gh0strat | cd3968485cbf7e19d8e878d0ced801ac5ce81ee693775bd45ced1942a6f28b64 | Triage

Submit
Reports

Overview

overview

Static

static

fc51d8fe5f...18.exe

windows7-x64

fc51d8fe5f...18.exe

windows10-2004-x64

Sharing

General

Target

fc51d8fe5fd73fa0c27e04c096af2e6d_JaffaCakes118
Size

259KB
Sample

240420-j461sach8w
MD5

fc51d8fe5fd73fa0c27e04c096af2e6d
SHA1

9ec0b1d55b24fd103a0b5d3313a8346cc33d427d
SHA256

cd3968485cbf7e19d8e878d0ced801ac5ce81ee693775bd45ced1942a6f28b64
SHA512

99ec0c421fe0f39838e6b258cce37948be315936f418713b8968f1ab35afc4ddf4a2c448ddbef9a62576cee67c1598d32ee34d1c9370ceb9c4cec3c6487689c8
SSDEEP

6144:IMTAIMq/rEx2Etkd1Qh6zZxfnlwFsWPRpJf6IK/eyEPoGwBnY:Irgoxazj/lw6WnJ0eJPoxVY

Score

10^/10

gh0strat persistence rat

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

fc51d8fe5fd73fa0c27e04c096af2e6d_JaffaCakes118.exe

Resource

win7-20240220-en

gh0strat persistence rat

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

fc51d8fe5fd73fa0c27e04c096af2e6d_JaffaCakes118.exe

Resource

win10v2004-20240226-en

gh0strat persistence rat

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Targets

- Target
  
  fc51d8fe5fd73fa0c27e04c096af2e6d_JaffaCakes118
- Size
  
  259KB
- MD5
  
  fc51d8fe5fd73fa0c27e04c096af2e6d
- SHA1
  
  9ec0b1d55b24fd103a0b5d3313a8346cc33d427d
- SHA256
  
  cd3968485cbf7e19d8e878d0ced801ac5ce81ee693775bd45ced1942a6f28b64
- SHA512
  
  99ec0c421fe0f39838e6b258cce37948be315936f418713b8968f1ab35afc4ddf4a2c448ddbef9a62576cee67c1598d32ee34d1c9370ceb9c4cec3c6487689c8
- SSDEEP
  
  6144:IMTAIMq/rEx2Etkd1Qh6zZxfnlwFsWPRpJf6IK/eyEPoGwBnY:Irgoxazj/lw6WnJ0eJPoxVY
Score

10^/10

gh0strat persistence rat
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Modifies Installed Components in the registry
  persistence
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

gh0stratpersistencerat

behavioral2

gh0stratpersistencerat

© 2018-2024

Terms | Privacy