gh0strat | 33b840aad4985d882b0c3f693b2f809b6f90f3ad5824db70f8721ade9befe1f2

General

Target

52f4cc475bb2d26643911e24a0fbcd2e_JaffaCakes118.exe
Size

144KB
MD5

52f4cc475bb2d26643911e24a0fbcd2e
SHA1

daa56e8f913a0e7fd100b9352bc493185b836205
SHA256

33b840aad4985d882b0c3f693b2f809b6f90f3ad5824db70f8721ade9befe1f2
SHA512

6f75fdd9c471f7287d8a8d62944c5b6e6f7458b3309b12b5062240d45bb3cbd40512f3c48b1dc0e0b8c12f9929daa69e5c6f1d67cf36dfbafd99ef25f6cf2e24
SSDEEP

3072:jCsYL2yBf6l7T93e4qht2Axc1ejihAyuRfGo3J5db5l:fhyae4St2w7OZ+/Xr

Score

10^/10

gh0strat runningrat persistence rat vmprotect

Malware Config

Extracted

Family

gh0strat

C2

aiac.f3322.net

Signatures

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023417-3.dat	family_gh0strat
behavioral2/memory/1516-6-0x0000000000400000-0x0000000000450000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
RunningRat
RunningRat is a remote access trojan first seen in 2018.
rat runningrat

RunningRat payload 1 IoCs

resource	yara_rule
behavioral2/memory/1516-1-0x0000000000400000-0x0000000000450000-memory.dmp	family_runningrat

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\CertPropSvc\Parameters\ServiceDll = "C:\\Program Files (x86)\\Google\\240599546.dll"	52f4cc475bb2d26643911e24a0fbcd2e_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	52f4cc475bb2d26643911e24a0fbcd2e_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
1516	52f4cc475bb2d26643911e24a0fbcd2e_JaffaCakes118.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/1516-0-0x0000000000400000-0x0000000000450000-memory.dmp	vmprotect
behavioral2/memory/1516-1-0x0000000000400000-0x0000000000450000-memory.dmp	vmprotect
behavioral2/memory/1516-6-0x0000000000400000-0x0000000000450000-memory.dmp	vmprotect

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\240599546.dll	52f4cc475bb2d26643911e24a0fbcd2e_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4964	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1516	52f4cc475bb2d26643911e24a0fbcd2e_JaffaCakes118.exe
1516	52f4cc475bb2d26643911e24a0fbcd2e_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1516	52f4cc475bb2d26643911e24a0fbcd2e_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1516	52f4cc475bb2d26643911e24a0fbcd2e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 2620	1516	52f4cc475bb2d26643911e24a0fbcd2e_JaffaCakes118.exe	82
PID 1516 wrote to memory of 2620	1516	52f4cc475bb2d26643911e24a0fbcd2e_JaffaCakes118.exe	82
PID 1516 wrote to memory of 2620	1516	52f4cc475bb2d26643911e24a0fbcd2e_JaffaCakes118.exe	82
PID 2620 wrote to memory of 4964	2620	cmd.exe	84
PID 2620 wrote to memory of 4964	2620	cmd.exe	84
PID 2620 wrote to memory of 4964	2620	cmd.exe	84

C:\Users\Admin\AppData\Local\Temp\52f4cc475bb2d26643911e24a0fbcd2e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\52f4cc475bb2d26643911e24a0fbcd2e_JaffaCakes118.exe"
1⤵
- Sets DLL path for service in the registry
- Checks computer location settings
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\Admin\AppData\Local\Temp\52f4cc475bb2d26643911e24a0fbcd2e_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 1
    3⤵
    - Runs ping.exe
    PID:4964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\240599546.dll

Filesize
37KB

MD5
b623304c1ab787882a5e69709bb2adfb

SHA1
02f3d53e8fce05f3fcc8157d392dd4d18ef91754

SHA256
fc2a35e4937b24ec62d9aa7a437b690ea907111722fdbf7f12d3e9a0a4fc46c7

SHA512
3f08b3e8555c44ee2376e6d386e1b5bd6faaa64f2d480eb7459ca24cdafb31d1d3e4b83c3d16da99c31d1bca8f1ab273514afe551558a5d85998495e522aefd2

Download Submit
memory/1516-0-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1516-1-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1516-6-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads