gh0strat | a997a35f57b80da86eeb8fbf74fe82b3dc44adac2f4e85364c250a59a677540c | Triage

Submit
Reports

Overview

overview

Static

static

7

4cdd8a1e35...18.exe

windows7-x64

4cdd8a1e35...18.exe

windows10-2004-x64

Sharing

General

Target

4cdd8a1e35b69ac641523db139e401af_JaffaCakes118
Size

34KB
Sample

240516-y39slseg3s
MD5

4cdd8a1e35b69ac641523db139e401af
SHA1

5907953486632332fc8524eaa18040fa4034e666
SHA256

a997a35f57b80da86eeb8fbf74fe82b3dc44adac2f4e85364c250a59a677540c
SHA512

e4b68cd5459cb33c703f40a09d4a0f6cb9962478ccc6720b46a8656bb427f0f4c44b827719ffc626a1857157fc4da24e8fa30e55437f833d3f6aef02bd96f4a2
SSDEEP

768:iw/iOWTK3JWhOM/qZh7UJGcZ/RzdUKRFvnbcuyD7UHLAj:RQK52fqZSIAZS2nouy88j

Score

10^/10

gh0strat runningrat persistence rat upx

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

4cdd8a1e35b69ac641523db139e401af_JaffaCakes118.exe

Resource

win7-20240508-en

gh0strat runningrat persistence rat upx

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

4cdd8a1e35b69ac641523db139e401af_JaffaCakes118.exe

Resource

win10v2004-20240426-en

gh0strat runningrat persistence rat upx

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

gh0strat

C2

post.f2pool.info

Targets

- Target
  
  4cdd8a1e35b69ac641523db139e401af_JaffaCakes118
- Size
  
  34KB
- MD5
  
  4cdd8a1e35b69ac641523db139e401af
- SHA1
  
  5907953486632332fc8524eaa18040fa4034e666
- SHA256
  
  a997a35f57b80da86eeb8fbf74fe82b3dc44adac2f4e85364c250a59a677540c
- SHA512
  
  e4b68cd5459cb33c703f40a09d4a0f6cb9962478ccc6720b46a8656bb427f0f4c44b827719ffc626a1857157fc4da24e8fa30e55437f833d3f6aef02bd96f4a2
- SSDEEP
  
  768:iw/iOWTK3JWhOM/qZh7UJGcZ/RzdUKRFvnbcuyD7UHLAj:RQK52fqZSIAZS2nouy88j
Score

10^/10

gh0strat runningrat persistence rat upx
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- RunningRat
  RunningRat is a remote access trojan first seen in 2018.
  rat runningrat
- Sets DLL path for service in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Creates a Windows Service
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gh0stratrunningratpersistenceratupx

behavioral2

gh0stratrunningratpersistenceratupx

© 2018-2024

Terms | Privacy