gh0strat | c07c011568614e3119d36a67fa208666c276f3500ca3ad1a156177c9e63cec70

General

Target

fc750f6c7b4c57b368e7c01aff4399ed_JaffaCakes118.exe
Size

95KB
MD5

fc750f6c7b4c57b368e7c01aff4399ed
SHA1

eacd83ebf16c89c0f90f9399bacc3db273df058f
SHA256

c07c011568614e3119d36a67fa208666c276f3500ca3ad1a156177c9e63cec70
SHA512

e9b1ca25c6a7db5c59c518d804750d68555a60ee371609807014245484054687eac8fbc652b10665205b4733420d5e37619e693a20b5febaa735f49427382f19
SSDEEP

1536:aMJFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8priIQmwpd:aMfS4jHS8q/3nTzePCwNUh4E9iy0d

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

Processes:

resource	yara_rule
\??\c:\programdata\application data\storm\update\%sessionname%\fkyre.cc3	family_gh0strat
behavioral2/memory/1916-15-0x0000000000400000-0x000000000044C60F-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Deletes itself 1 IoCs

Processes:

bstotfnyfw

pid process

1916 bstotfnyfw
Executes dropped EXE 1 IoCs

Processes:

bstotfnyfw

pid process

1916 bstotfnyfw
Loads dropped DLL 3 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

pid process

3968 svchost.exe
5096 svchost.exe
3436 svchost.exe

pid	process
1916	bstotfnyfw

pid	process
1916	bstotfnyfw

pid	process
3968	svchost.exe
5096	svchost.exe
3436	svchost.exe

Drops file in System32 directory 7 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\tfhodjpcnf	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\tfxtcsxubq	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\txlkxnyram	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\toowotenad	svchost.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

3248 3968 WerFault.exe svchost.exe
2040 5096 WerFault.exe svchost.exe
4284 3436 WerFault.exe svchost.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

bstotfnyfw

pid process

1916 bstotfnyfw
1916 bstotfnyfw

pid	pid_target	process	target process
3248	3968	WerFault.exe	svchost.exe
2040	5096	WerFault.exe	svchost.exe
4284	3436	WerFault.exe	svchost.exe

pid	process
1916	bstotfnyfw
1916	bstotfnyfw

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

bstotfnyfwsvchost.exesvchost.exesvchost.exe

description	pid	process
Token: SeRestorePrivilege	1916	bstotfnyfw
Token: SeBackupPrivilege	1916	bstotfnyfw
Token: SeBackupPrivilege	1916	bstotfnyfw
Token: SeRestorePrivilege	1916	bstotfnyfw
Token: SeBackupPrivilege	3968	svchost.exe
Token: SeRestorePrivilege	3968	svchost.exe
Token: SeBackupPrivilege	3968	svchost.exe
Token: SeBackupPrivilege	3968	svchost.exe
Token: SeSecurityPrivilege	3968	svchost.exe
Token: SeSecurityPrivilege	3968	svchost.exe
Token: SeBackupPrivilege	3968	svchost.exe
Token: SeBackupPrivilege	3968	svchost.exe
Token: SeSecurityPrivilege	3968	svchost.exe
Token: SeBackupPrivilege	3968	svchost.exe
Token: SeBackupPrivilege	3968	svchost.exe
Token: SeSecurityPrivilege	3968	svchost.exe
Token: SeBackupPrivilege	3968	svchost.exe
Token: SeRestorePrivilege	3968	svchost.exe
Token: SeBackupPrivilege	5096	svchost.exe
Token: SeRestorePrivilege	5096	svchost.exe
Token: SeBackupPrivilege	5096	svchost.exe
Token: SeBackupPrivilege	5096	svchost.exe
Token: SeSecurityPrivilege	5096	svchost.exe
Token: SeSecurityPrivilege	5096	svchost.exe
Token: SeBackupPrivilege	5096	svchost.exe
Token: SeBackupPrivilege	5096	svchost.exe
Token: SeSecurityPrivilege	5096	svchost.exe
Token: SeBackupPrivilege	3436	svchost.exe
Token: SeRestorePrivilege	3436	svchost.exe
Token: SeBackupPrivilege	3436	svchost.exe
Token: SeBackupPrivilege	3436	svchost.exe
Token: SeSecurityPrivilege	3436	svchost.exe
Token: SeSecurityPrivilege	3436	svchost.exe
Token: SeBackupPrivilege	3436	svchost.exe
Token: SeBackupPrivilege	3436	svchost.exe
Token: SeSecurityPrivilege	3436	svchost.exe
Token: SeBackupPrivilege	3436	svchost.exe
Token: SeBackupPrivilege	3436	svchost.exe
Token: SeSecurityPrivilege	3436	svchost.exe
Token: SeBackupPrivilege	3436	svchost.exe
Token: SeRestorePrivilege	3436	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

fc750f6c7b4c57b368e7c01aff4399ed_JaffaCakes118.exe

description	pid	process	target process
PID 1904 wrote to memory of 1916	1904	fc750f6c7b4c57b368e7c01aff4399ed_JaffaCakes118.exe	bstotfnyfw
PID 1904 wrote to memory of 1916	1904	fc750f6c7b4c57b368e7c01aff4399ed_JaffaCakes118.exe	bstotfnyfw
PID 1904 wrote to memory of 1916	1904	fc750f6c7b4c57b368e7c01aff4399ed_JaffaCakes118.exe	bstotfnyfw

C:\Users\Admin\AppData\Local\Temp\fc750f6c7b4c57b368e7c01aff4399ed_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fc750f6c7b4c57b368e7c01aff4399ed_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1904

\??\c:\users\admin\appdata\local\bstotfnyfw
"C:\Users\Admin\AppData\Local\Temp\fc750f6c7b4c57b368e7c01aff4399ed_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\fc750f6c7b4c57b368e7c01aff4399ed_jaffacakes118.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 1124
2⤵
- Program crash
PID:3248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3968 -ip 3968
1⤵
PID:3252

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 1104
2⤵
- Program crash
PID:2040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5096 -ip 5096
1⤵
PID:1804

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 892
2⤵
- Program crash
PID:4284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3436 -ip 3436
1⤵
PID:1728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3900 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
1⤵
PID:1920

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\bstotfnyfw
Filesize
23.1MB

MD5
cd6adc217369fa3ba7309efb3976c0c2

SHA1
2c7b4a1a926b083b7583633ad800fa3820c98437

SHA256
9b446a9196d7af47760f55b3823fd06bafc88de1ac7281d84901d621b8b03495

SHA512
827b9ad2fa19c5172e4df5de8a23fa168a4796afb0dd585a0119cd4c822030bb62d2d1965275eabcad35ac1a586ef63718e54d583e8a2f0fa80d69def1d33c46

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt
Filesize
201B

MD5
3e031d43cbe675af8cc34ebbedd1778a

SHA1
86c3712d603a80438417d63378f39fb08fe03b83

SHA256
1ff45f9f89d12105755d00ac5c4f8465d40fdcaece83e6f9df6f9e17c785a982

SHA512
c116943816244c7d2167eaf2725efeb47ac5111911d10ede6dc2c24a65434aa3bc4b42c332ab2bc0958a7c2b8edf33f4906cc3941697f1b8d54643873a3abcd2

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt
Filesize
301B

MD5
fad94333877e9548ed8d041094033e81

SHA1
02f155d19d3f4e15a61a2aef45afb8c44c2ad0aa

SHA256
3b1e210e597f321941f1401fb2e131bfaaaea76a29d1bc75d4ebbad4d8e72e16

SHA512
f47efb9a53d4b7ae856478f16c6f98f2affa2c198622e565e3d50770e29c830ce754ec93b929a84076ad443479e2940ca59e8b54e0943d583911c20b613a3fc2

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\fkyre.cc3
Filesize
19.0MB

MD5
bfab3c23b0420546b693831f26724cfa

SHA1
301da2f45646dd456f8838a694f64447980f6e43

SHA256
979afd88722510a556c609e0508414fb0e2ac98ef0efa982d00a1c2607ac9689

SHA512
0339145eeaca321595d549bcafc541aeca1dc11bc4f0b991170527e7d39b3e90acb33ce55e5520fdd45088f499b3e71f6e7dd7d2cb4161b02d2dedfc8cc9fc4a

Download Submit
memory/1904-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1904-0-0x0000000000400000-0x000000000044C60F-memory.dmp

Filesize
305KB

Download
memory/1904-10-0x0000000000400000-0x000000000044C60F-memory.dmp

Filesize
305KB

Download
memory/1916-7-0x0000000000400000-0x000000000044C60F-memory.dmp

Filesize
305KB

Download
memory/1916-15-0x0000000000400000-0x000000000044C60F-memory.dmp

Filesize
305KB

Download
memory/1916-11-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/3436-25-0x0000000000F90000-0x0000000000F91000-memory.dmp

Filesize
4KB

Download
memory/3968-18-0x0000000001BF0000-0x0000000001BF1000-memory.dmp

Filesize
4KB

Download
memory/5096-21-0x00000000019D0000-0x00000000019D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads