gh0strat | 4ede99f5c5f44b2f9e573c23eed940512cdaa1ab578ac4548e511e0b0c1b24e9

General

Target

28791769da9ed51d070020058e9c172c_JaffaCakes118.exe
Size

112KB
MD5

28791769da9ed51d070020058e9c172c
SHA1

a9060e5b1c51da2b213917cec15a0ff51aecde05
SHA256

4ede99f5c5f44b2f9e573c23eed940512cdaa1ab578ac4548e511e0b0c1b24e9
SHA512

04ea27c1cfe4f4937cdaf204c3883bd395b289e400bf51fa945ca24fecc4813f626e3920445db5fcaa22b1cfdf8ca0922779a87ee993d1dfac7695237d8d1973
SSDEEP

1536:vqEA70HzLJksPEOajozLElnqiO2UdJ/tHi:vXTLJkQ7zAV3mtC

Score

10^/10

gh0strat persistence rat

Malware Config

Extracted

Family

gh0strat

C2

1.234.27.25

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000d000000014267-1.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SRDSL\Parameters\ServiceDll = "C:\\Program Files (x86)\\Google\\259421925.dll"	28791769da9ed51d070020058e9c172c_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
1724	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1036	SRDSL.exe

Loads dropped DLL 7 IoCs

pid	Process
2020	28791769da9ed51d070020058e9c172c_JaffaCakes118.exe
1716	svchost.exe
1716	svchost.exe
1036	SRDSL.exe
1036	SRDSL.exe
1036	SRDSL.exe
1036	SRDSL.exe

Creates a Windows Service
persistence

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\SRDSL.exe	svchost.exe
File created	C:\Windows\SysWOW64\SRDSL.exe	svchost.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\259421925.dll	28791769da9ed51d070020058e9c172c_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2208	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2020	28791769da9ed51d070020058e9c172c_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2020	28791769da9ed51d070020058e9c172c_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2020	28791769da9ed51d070020058e9c172c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 1724	2020	28791769da9ed51d070020058e9c172c_JaffaCakes118.exe	30
PID 2020 wrote to memory of 1724	2020	28791769da9ed51d070020058e9c172c_JaffaCakes118.exe	30
PID 2020 wrote to memory of 1724	2020	28791769da9ed51d070020058e9c172c_JaffaCakes118.exe	30
PID 2020 wrote to memory of 1724	2020	28791769da9ed51d070020058e9c172c_JaffaCakes118.exe	30
PID 1724 wrote to memory of 2208	1724	cmd.exe	32
PID 1724 wrote to memory of 2208	1724	cmd.exe	32
PID 1724 wrote to memory of 2208	1724	cmd.exe	32
PID 1724 wrote to memory of 2208	1724	cmd.exe	32
PID 1716 wrote to memory of 1036	1716	svchost.exe	33
PID 1716 wrote to memory of 1036	1716	svchost.exe	33
PID 1716 wrote to memory of 1036	1716	svchost.exe	33
PID 1716 wrote to memory of 1036	1716	svchost.exe	33

C:\Users\Admin\AppData\Local\Temp\28791769da9ed51d070020058e9c172c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\28791769da9ed51d070020058e9c172c_JaffaCakes118.exe"
1⤵
- Sets DLL path for service in the registry
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\Admin\AppData\Local\Temp\28791769da9ed51d070020058e9c172c_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 1
    3⤵
    - Runs ping.exe
    PID:2208

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "SRDSL"
1⤵
PID:2080

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "SRDSL"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Windows\SysWOW64\SRDSL.exe
  C:\Windows\system32\SRDSL.exe "c:\program files (x86)\google\259421925.dll",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\Google\259421925.dll

Filesize
37KB

MD5
824ee7b538e849cf006eeaa43f908392

SHA1
f8f0f86144fd9b8e7a7165b483527a61e22ba4c4

SHA256
a627c5126a8f6a4d3293b26221976ce5f0bbf514e97ec5c54a07560fb748c9aa

SHA512
8f8d559ef9ae64a569cbc8efb4602a5189ad2eb81f89e44c0fb7d4e29fa21e284c0aad5290a012eb51386eeaf07d66bc54e507f4337fce894cddff9a489286df

Download Submit
\Windows\SysWOW64\SRDSL.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads