gh0strat | 78d9a3f43771a66b2ca4a3b06cb534ef477855c34d8673dc2051d8a203ffe66c

General

Target

fc62e83e4105ebb4b73f995568f46e63_JaffaCakes118.exe
Size

96KB
MD5

fc62e83e4105ebb4b73f995568f46e63
SHA1

7c4d494642487e8c1ffee930ef2e221238e4539a
SHA256

78d9a3f43771a66b2ca4a3b06cb534ef477855c34d8673dc2051d8a203ffe66c
SHA512

a4c5eb9866051629e6bd53badbccfdc060ea2355b7286fe35ce9f3365e1ee0e5a16e518e533b85141f94525f9fe0d9052c0cffdb342f5464f68d4ce63b722284
SSDEEP

1536:oKFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8pryTNH9VtWrZt:oQS4jHS8q/3nTzePCwNUh4E9yxdoZt

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

Processes:

resource	yara_rule
\??\c:\programdata\application data\storm\update\%sessionname%\orxpd.cc3	family_gh0strat
behavioral2/memory/1068-16-0x0000000000400000-0x000000000044E21C-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Deletes itself 1 IoCs

Processes:

bujxqjmyvk

pid process

1068 bujxqjmyvk
Executes dropped EXE 1 IoCs

Processes:

bujxqjmyvk

pid process

1068 bujxqjmyvk
Loads dropped DLL 3 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

pid process

4948 svchost.exe
1604 svchost.exe
3956 svchost.exe

pid	process
1068	bujxqjmyvk

pid	process
1068	bujxqjmyvk

pid	process
4948	svchost.exe
1604	svchost.exe
3956	svchost.exe

Drops file in System32 directory 6 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ninvvfrcli	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\nqboeitayd	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\nyphmlvxlx	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

4044 4948 WerFault.exe svchost.exe
3972 1604 WerFault.exe svchost.exe
3952 3956 WerFault.exe svchost.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

bujxqjmyvk

pid process

1068 bujxqjmyvk
1068 bujxqjmyvk

pid	pid_target	process	target process
4044	4948	WerFault.exe	svchost.exe
3972	1604	WerFault.exe	svchost.exe
3952	3956	WerFault.exe	svchost.exe

pid	process
1068	bujxqjmyvk
1068	bujxqjmyvk

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

bujxqjmyvksvchost.exesvchost.exesvchost.exe

description	pid	process
Token: SeRestorePrivilege	1068	bujxqjmyvk
Token: SeBackupPrivilege	1068	bujxqjmyvk
Token: SeBackupPrivilege	1068	bujxqjmyvk
Token: SeRestorePrivilege	1068	bujxqjmyvk
Token: SeBackupPrivilege	4948	svchost.exe
Token: SeRestorePrivilege	4948	svchost.exe
Token: SeBackupPrivilege	4948	svchost.exe
Token: SeBackupPrivilege	4948	svchost.exe
Token: SeSecurityPrivilege	4948	svchost.exe
Token: SeSecurityPrivilege	4948	svchost.exe
Token: SeBackupPrivilege	4948	svchost.exe
Token: SeBackupPrivilege	4948	svchost.exe
Token: SeSecurityPrivilege	4948	svchost.exe
Token: SeBackupPrivilege	4948	svchost.exe
Token: SeBackupPrivilege	4948	svchost.exe
Token: SeSecurityPrivilege	4948	svchost.exe
Token: SeBackupPrivilege	4948	svchost.exe
Token: SeRestorePrivilege	4948	svchost.exe
Token: SeBackupPrivilege	1604	svchost.exe
Token: SeRestorePrivilege	1604	svchost.exe
Token: SeBackupPrivilege	1604	svchost.exe
Token: SeBackupPrivilege	1604	svchost.exe
Token: SeSecurityPrivilege	1604	svchost.exe
Token: SeSecurityPrivilege	1604	svchost.exe
Token: SeBackupPrivilege	1604	svchost.exe
Token: SeBackupPrivilege	1604	svchost.exe
Token: SeSecurityPrivilege	1604	svchost.exe
Token: SeBackupPrivilege	1604	svchost.exe
Token: SeBackupPrivilege	1604	svchost.exe
Token: SeSecurityPrivilege	1604	svchost.exe
Token: SeBackupPrivilege	1604	svchost.exe
Token: SeRestorePrivilege	1604	svchost.exe
Token: SeBackupPrivilege	3956	svchost.exe
Token: SeRestorePrivilege	3956	svchost.exe
Token: SeBackupPrivilege	3956	svchost.exe
Token: SeBackupPrivilege	3956	svchost.exe
Token: SeSecurityPrivilege	3956	svchost.exe
Token: SeSecurityPrivilege	3956	svchost.exe
Token: SeBackupPrivilege	3956	svchost.exe
Token: SeBackupPrivilege	3956	svchost.exe
Token: SeSecurityPrivilege	3956	svchost.exe
Token: SeBackupPrivilege	3956	svchost.exe
Token: SeBackupPrivilege	3956	svchost.exe
Token: SeSecurityPrivilege	3956	svchost.exe
Token: SeBackupPrivilege	3956	svchost.exe
Token: SeRestorePrivilege	3956	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

fc62e83e4105ebb4b73f995568f46e63_JaffaCakes118.exe

description	pid	process	target process
PID 2684 wrote to memory of 1068	2684	fc62e83e4105ebb4b73f995568f46e63_JaffaCakes118.exe	bujxqjmyvk
PID 2684 wrote to memory of 1068	2684	fc62e83e4105ebb4b73f995568f46e63_JaffaCakes118.exe	bujxqjmyvk
PID 2684 wrote to memory of 1068	2684	fc62e83e4105ebb4b73f995568f46e63_JaffaCakes118.exe	bujxqjmyvk

C:\Users\Admin\AppData\Local\Temp\fc62e83e4105ebb4b73f995568f46e63_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fc62e83e4105ebb4b73f995568f46e63_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2684

\??\c:\users\admin\appdata\local\bujxqjmyvk
"C:\Users\Admin\AppData\Local\Temp\fc62e83e4105ebb4b73f995568f46e63_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\fc62e83e4105ebb4b73f995568f46e63_jaffacakes118.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1068

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 804
2⤵
- Program crash
PID:4044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4948 -ip 4948
1⤵
PID:1140

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 668
2⤵
- Program crash
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1604 -ip 1604
1⤵
PID:3580

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 1088
2⤵
- Program crash
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3956 -ip 3956
1⤵
PID:1632

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\svchost.exe.txt
Filesize
200B

MD5
c07d56dc80df60d954b01be83124268b

SHA1
c1d0185dc3ddffe462a16b9c45b2d15717e18294

SHA256
f85a1691ec0a4db465476e55d458d67785ff6a60b614880cdf38351085c2fad3

SHA512
4ebef73bd9162ec04921dee107110f6634638dae7f18cb0e31c6285f33e91e06f3969d624808c11fa4899977e13dd10ba8868dd48d1e5d7260b905efdc76434b

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt
Filesize
300B

MD5
a1066164883449d9f838cb7290db0e2b

SHA1
035e02e2da256d43e78f7dea962bb550d20c6937

SHA256
43a0054c0e16fe50efbde02c3dd2446369fcf7a2593900be8a33508ffa92bad6

SHA512
ea78545352e283b962d522bc512c929ff506af776b702d41c42ed1946918c31329e88a7d0678b29f05f80cbb2489ade908b8883444717d7b08abc618eb1f2bec

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\orxpd.cc3
Filesize
20.0MB

MD5
9af5aa4dd29797b94dff9e1e96bc5eff

SHA1
9e3ef4daa13dc5c6e162d490357f0d8c7203f951

SHA256
6f72028646f40e5f2b68c441260aec78116085bface946536aecf0d4dcec2300

SHA512
4fdc25942513ae07fcb11c00b4c0edfad1dc456da2a4a6fb7d1697b090e59b3ca1c1c820bac0279f8c0302265358f23f5819aa0a68376cb0dad94b424850bc35

Download Submit
\??\c:\users\admin\appdata\local\bujxqjmyvk
Filesize
20.2MB

MD5
7a3ea066dc80435e839279ac56775be3

SHA1
7cbf91408220ac6f1854efef0a3cebb30788e30f

SHA256
a7403233ef7077dadf1491ef76b2ff6277422481caafe158c897cfaab6a806d1

SHA512
bb5f2042820b00fd5de25282af57f9b6c6c55fb44dc91fdeb4a6b31cf621780fd9c06e9b280d51cc614362eabcea6c140733e1f435a92108af5d2f3b70d1f443

Download Submit
memory/1068-16-0x0000000000400000-0x000000000044E21C-memory.dmp

Filesize
312KB

Download
memory/1068-10-0x0000000000400000-0x000000000044E21C-memory.dmp

Filesize
312KB

Download
memory/1068-11-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1604-20-0x00000000019E0000-0x00000000019E1000-memory.dmp

Filesize
4KB

Download
memory/2684-0-0x0000000000400000-0x000000000044E21C-memory.dmp

Filesize
312KB

Download
memory/2684-7-0x0000000000400000-0x000000000044E21C-memory.dmp

Filesize
312KB

Download
memory/2684-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/3956-24-0x00000000016C0000-0x00000000016C1000-memory.dmp

Filesize
4KB

Download
memory/4948-17-0x00000000017F0000-0x00000000017F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads