gh0strat | 3fd9d905d9b08c22bb5517bd4e6a1d95c5e0c2deba4fda089b7ff5dac1343810

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
27/06/2024, 14:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1667bc2ccace57daf8068ab201dc0996_JaffaCakes118.exe
Size

196KB
MD5

1667bc2ccace57daf8068ab201dc0996
SHA1

7bf309aa53e691f6c168ccf2d2d05628855f33d2
SHA256

3fd9d905d9b08c22bb5517bd4e6a1d95c5e0c2deba4fda089b7ff5dac1343810
SHA512

e346239c0a43b0ee96aab8f023586a3139e985e99caad6f95c961625ad305c16564995c96d2b4691f63021e5b9aee49eef6ef2f52b8a027b8440e01118c68396
SSDEEP

3072:iIXD6tSGloVFwz8BD0cjRTyVwdUE3AZnC69NJ09sTpwWwo:izlQwz8BDpWwOUA1C6rTuWf

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000014457-8.dat	family_gh0strat
behavioral1/files/0x0039000000014709-16.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	2660	RUNDLL32.exe
5	2660	RUNDLL32.exe

Executes dropped EXE 1 IoCs

pid	Process
2976	OATH.EXE

Loads dropped DLL 1 IoCs

pid	Process
2660	RUNDLL32.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	\??\c:\Program Files\WINDOWSS.INI	OATH.EXE
File created	C:\Program Files\temp0\QQ.exe	OATH.EXE
File opened for modification	C:\Program Files\temp0\QQ.exe	OATH.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2488	taskkill.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2976	OATH.EXE
2976	OATH.EXE
2976	OATH.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2488	taskkill.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2976	2932	1667bc2ccace57daf8068ab201dc0996_JaffaCakes118.exe	28
PID 2932 wrote to memory of 2976	2932	1667bc2ccace57daf8068ab201dc0996_JaffaCakes118.exe	28
PID 2932 wrote to memory of 2976	2932	1667bc2ccace57daf8068ab201dc0996_JaffaCakes118.exe	28
PID 2932 wrote to memory of 2976	2932	1667bc2ccace57daf8068ab201dc0996_JaffaCakes118.exe	28
PID 2976 wrote to memory of 2488	2976	OATH.EXE	29
PID 2976 wrote to memory of 2488	2976	OATH.EXE	29
PID 2976 wrote to memory of 2488	2976	OATH.EXE	29
PID 2976 wrote to memory of 2488	2976	OATH.EXE	29
PID 2976 wrote to memory of 2660	2976	OATH.EXE	31
PID 2976 wrote to memory of 2660	2976	OATH.EXE	31
PID 2976 wrote to memory of 2660	2976	OATH.EXE	31
PID 2976 wrote to memory of 2660	2976	OATH.EXE	31
PID 2976 wrote to memory of 2660	2976	OATH.EXE	31
PID 2976 wrote to memory of 2660	2976	OATH.EXE	31
PID 2976 wrote to memory of 2660	2976	OATH.EXE	31
PID 2976 wrote to memory of 1556	2976	OATH.EXE	33
PID 2976 wrote to memory of 1556	2976	OATH.EXE	33
PID 2976 wrote to memory of 1556	2976	OATH.EXE	33
PID 2976 wrote to memory of 1556	2976	OATH.EXE	33

C:\Users\Admin\AppData\Local\Temp\1667bc2ccace57daf8068ab201dc0996_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1667bc2ccace57daf8068ab201dc0996_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2932
- C:\OATH.EXE
  "C:\OATH.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /t /im KSafeTray.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2488
- - C:\Windows\SysWOW64\RUNDLL32.exe
    RUNDLL32 "c:\Program Files\WINDOWSS.INI" main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:2660
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c afc9fe2f418b00a0.bat
    3⤵
    PID:1556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\OATH.EXE

Filesize
172KB

MD5
a006cb4129f531243592629f040c9d94

SHA1
c121bff36f16b42ac308556a08b6addab945f250

SHA256
a5da7a8f657772cee923b5c3d320096418172df7be8830095bab3d226e2d9730

SHA512
89d6135a15fe8b98915ad648a9bf7e6e961b07d7c3280560aec1d334be2af2a94d3e268ec131ff29ffe118f2f637d25883e57e4ae76be5cbf6029cd86f9b4d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\afc9fe2f418b00a0.bat

Filesize
2KB

MD5
1c986aff5f096275f33a8458137e1619

SHA1
28f976a3467e5dbccdcf67843ccc1e6a00a9d125

SHA256
50c9ab50bbc41c759d697e4638eb518517f127d6d674c801b03654a1b224441c

SHA512
27f26ef9ce4185250d892ac80a0af629c98bbb8a13103ca9f77d09d4cfa7f1f27b2a90643ac2daf4decfcddd1c70deab4fec4d3b995d3360fc8bc0428bf4db50

Download Submit
\??\c:\Program Files\WINDOWSS.INI

Filesize
10.3MB

MD5
798ba40c2af669b0eee2a598dadf0759

SHA1
4c384c78513fc28f4fb612f7f9f014255e77d3c9

SHA256
f63539d1a59625f0c460a17496e619bdcd88e6587523cf74c7104da8431a798d

SHA512
5d02d5823e10f64f02b517accab3b80fb02cb43fbadefcba0e1a81c57e61f754a92896c417131bf3b34c3069d5752a6242c1ba96afda31e5ffdbed5dbf4f8ea0

Download Submit