199adb185016ba_jaffacakes118.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4752

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 872
2⤵
- Program crash
PID:2336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3824 -ip 3824
1⤵
PID:3116

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 1048
2⤵
- Program crash
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3620 -ip 3620
1⤵
PID:4532

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 1116
2⤵
- Program crash
PID:2940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1992 -ip 1992
1⤵
PID:4440

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\nxvsrmxpui

Filesize
20.8MB

MD5
8769a813ddc695963895f821089a4ced

SHA1
629bfa52574764d75cb8edfaae2b90090a0e3b8c

SHA256
07e922a22f333dab662ee168ea2d42458d5c4cadc0b961cacb387ec6cf38bccf

SHA512
170058baebc6fc0efd291a417cb70ab9b75b8172c7278f704c6f4f824346b718e45d65dffcea4ecfd260525afc980ac85f9d92c6324a2cf1c56a4c56d5becaa1

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
202B

MD5
5cca7bb7016faa6f7ec5923eaf4c6f95

SHA1
e5152bf06900a944737bf182df2c82fd1bcb6877

SHA256
136d816d3417993a1e7f06510a2f0087ab5e736eaf7a893b8991949c7f7927ae

SHA512
a3e426cfda4af67b4893047c848675bf283358a951b09f4e3483870f1c1feebc21eac6f8268d2dd5e654b850131f2a5a774ffbe8fe976bf126b893a3ff975add

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
303B

MD5
e367e59a1181bc40f06287fb675224d5

SHA1
c62d00e0dea6fe241018219a6978fc5c7fd8cf5c

SHA256
709807a2ff5857500ac449ff3c5356b87a9e3649c132153be7dab4dd4c5c8504

SHA512
9e1630ee4b7590431ea2cd5c1bedeb3333ae3b3b0199b4124af661fd6c7954287fc08c73d0c780b004a34067f9f4c1c942ab2fd63f880a4548a40e618f6c6889

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\xsjln.cc3

Filesize
20.1MB

MD5
07853d1f93813f8f03f6358d7814d9e9

SHA1
83bfb9d83bef29de158a0a20e443657d9b86dbd1

SHA256
f7ca41d3e7e40ee9b2eecc5752043960ba6f2d74692f6937ea9c561ad3b2a7f2

SHA512
307b050f5381aa978461b8badb0c2886fd1d90feaacee8fa3f956a22d788e495169c668891bbbe5ada2baa9b4ddc7bdaa9c75a01c0de9980c2c6720a6fb0752b

Download Submit
memory/1992-24-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/3620-20-0x00000000017E0000-0x00000000017E1000-memory.dmp

Filesize
4KB

Download
memory/3824-17-0x0000000001580000-0x0000000001581000-memory.dmp

Filesize
4KB

Download
memory/4752-10-0x0000000000400000-0x000000000044E298-memory.dmp

Filesize
312KB

Download
memory/4752-11-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/4752-16-0x0000000000400000-0x000000000044E298-memory.dmp

Filesize
312KB

Download
memory/4948-0-0x0000000000400000-0x000000000044E298-memory.dmp

Filesize
312KB

Download
memory/4948-7-0x0000000000400000-0x000000000044E298-memory.dmp

Filesize
312KB

Download
memory/4948-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads