gh0strat | 29431dc086499c7ee64236a365615be5e5c861452f047ffac5656120ece59266

Analysis

max time kernel
135s
max time network
148s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11/05/2024, 10:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

341381d3ac281fc1b3900be117f67274_JaffaCakes118.dll
Size

87KB
MD5

341381d3ac281fc1b3900be117f67274
SHA1

06948ab527ae415f32ed4b0f0d70be4a86b364a5
SHA256

29431dc086499c7ee64236a365615be5e5c861452f047ffac5656120ece59266
SHA512

19bae1b28db2d0efdcebf22187c1a9a02a257ef63f4f29864339ef0864f7455fcb538f9f020c29d5549d023e97536a7f48ed2baa63fdeeb43918ca64c8b694cf
SSDEEP

1536:oORSuuEJOj8AxibBeNSjd9g/VlDAu/7a3i+yjbRBJ28DLtY:Ruxj8zBPLIrDaRyXRRtY

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral1/memory/3004-12-0x0000000010000000-0x0000000010022000-memory.dmp	family_gh0strat
behavioral1/memory/3004-13-0x0000000010000000-0x0000000010022000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Blocklisted process makes network request 5 IoCs

flow	pid	Process
2	3004	rundll32.exe
5	3004	rundll32.exe
6	3004	rundll32.exe
7	3004	rundll32.exe
8	3004	rundll32.exe

Loads dropped DLL 4 IoCs

pid	Process
3004	rundll32.exe
3004	rundll32.exe
3004	rundll32.exe
3004	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysRat = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemRat.dll RunningRat"	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3004	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 2056	1368	rundll32.exe	28
PID 1368 wrote to memory of 2056	1368	rundll32.exe	28
PID 1368 wrote to memory of 2056	1368	rundll32.exe	28
PID 1368 wrote to memory of 2056	1368	rundll32.exe	28
PID 1368 wrote to memory of 2056	1368	rundll32.exe	28
PID 1368 wrote to memory of 2056	1368	rundll32.exe	28
PID 1368 wrote to memory of 2056	1368	rundll32.exe	28
PID 2056 wrote to memory of 3004	2056	rundll32.exe	29
PID 2056 wrote to memory of 3004	2056	rundll32.exe	29
PID 2056 wrote to memory of 3004	2056	rundll32.exe	29
PID 2056 wrote to memory of 3004	2056	rundll32.exe	29
PID 2056 wrote to memory of 3004	2056	rundll32.exe	29
PID 2056 wrote to memory of 3004	2056	rundll32.exe	29
PID 2056 wrote to memory of 3004	2056	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\341381d3ac281fc1b3900be117f67274_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\341381d3ac281fc1b3900be117f67274_JaffaCakes118.dll,#1
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Roaming\Microsoft\SystemRat.dll RunningRat
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\USERS\Public\result.log

Filesize
299B

MD5
be3f30de90635c5317d340ac31994349

SHA1
57e90c1facf6adae5ca219259342add0694ed200

SHA256
2fe015ae1827db259b0d4ff9ea036500a6614800bad824c13261a691243cada5

SHA512
1b7e941f77f199402d639bb25f67183c23c5a58440fc1f6360d5dec1e122331e65f7071067f42586ad0e43507e9aee5a031951a4305e8a7954f9c4c88ff47bc2

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\SystemRat.dll

Filesize
87KB

MD5
341381d3ac281fc1b3900be117f67274

SHA1
06948ab527ae415f32ed4b0f0d70be4a86b364a5

SHA256
29431dc086499c7ee64236a365615be5e5c861452f047ffac5656120ece59266

SHA512
19bae1b28db2d0efdcebf22187c1a9a02a257ef63f4f29864339ef0864f7455fcb538f9f020c29d5549d023e97536a7f48ed2baa63fdeeb43918ca64c8b694cf

Download Submit
memory/3004-12-0x0000000010000000-0x0000000010022000-memory.dmp

Filesize
136KB

Download
memory/3004-13-0x0000000010000000-0x0000000010022000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads