gh0strat | 5d176047bf863b5efbc3da771af58acba1a59f933807aec5bc0929e71822e7a8 | Triage

Resubmissions

27/06/2024, 12:49 UTC

240627-p2twbsscpa 10

27/06/2024, 12:45 UTC

240627-py2f1avanr 10

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
27/06/2024, 12:45 UTC

Sharing

Report Analysis Logs

General

Target

160f0df132f7ef72bb0925d66fc9fc7f_JaffaCakes118.exe
Size

96KB
MD5

160f0df132f7ef72bb0925d66fc9fc7f
SHA1

508c55d6ff391df0b4e4efdd7786bdaffd10a23d
SHA256

5d176047bf863b5efbc3da771af58acba1a59f933807aec5bc0929e71822e7a8
SHA512

15c764d6aca16fcb01d8fbe8a9a3944643ada7a739a9fab1102729451e49efbb3750b8fd258fd96fad5b786ff93aa6c89b0bde0d0f8e4e12ee29af9973d6cf6e
SSDEEP

1536:8uFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8przeoobQdbNcO0sJ:8US4jHS8q/3nTzePCwNUh4E9zeoVPWsJ

Score

10^/10

gh0strat bootkit persistence rat

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral1/files/0x000a000000013404-20.dat	family_gh0strat
behavioral1/memory/1084-22-0x0000000000400000-0x000000000044E360-memory.dmp	family_gh0strat
behavioral1/memory/2272-25-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral1/memory/2272-27-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
1084	hncrnfktpv

Executes dropped EXE 1 IoCs

pid	Process
1084	hncrnfktpv

Loads dropped DLL 3 IoCs

pid	Process
2372	160f0df132f7ef72bb0925d66fc9fc7f_JaffaCakes118.exe
2372	160f0df132f7ef72bb0925d66fc9fc7f_JaffaCakes118.exe
2272	svchost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kfseyilnnd	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7"	svchost.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1084	hncrnfktpv
2272	svchost.exe
2272	svchost.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeRestorePrivilege	1084	hncrnfktpv
Token: SeBackupPrivilege	1084	hncrnfktpv
Token: SeBackupPrivilege	1084	hncrnfktpv
Token: SeRestorePrivilege	1084	hncrnfktpv
Token: SeBackupPrivilege	2272	svchost.exe
Token: SeRestorePrivilege	2272	svchost.exe
Token: SeBackupPrivilege	2272	svchost.exe
Token: SeBackupPrivilege	2272	svchost.exe
Token: SeSecurityPrivilege	2272	svchost.exe
Token: SeSecurityPrivilege	2272	svchost.exe
Token: SeBackupPrivilege	2272	svchost.exe
Token: SeBackupPrivilege	2272	svchost.exe
Token: SeSecurityPrivilege	2272	svchost.exe
Token: SeBackupPrivilege	2272	svchost.exe
Token: SeBackupPrivilege	2272	svchost.exe
Token: SeSecurityPrivilege	2272	svchost.exe
Token: SeBackupPrivilege	2272	svchost.exe
Token: SeRestorePrivilege	2272	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 1084	2372	160f0df132f7ef72bb0925d66fc9fc7f_JaffaCakes118.exe	28
PID 2372 wrote to memory of 1084	2372	160f0df132f7ef72bb0925d66fc9fc7f_JaffaCakes118.exe	28
PID 2372 wrote to memory of 1084	2372	160f0df132f7ef72bb0925d66fc9fc7f_JaffaCakes118.exe	28
PID 2372 wrote to memory of 1084	2372	160f0df132f7ef72bb0925d66fc9fc7f_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\160f0df132f7ef72bb0925d66fc9fc7f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\160f0df132f7ef72bb0925d66fc9fc7f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2372
- \??\c:\users\admin\appdata\local\hncrnfktpv
  "C:\Users\Admin\AppData\Local\Temp\160f0df132f7ef72bb0925d66fc9fc7f_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\160f0df132f7ef72bb0925d66fc9fc7f_jaffacakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1084

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2272

Network

DNS

bibo9.8800.org

netsvcs

Remote address:

8.8.8.8:53

Request

bibo9.8800.org

IN A

Response

bibo9.8800.org

IN A

59.24.3.174
DNS

conf.f.360.cn

netsvcs

Remote address:

8.8.8.8:53

Request

conf.f.360.cn

IN A

Response

conf.f.360.cn

IN CNAME

conf.f.qh-lb.com

conf.f.qh-lb.com

IN A

180.163.222.151

conf.f.qh-lb.com

IN A

180.163.243.109
DNS

bibo9.8800.org

netsvcs

Remote address:

8.8.8.8:53

Request

bibo9.8800.org

IN A

Response

bibo9.8800.org

IN A

93.46.8.90

59.24.3.174:889

bibo9.8800.org

netsvcs

152 B
3
93.46.8.90:889

bibo9.8800.org

netsvcs

52 B
1

8.8.8.8:53

bibo9.8800.org

dns

netsvcs

60 B
76 B
1
1

DNS Request

bibo9.8800.org

DNS Response

59.24.3.174
8.8.8.8:53

conf.f.360.cn

dns

netsvcs

59 B
121 B
1
1

DNS Request

conf.f.360.cn

DNS Response

180.163.222.151

180.163.243.109
8.8.8.8:53

bibo9.8800.org

dns

netsvcs

60 B
76 B
1
1

DNS Request

bibo9.8800.org

DNS Response

93.46.8.90

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

Bootkit

Privilege Escalation

Defense Evasion

Pre-OS Boot

Bootkit

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\programdata\application data\storm\update\%sessionname%\xbhpq.cc3

Filesize
20.0MB

MD5
2751caf1130dd296ebc2fbd054203bde

SHA1
317ba0cdf0a01be6a12578e7f2c6d7820174fc42

SHA256
42c683c1c6a59bc5b018abf70f79dcfa5300cfaab3f65f4c3f4184cf9c21d7fc

SHA512
59eb05773a0789650a29f863f9edcce27641ac4752b46e7fbff949fbf8b6f0176ed13742d1e611cf08c1cf7f6fc76014db7ab558085a4a1594cc0dc6b23c343d

Download Submit
\Users\Admin\AppData\Local\hncrnfktpv

Filesize
23.4MB

MD5
c9d25b27b24056c1d85a4b47b7ad6bec

SHA1
e0658f61f37a7b6a39edcc22508b7c5aa5b2e7c8

SHA256
8fcc11c16e9b58f528304bb5d60186658e1ad697b3080f314d04daa15df1c66c

SHA512
eb4cae0074c8fce316c363e1c5d14bea810a925eef8c5c77cd55441aebdb7544a1ba070fbdc4f9bd3aefb7710a3db3c892a15ff13ce3dbcf5b1e2ceef8744b5d

Download Submit
memory/1084-17-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/1084-16-0x0000000000400000-0x000000000044E360-memory.dmp

Filesize
312KB

Download
memory/1084-22-0x0000000000400000-0x000000000044E360-memory.dmp

Filesize
312KB

Download
memory/2272-23-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2272-25-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2272-27-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2372-2-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/2372-1-0x0000000000400000-0x000000000044E360-memory.dmp

Filesize
312KB

Download
memory/2372-6-0x0000000000230000-0x000000000027F000-memory.dmp

Filesize
316KB

Download
memory/2372-13-0x0000000000400000-0x000000000044E360-memory.dmp

Filesize
312KB

Download