gh0strat | 5d176047bf863b5efbc3da771af58acba1a59f933807aec5bc0929e71822e7a8

Resubmissions

27/06/2024, 12:49

240627-p2twbsscpa 10

27/06/2024, 12:45

240627-py2f1avanr 10

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 12:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

160f0df132f7ef72bb0925d66fc9fc7f_JaffaCakes118.exe
Size

96KB
MD5

160f0df132f7ef72bb0925d66fc9fc7f
SHA1

508c55d6ff391df0b4e4efdd7786bdaffd10a23d
SHA256

5d176047bf863b5efbc3da771af58acba1a59f933807aec5bc0929e71822e7a8
SHA512

15c764d6aca16fcb01d8fbe8a9a3944643ada7a739a9fab1102729451e49efbb3750b8fd258fd96fad5b786ff93aa6c89b0bde0d0f8e4e12ee29af9973d6cf6e
SSDEEP

1536:8uFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8przeoobQdbNcO0sJ:8US4jHS8q/3nTzePCwNUh4E9zeoVPWsJ

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023455-15.dat	family_gh0strat
behavioral2/memory/2000-18-0x0000000000400000-0x000000000044E360-memory.dmp	family_gh0strat
behavioral2/memory/4476-21-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/3352-26-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/2720-31-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
2000	cnffgdhntj

Executes dropped EXE 1 IoCs

pid	Process
2000	cnffgdhntj

Loads dropped DLL 3 IoCs

pid	Process
4476	svchost.exe
3352	svchost.exe
2720	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\lgadyvkhfx	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\lxmkrsijsd	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\lgadyvkhfx	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1416	4476	WerFault.exe	93
4480	3352	WerFault.exe	99
3488	2720	WerFault.exe	102

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2000	cnffgdhntj
2000	cnffgdhntj

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	2000	cnffgdhntj
Token: SeBackupPrivilege	2000	cnffgdhntj
Token: SeBackupPrivilege	2000	cnffgdhntj
Token: SeRestorePrivilege	2000	cnffgdhntj
Token: SeBackupPrivilege	4476	svchost.exe
Token: SeRestorePrivilege	4476	svchost.exe
Token: SeBackupPrivilege	4476	svchost.exe
Token: SeBackupPrivilege	4476	svchost.exe
Token: SeSecurityPrivilege	4476	svchost.exe
Token: SeSecurityPrivilege	4476	svchost.exe
Token: SeBackupPrivilege	4476	svchost.exe
Token: SeBackupPrivilege	4476	svchost.exe
Token: SeSecurityPrivilege	4476	svchost.exe
Token: SeBackupPrivilege	4476	svchost.exe
Token: SeBackupPrivilege	4476	svchost.exe
Token: SeSecurityPrivilege	4476	svchost.exe
Token: SeBackupPrivilege	4476	svchost.exe
Token: SeRestorePrivilege	4476	svchost.exe
Token: SeBackupPrivilege	3352	svchost.exe
Token: SeRestorePrivilege	3352	svchost.exe
Token: SeBackupPrivilege	3352	svchost.exe
Token: SeBackupPrivilege	3352	svchost.exe
Token: SeSecurityPrivilege	3352	svchost.exe
Token: SeSecurityPrivilege	3352	svchost.exe
Token: SeBackupPrivilege	3352	svchost.exe
Token: SeBackupPrivilege	3352	svchost.exe
Token: SeSecurityPrivilege	3352	svchost.exe
Token: SeBackupPrivilege	3352	svchost.exe
Token: SeBackupPrivilege	3352	svchost.exe
Token: SeSecurityPrivilege	3352	svchost.exe
Token: SeBackupPrivilege	3352	svchost.exe
Token: SeRestorePrivilege	3352	svchost.exe
Token: SeBackupPrivilege	2720	svchost.exe
Token: SeRestorePrivilege	2720	svchost.exe
Token: SeBackupPrivilege	2720	svchost.exe
Token: SeBackupPrivilege	2720	svchost.exe
Token: SeSecurityPrivilege	2720	svchost.exe
Token: SeSecurityPrivilege	2720	svchost.exe
Token: SeBackupPrivilege	2720	svchost.exe
Token: SeBackupPrivilege	2720	svchost.exe
Token: SeSecurityPrivilege	2720	svchost.exe
Token: SeBackupPrivilege	2720	svchost.exe
Token: SeBackupPrivilege	2720	svchost.exe
Token: SeSecurityPrivilege	2720	svchost.exe
Token: SeBackupPrivilege	2720	svchost.exe
Token: SeRestorePrivilege	2720	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 2000	2508	160f0df132f7ef72bb0925d66fc9fc7f_JaffaCakes118.exe	87
PID 2508 wrote to memory of 2000	2508	160f0df132f7ef72bb0925d66fc9fc7f_JaffaCakes118.exe	87
PID 2508 wrote to memory of 2000	2508	160f0df132f7ef72bb0925d66fc9fc7f_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\160f0df132f7ef72bb0925d66fc9fc7f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\160f0df132f7ef72bb0925d66fc9fc7f_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2508
- \??\c:\users\admin\appdata\local\cnffgdhntj
  "C:\Users\Admin\AppData\Local\Temp\160f0df132f7ef72bb0925d66fc9fc7f_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\160f0df132f7ef72bb0925d66fc9fc7f_jaffacakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2000

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4476
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 1088
  2⤵
  - Program crash
  PID:1416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4476 -ip 4476
1⤵
PID:3340

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3352
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 932
  2⤵
  - Program crash
  PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3352 -ip 3352
1⤵
PID:2936

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2720
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 1052
  2⤵
  - Program crash
  PID:3488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2720 -ip 2720
1⤵
PID:4560

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\cnffgdhntj

Filesize
23.9MB

MD5
3e68b365248e1d495bcb91d92d390576

SHA1
79d3183eac0ab7046733fe52cd66b391aadaf3fe

SHA256
9a8955dc21d2409bbd2a4cac846f6c42ab6194c40d407a1215e75b906744d615

SHA512
e0e127a581519915a9114a679c9793f36ae27a619ed4e42bcf63fd728e04267b8e0c9baa1eb6e1fdf18355e88d7cd9dbc84148276e885a5ebcfd50b3786b9bf0

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
204B

MD5
64be1c410bd316526f4bbb351a54250d

SHA1
f1e1fdffa26bed28a463c4fa9740063b610b2bfa

SHA256
37023d846dd80ae85f316e166e158b081619b09b86960aa2fc443ebe17af7a68

SHA512
b1ca0e5b7f84ddd2b5238eac2747970f036b926875554ba57798b1b4ff75ddda8f7679ab6a07e9787a2883bca2036a360eae22f1a03a1a409c890463a67943f6

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
306B

MD5
3b093e1c77930ad3c80222149c7c480b

SHA1
89623de711d607192b767a2dfeb9995a33806520

SHA256
4eb70ada9066bec5ca844751ed106a38be92c0549fef4cca2c3817bfb5f7d905

SHA512
5070401c695e570e2287489f546c03155347a59d901d73cc46cea6f2c19dffe9515a796eb4dcd1d06d5505339ae9ad9d3ae5d3941bfc33fd3179a7ee6462aef1

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\nhlig.cc3

Filesize
21.0MB

MD5
703323043260c5b92815388d54f11183

SHA1
f6434414345360a05407a81c20cbe39830716ad3

SHA256
eeb4b4d50f137d69d9bf12704eadecfc11281cc57ecb238289c7a08f0265acf9

SHA512
d4441aacb5281da73efdbd0480c5d00c0516fd735ecf8e484676396ef0642082f9aaa7e752c387959b22a48078057fbd88d76510dfbd417730fe8ccb359a2fbc

Download Submit
memory/2000-12-0x0000000000400000-0x000000000044E360-memory.dmp

Filesize
312KB

Download
memory/2000-11-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2000-18-0x0000000000400000-0x000000000044E360-memory.dmp

Filesize
312KB

Download
memory/2508-0-0x0000000000400000-0x000000000044E360-memory.dmp

Filesize
312KB

Download
memory/2508-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2508-8-0x0000000000400000-0x000000000044E360-memory.dmp

Filesize
312KB

Download
memory/2720-31-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2720-28-0x0000000001DA0000-0x0000000001DA1000-memory.dmp

Filesize
4KB

Download
memory/3352-26-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/3352-23-0x0000000001500000-0x0000000001501000-memory.dmp

Filesize
4KB

Download
memory/4476-21-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4476-19-0x0000000001300000-0x0000000001301000-memory.dmp

Filesize
4KB

Download