gh0strat | 69c76860e3a61433477775a119b35990e6bf454ad3043297719c982f0622f6f9

General

Target

fadd86bfd0250d08feed223ca5c6179a_JaffaCakes118.exe
Size

228KB
MD5

fadd86bfd0250d08feed223ca5c6179a
SHA1

8ebd295336c0bbe50a24efab5e19ecd2e7d27269
SHA256

69c76860e3a61433477775a119b35990e6bf454ad3043297719c982f0622f6f9
SHA512

198afdfecb4dc07d76fe10984ec1495d8a7bc4c7e03353fe8e0c69bd21853d749e4615272192ca7eb5f2bcf4cf75d94ea7f45dbf2f66d96796795217637fd055
SSDEEP

6144:m4Rf/sRhI3qFLy298gWNlPTGQQm6agrd:3Z8S3tpNtTird

Score

10^/10

gh0strat bootkit persistence rat

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2904-19-0x0000000002300000-0x000000000234C000-memory.dmp	family_gh0strat
behavioral1/memory/2904-20-0x0000000002300000-0x000000000234C000-memory.dmp	family_gh0strat
behavioral1/memory/2904-22-0x0000000002300000-0x000000000234C000-memory.dmp	family_gh0strat
behavioral1/memory/2904-24-0x0000000002300000-0x000000000234C000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

fadd86bfd0250d08feed223ca5c6179a_JaffaCakes118.exe

description ioc process

File opened for modification \??\PhysicalDrive0 fadd86bfd0250d08feed223ca5c6179a_JaffaCakes118.exe
Runs net.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	fadd86bfd0250d08feed223ca5c6179a_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

fadd86bfd0250d08feed223ca5c6179a_JaffaCakes118.exe

pid	process
2904	fadd86bfd0250d08feed223ca5c6179a_JaffaCakes118.exe
2904	fadd86bfd0250d08feed223ca5c6179a_JaffaCakes118.exe
2904	fadd86bfd0250d08feed223ca5c6179a_JaffaCakes118.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

fadd86bfd0250d08feed223ca5c6179a_JaffaCakes118.exe

pid process

2904 fadd86bfd0250d08feed223ca5c6179a_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

fadd86bfd0250d08feed223ca5c6179a_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 2904 fadd86bfd0250d08feed223ca5c6179a_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2904	fadd86bfd0250d08feed223ca5c6179a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

fadd86bfd0250d08feed223ca5c6179a_JaffaCakes118.exenet.exe

description	pid	process	target process
PID 2904 wrote to memory of 1980	2904	fadd86bfd0250d08feed223ca5c6179a_JaffaCakes118.exe	net.exe
PID 2904 wrote to memory of 1980	2904	fadd86bfd0250d08feed223ca5c6179a_JaffaCakes118.exe	net.exe
PID 2904 wrote to memory of 1980	2904	fadd86bfd0250d08feed223ca5c6179a_JaffaCakes118.exe	net.exe
PID 2904 wrote to memory of 1980	2904	fadd86bfd0250d08feed223ca5c6179a_JaffaCakes118.exe	net.exe
PID 1980 wrote to memory of 3044	1980	net.exe	net1.exe
PID 1980 wrote to memory of 3044	1980	net.exe	net1.exe
PID 1980 wrote to memory of 3044	1980	net.exe	net1.exe
PID 1980 wrote to memory of 3044	1980	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\fadd86bfd0250d08feed223ca5c6179a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fadd86bfd0250d08feed223ca5c6179a_JaffaCakes118.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2904

C:\Windows\SysWOW64\net.exe
net start "Task Scheduler"
2⤵
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start "Task Scheduler"
3⤵
PID:3044

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2904-1-0x0000000000330000-0x0000000000373000-memory.dmp

Filesize
268KB

Download
memory/2904-0-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2904-11-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/2904-10-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/2904-9-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/2904-8-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/2904-7-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/2904-6-0x00000000004A0000-0x00000000004A2000-memory.dmp

Filesize
8KB

Download
memory/2904-5-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/2904-4-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2904-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2904-2-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2904-14-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/2904-13-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/2904-12-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/2904-15-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/2904-16-0x0000000002300000-0x000000000234C000-memory.dmp

Filesize
304KB

Download
memory/2904-18-0x0000000002300000-0x000000000234C000-memory.dmp

Filesize
304KB

Download
memory/2904-19-0x0000000002300000-0x000000000234C000-memory.dmp

Filesize
304KB

Download
memory/2904-20-0x0000000002300000-0x000000000234C000-memory.dmp

Filesize
304KB

Download
memory/2904-22-0x0000000002300000-0x000000000234C000-memory.dmp

Filesize
304KB

Download
memory/2904-24-0x0000000002300000-0x000000000234C000-memory.dmp

Filesize
304KB

Download
memory/2904-25-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2904-26-0x0000000000330000-0x0000000000373000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads