gh0strat | 69c76860e3a61433477775a119b35990e6bf454ad3043297719c982f0622f6f9

General

Target

fadd86bfd0250d08feed223ca5c6179a_JaffaCakes118.exe
Size

228KB
MD5

fadd86bfd0250d08feed223ca5c6179a
SHA1

8ebd295336c0bbe50a24efab5e19ecd2e7d27269
SHA256

69c76860e3a61433477775a119b35990e6bf454ad3043297719c982f0622f6f9
SHA512

198afdfecb4dc07d76fe10984ec1495d8a7bc4c7e03353fe8e0c69bd21853d749e4615272192ca7eb5f2bcf4cf75d94ea7f45dbf2f66d96796795217637fd055
SSDEEP

6144:m4Rf/sRhI3qFLy298gWNlPTGQQm6agrd:3Z8S3tpNtTird

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2956-18-0x0000000002560000-0x00000000025AC000-memory.dmp	family_gh0strat
behavioral2/memory/2956-20-0x0000000002560000-0x00000000025AC000-memory.dmp	family_gh0strat
behavioral2/memory/2956-19-0x0000000002560000-0x00000000025AC000-memory.dmp	family_gh0strat
behavioral2/memory/2956-21-0x0000000002560000-0x00000000025AC000-memory.dmp	family_gh0strat
behavioral2/memory/2956-23-0x0000000002560000-0x00000000025AC000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Drops file in System32 directory 1 IoCs

Processes:

fadd86bfd0250d08feed223ca5c6179a_JaffaCakes118.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\Default fadd86bfd0250d08feed223ca5c6179a_JaffaCakes118.exe
Runs net.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Default	fadd86bfd0250d08feed223ca5c6179a_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

fadd86bfd0250d08feed223ca5c6179a_JaffaCakes118.exe

pid	process
2956	fadd86bfd0250d08feed223ca5c6179a_JaffaCakes118.exe
2956	fadd86bfd0250d08feed223ca5c6179a_JaffaCakes118.exe
2956	fadd86bfd0250d08feed223ca5c6179a_JaffaCakes118.exe
2956	fadd86bfd0250d08feed223ca5c6179a_JaffaCakes118.exe
2956	fadd86bfd0250d08feed223ca5c6179a_JaffaCakes118.exe
2956	fadd86bfd0250d08feed223ca5c6179a_JaffaCakes118.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

fadd86bfd0250d08feed223ca5c6179a_JaffaCakes118.exe

pid process

2956 fadd86bfd0250d08feed223ca5c6179a_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

fadd86bfd0250d08feed223ca5c6179a_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 2956 fadd86bfd0250d08feed223ca5c6179a_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2956	fadd86bfd0250d08feed223ca5c6179a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

fadd86bfd0250d08feed223ca5c6179a_JaffaCakes118.exenet.exe

description	pid	process	target process
PID 2956 wrote to memory of 3028	2956	fadd86bfd0250d08feed223ca5c6179a_JaffaCakes118.exe	net.exe
PID 2956 wrote to memory of 3028	2956	fadd86bfd0250d08feed223ca5c6179a_JaffaCakes118.exe	net.exe
PID 2956 wrote to memory of 3028	2956	fadd86bfd0250d08feed223ca5c6179a_JaffaCakes118.exe	net.exe
PID 3028 wrote to memory of 5012	3028	net.exe	net1.exe
PID 3028 wrote to memory of 5012	3028	net.exe	net1.exe
PID 3028 wrote to memory of 5012	3028	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\fadd86bfd0250d08feed223ca5c6179a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fadd86bfd0250d08feed223ca5c6179a_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2956

C:\Windows\SysWOW64\net.exe
net start "Task Scheduler"
2⤵
- Suspicious use of WriteProcessMemory
PID:3028

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start "Task Scheduler"
3⤵
PID:5012

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2956-0-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2956-1-0x0000000000A70000-0x0000000000AB3000-memory.dmp

Filesize
268KB

Download
memory/2956-2-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/2956-3-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/2956-4-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/2956-5-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/2956-6-0x0000000000B60000-0x0000000000B62000-memory.dmp

Filesize
8KB

Download
memory/2956-7-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/2956-8-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/2956-9-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/2956-10-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/2956-11-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/2956-12-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/2956-13-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/2956-14-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/2956-15-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/2956-16-0x0000000002560000-0x00000000025AC000-memory.dmp

Filesize
304KB

Download
memory/2956-18-0x0000000002560000-0x00000000025AC000-memory.dmp

Filesize
304KB

Download
memory/2956-20-0x0000000002560000-0x00000000025AC000-memory.dmp

Filesize
304KB

Download
memory/2956-19-0x0000000002560000-0x00000000025AC000-memory.dmp

Filesize
304KB

Download
memory/2956-21-0x0000000002560000-0x00000000025AC000-memory.dmp

Filesize
304KB

Download
memory/2956-23-0x0000000002560000-0x00000000025AC000-memory.dmp

Filesize
304KB

Download
memory/2956-25-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2956-26-0x0000000000A70000-0x0000000000AB3000-memory.dmp

Filesize
268KB

Download
memory/2956-27-0x0000000002720000-0x0000000002721000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads