gh0strat | 83fbb1cb049ba2fb7cad60ac4d8e518c0c1c445fa869bd9750c9e84cfb489333

General

Target

fc4896edc72ba726eebda2271be493f6_JaffaCakes118.exe
Size

169KB
MD5

fc4896edc72ba726eebda2271be493f6
SHA1

b8fe3933906ba8988925dfabf924dbce6ced6436
SHA256

83fbb1cb049ba2fb7cad60ac4d8e518c0c1c445fa869bd9750c9e84cfb489333
SHA512

ef9bede22f5019bd48eafdc4ed6d70a2755088d264ff592fe57ce2e01463f67a7160f741ad1ca4d88038c6768ad96b84af37a71f585b493d773c79036b669517
SSDEEP

3072:ALk395hYXJNuhV+g4yidNvJJngaWMY4n6tVojmTic+BSLLpjJj:AQqG+9yYNvJJnnjKiDBALBJj

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2940-18-0x0000000000400000-0x0000000000444000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Executes dropped EXE 1 IoCs

Processes:

20061193428.exe

pid process

2940 20061193428.exe

pid	process
2940	20061193428.exe

Loads dropped DLL 5 IoCs

Processes:

fc4896edc72ba726eebda2271be493f6_JaffaCakes118.exe20061193428.exe

pid	process
2644	fc4896edc72ba726eebda2271be493f6_JaffaCakes118.exe
2644	fc4896edc72ba726eebda2271be493f6_JaffaCakes118.exe
2940	20061193428.exe
2940	20061193428.exe
2940	20061193428.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

20061193428.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ball = "C:\\WINDOWS\\Ball.exe"	20061193428.exe

Drops file in System32 directory 1 IoCs

Processes:

20061193428.exe

description ioc process

File created C:\WINDOWS\SysWOW64\ctfmon.exe 20061193428.exe
Drops file in Program Files directory 1 IoCs

Processes:

fc4896edc72ba726eebda2271be493f6_JaffaCakes118.exe

description ioc process

File created C:\Program Files (x86)\Common Files\20061193428.exe fc4896edc72ba726eebda2271be493f6_JaffaCakes118.exe
Drops file in Windows directory 2 IoCs

Processes:

20061193428.exe

description ioc process

File created C:\WINDOWS\Ball.exe 20061193428.exe
File opened for modification C:\WINDOWS\Ball.exe 20061193428.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

20061193428.exe

pid process

2940 20061193428.exe

description	ioc	process
File created	C:\WINDOWS\SysWOW64\ctfmon.exe	20061193428.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\20061193428.exe	fc4896edc72ba726eebda2271be493f6_JaffaCakes118.exe

description	ioc	process
File created	C:\WINDOWS\Ball.exe	20061193428.exe
File opened for modification	C:\WINDOWS\Ball.exe	20061193428.exe

pid	process
2940	20061193428.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

fc4896edc72ba726eebda2271be493f6_JaffaCakes118.exe

description	pid	process	target process
PID 2644 wrote to memory of 2940	2644	fc4896edc72ba726eebda2271be493f6_JaffaCakes118.exe	20061193428.exe
PID 2644 wrote to memory of 2940	2644	fc4896edc72ba726eebda2271be493f6_JaffaCakes118.exe	20061193428.exe
PID 2644 wrote to memory of 2940	2644	fc4896edc72ba726eebda2271be493f6_JaffaCakes118.exe	20061193428.exe
PID 2644 wrote to memory of 2940	2644	fc4896edc72ba726eebda2271be493f6_JaffaCakes118.exe	20061193428.exe
PID 2644 wrote to memory of 2940	2644	fc4896edc72ba726eebda2271be493f6_JaffaCakes118.exe	20061193428.exe
PID 2644 wrote to memory of 2940	2644	fc4896edc72ba726eebda2271be493f6_JaffaCakes118.exe	20061193428.exe
PID 2644 wrote to memory of 2940	2644	fc4896edc72ba726eebda2271be493f6_JaffaCakes118.exe	20061193428.exe

C:\Users\Admin\AppData\Local\Temp\fc4896edc72ba726eebda2271be493f6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fc4896edc72ba726eebda2271be493f6_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2644

C:\Program Files (x86)\Common Files\20061193428.exe
"C:\Program Files (x86)\Common Files\20061193428.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2940

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\Common Files\20061193428.exe
Filesize
5.1MB

MD5
d7be2f31187feee86d852ce5ffa0b1fd

SHA1
a57fbcca22e1f4d178d811844cdefaa9537ebaef

SHA256
d2fda291f12be94897b3b2567a99730b08bbc1b843c0599cd2cd770bf21bb0c6

SHA512
02fd85e11889c502b1e3b895d44e25b726b81a38ec5e8d125a23d832f75d115a83d12115a334f399b41ca9aa8db11d4b23a5000c0def573d9b257dddca23fc4c

Download Submit
memory/2644-9-0x0000000002A50000-0x0000000002A94000-memory.dmp

Filesize
272KB

Download
memory/2644-4-0x0000000002A50000-0x0000000002A94000-memory.dmp

Filesize
272KB

Download
memory/2940-16-0x0000000000280000-0x00000000002A4000-memory.dmp

Filesize
144KB

Download
memory/2940-15-0x00000000008B0000-0x00000000008F4000-memory.dmp

Filesize
272KB

Download
memory/2940-18-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2940-19-0x0000000000280000-0x00000000002A4000-memory.dmp

Filesize
144KB

Download
memory/2940-21-0x00000000008B0000-0x00000000008F4000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads