gh0strat | dea1eb2076ae50fcbf957bc4d16b821feafecfff19412866688898c55096d6a4

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e65d41d8af3502c4e0ff743e282f2fb_JaffaCakes118.exe
Size

96KB
MD5

0e65d41d8af3502c4e0ff743e282f2fb
SHA1

af0c603c5fe9cf5cb5ce23f81a657ebd01ee8e43
SHA256

dea1eb2076ae50fcbf957bc4d16b821feafecfff19412866688898c55096d6a4
SHA512

e8559db28b40e3d44e2ca700f84e33a7c6d3b7780d85316f9eb24eeda0e267fe4dda6e7591ab9848b54d01fc1ce4d1c5649d665f82ff71ef555a1e2671610586
SSDEEP

1536:ahFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prDH5VXeteq5ag:a3S4jHS8q/3nTzePCwNUh4E975FTqQg

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x00080000000233fc-15.dat	family_gh0strat
behavioral2/memory/232-17-0x0000000000400000-0x000000000044E308-memory.dmp	family_gh0strat
behavioral2/memory/348-20-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/3560-25-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/856-30-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
232	conftdcrbk

Executes dropped EXE 1 IoCs

pid	Process
232	conftdcrbk

Loads dropped DLL 3 IoCs

pid	Process
348	svchost.exe
3560	svchost.exe
856	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\tpklhspqhg	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\txyepusoub	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\thwrapntul	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3816	348	WerFault.exe	83
472	3560	WerFault.exe	87
1680	856	WerFault.exe	90

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
232	conftdcrbk
232	conftdcrbk

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	232	conftdcrbk
Token: SeBackupPrivilege	232	conftdcrbk
Token: SeBackupPrivilege	232	conftdcrbk
Token: SeRestorePrivilege	232	conftdcrbk
Token: SeBackupPrivilege	348	svchost.exe
Token: SeRestorePrivilege	348	svchost.exe
Token: SeBackupPrivilege	348	svchost.exe
Token: SeBackupPrivilege	348	svchost.exe
Token: SeSecurityPrivilege	348	svchost.exe
Token: SeSecurityPrivilege	348	svchost.exe
Token: SeBackupPrivilege	348	svchost.exe
Token: SeBackupPrivilege	348	svchost.exe
Token: SeSecurityPrivilege	348	svchost.exe
Token: SeBackupPrivilege	348	svchost.exe
Token: SeBackupPrivilege	348	svchost.exe
Token: SeSecurityPrivilege	348	svchost.exe
Token: SeBackupPrivilege	348	svchost.exe
Token: SeRestorePrivilege	348	svchost.exe
Token: SeBackupPrivilege	3560	svchost.exe
Token: SeRestorePrivilege	3560	svchost.exe
Token: SeBackupPrivilege	3560	svchost.exe
Token: SeBackupPrivilege	3560	svchost.exe
Token: SeSecurityPrivilege	3560	svchost.exe
Token: SeSecurityPrivilege	3560	svchost.exe
Token: SeBackupPrivilege	3560	svchost.exe
Token: SeBackupPrivilege	3560	svchost.exe
Token: SeSecurityPrivilege	3560	svchost.exe
Token: SeBackupPrivilege	3560	svchost.exe
Token: SeBackupPrivilege	3560	svchost.exe
Token: SeSecurityPrivilege	3560	svchost.exe
Token: SeBackupPrivilege	3560	svchost.exe
Token: SeRestorePrivilege	3560	svchost.exe
Token: SeBackupPrivilege	856	svchost.exe
Token: SeRestorePrivilege	856	svchost.exe
Token: SeBackupPrivilege	856	svchost.exe
Token: SeBackupPrivilege	856	svchost.exe
Token: SeSecurityPrivilege	856	svchost.exe
Token: SeSecurityPrivilege	856	svchost.exe
Token: SeBackupPrivilege	856	svchost.exe
Token: SeBackupPrivilege	856	svchost.exe
Token: SeSecurityPrivilege	856	svchost.exe
Token: SeBackupPrivilege	856	svchost.exe
Token: SeBackupPrivilege	856	svchost.exe
Token: SeSecurityPrivilege	856	svchost.exe
Token: SeBackupPrivilege	856	svchost.exe
Token: SeRestorePrivilege	856	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 232	2544	0e65d41d8af3502c4e0ff743e282f2fb_JaffaCakes118.exe	82
PID 2544 wrote to memory of 232	2544	0e65d41d8af3502c4e0ff743e282f2fb_JaffaCakes118.exe	82
PID 2544 wrote to memory of 232	2544	0e65d41d8af3502c4e0ff743e282f2fb_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\0e65d41d8af3502c4e0ff743e282f2fb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0e65d41d8af3502c4e0ff743e282f2fb_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2544
- \??\c:\users\admin\appdata\local\conftdcrbk
  "C:\Users\Admin\AppData\Local\Temp\0e65d41d8af3502c4e0ff743e282f2fb_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\0e65d41d8af3502c4e0ff743e282f2fb_jaffacakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:232

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:348
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 348 -s 824
  2⤵
  - Program crash
  PID:3816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 348 -ip 348
1⤵
PID:3232

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3560
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 1036
  2⤵
  - Program crash
  PID:472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3560 -ip 3560
1⤵
PID:4048

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:856
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 1108
  2⤵
  - Program crash
  PID:1680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 856 -ip 856
1⤵
PID:3512

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\conftdcrbk

Filesize
24.5MB

MD5
ba88732da8593ad08bbcf4cb3222870c

SHA1
700da7086a47f2d34de27ca5d0a44cebc41e78d3

SHA256
cbfd824b164d67e21265bddbbdd4a992fed8b81624e9e461ff5c29dbf8109b35

SHA512
f9acdbb7b919d0b1498404921c126389cebb92d0f4fffafaefa9d768103bdae39e5c2962ed3dcf156bb25e82e5d9c3e84063b8257e6c0af2f1b42d1b1e274d5c

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
204B

MD5
c8ae890b5c6ea697348b4d30ceeb1b06

SHA1
b7a01ac2b3c0db3bf422a06d2cceb7d28a253a91

SHA256
9d3c207ea78865075e92163546d47ece9ab3bf0f19f016d283fa8d338e117d2f

SHA512
24eab3c3a76b2d08d45f3451846c45012d0a9b754884b25a8321d4c7599b06cb6c850572f30c5c90f4341f3140269b3b7a5d3937e5dbfcade244241a48aeb3b2

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
264B

MD5
316d0c7992e156e39a06056daea51f42

SHA1
b7c614cb5713054d9d1fd3702fc9f5c4f7567975

SHA256
eae6ff04f1b52173851dcbc2397db9439e9ae9f6f74bc93441234c77aa6f09d5

SHA512
82f5cf75a02666f339a8b2953cd67cf185dbfa37c4bfdfe56b309e4dfa07ff5a715d1c4ab6ee46aa4624d20c5693d92addf261381a671c064bb295c8c277be0a

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\gsrjr.cc3

Filesize
22.0MB

MD5
9b8140ff4757769e9e7a799d5f24ce01

SHA1
684891cdc896aec5bd28be388cbb142bdc2a53b6

SHA256
7c63d895fa17e933261c5c4ba64f7ee3dcb267d4b4f542f269c2820f514bd538

SHA512
6c8944507662f9b548dd0e179fb43c5ec19441dc2c0807e22ce1932b9d8b568ad1e3a045f8072d42791b34087a63d51493a9b65c93771bb3bbe959c75445485d

Download Submit
memory/232-17-0x0000000000400000-0x000000000044E308-memory.dmp

Filesize
312KB

Download
memory/232-12-0x0000000000400000-0x000000000044E308-memory.dmp

Filesize
312KB

Download
memory/232-11-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/348-18-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/348-20-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/856-27-0x00000000019F0000-0x00000000019F1000-memory.dmp

Filesize
4KB

Download
memory/856-30-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2544-2-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2544-10-0x0000000000400000-0x000000000044E308-memory.dmp

Filesize
312KB

Download
memory/2544-1-0x0000000000400000-0x000000000044E308-memory.dmp

Filesize
312KB

Download
memory/3560-22-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/3560-25-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download