gh0strat | 3004f18014de5ee7f6277d52f32d2abb1ce031de723d9f89d7d1eccb55c540c2

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 04:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe
Size

102KB
MD5

18c06f01cf38c8ffa606a40409a3d8da
SHA1

8788c277330a7d01db55e0ccee44ef4c9d9d4be8
SHA256

3004f18014de5ee7f6277d52f32d2abb1ce031de723d9f89d7d1eccb55c540c2
SHA512

8fa06e8f6e9b9c72330d92f3be76c82094b08005c9dc696ebfecce8d9ae66663784d652ad1fc1c161e97234cf51d376ce030a83513fc3d4c01e75f40fcf66388
SSDEEP

1536:/K4w+WDos64mc9ntOouY/U2E0LhBam+vqPySONSHvPNv25T4Jg0US4rQ00OxrZ9K:/KtNo54mc9tOXKy9QHnZx1ZsF9YbKy

Score

10^/10

gh0strat evasion execution rat

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral1/files/0x000c0000000132ef-1.dat	family_gh0strat
behavioral1/memory/1932-3-0x0000000000220000-0x000000000023C000-memory.dmp	family_gh0strat
behavioral1/memory/2592-7-0x0000000000401000-0x000000000041C000-memory.dmp	family_gh0strat
behavioral1/memory/2592-8-0x0000000000400000-0x000000000041B3B0-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
2268	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2592	SETUP.EXE

Loads dropped DLL 1 IoCs

pid	Process
1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1744	sc.exe
2432	sc.exe
2700	sc.exe
1264	sc.exe

Kills process with taskkill 8 IoCs

evasion

pid	Process
1672	taskkill.exe
2460	taskkill.exe
2620	taskkill.exe
2984	taskkill.exe
2724	taskkill.exe
2808	taskkill.exe
1800	taskkill.exe
2096	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe
1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe
1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe
1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe
1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe
1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe
1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe
1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe
1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe
1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe
1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe
1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe
Token: SeDebugPrivilege	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe
Token: SeDebugPrivilege	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe
Token: SeDebugPrivilege	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe
Token: SeDebugPrivilege	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe
Token: SeDebugPrivilege	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe
Token: SeDebugPrivilege	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe
Token: SeDebugPrivilege	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe
Token: SeDebugPrivilege	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe
Token: SeDebugPrivilege	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe
Token: SeDebugPrivilege	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe
Token: SeDebugPrivilege	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe
Token: SeDebugPrivilege	2620	taskkill.exe
Token: SeDebugPrivilege	2096	taskkill.exe
Token: SeDebugPrivilege	2460	taskkill.exe
Token: SeDebugPrivilege	1800	taskkill.exe
Token: SeDebugPrivilege	1672	taskkill.exe
Token: SeDebugPrivilege	2808	taskkill.exe
Token: SeDebugPrivilege	2984	taskkill.exe
Token: SeDebugPrivilege	2724	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 1640	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	28
PID 1932 wrote to memory of 1640	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	28
PID 1932 wrote to memory of 1640	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	28
PID 1932 wrote to memory of 1640	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	28
PID 1932 wrote to memory of 2216	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	29
PID 1932 wrote to memory of 2216	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	29
PID 1932 wrote to memory of 2216	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	29
PID 1932 wrote to memory of 2216	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	29
PID 1932 wrote to memory of 2572	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	30
PID 1932 wrote to memory of 2572	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	30
PID 1932 wrote to memory of 2572	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	30
PID 1932 wrote to memory of 2572	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	30
PID 1932 wrote to memory of 1264	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	31
PID 1932 wrote to memory of 1264	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	31
PID 1932 wrote to memory of 1264	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	31
PID 1932 wrote to memory of 1264	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	31
PID 1932 wrote to memory of 2096	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	33
PID 1932 wrote to memory of 2096	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	33
PID 1932 wrote to memory of 2096	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	33
PID 1932 wrote to memory of 2096	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	33
PID 1932 wrote to memory of 1800	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	34
PID 1932 wrote to memory of 1800	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	34
PID 1932 wrote to memory of 1800	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	34
PID 1932 wrote to memory of 1800	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	34
PID 1932 wrote to memory of 1744	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	36
PID 1932 wrote to memory of 1744	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	36
PID 1932 wrote to memory of 1744	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	36
PID 1932 wrote to memory of 1744	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	36
PID 1932 wrote to memory of 1672	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	37
PID 1932 wrote to memory of 1672	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	37
PID 1932 wrote to memory of 1672	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	37
PID 1932 wrote to memory of 1672	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	37
PID 1932 wrote to memory of 2460	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	38
PID 1932 wrote to memory of 2460	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	38
PID 1932 wrote to memory of 2460	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	38
PID 1932 wrote to memory of 2460	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	38
PID 1932 wrote to memory of 1668	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	40
PID 1932 wrote to memory of 1668	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	40
PID 1932 wrote to memory of 1668	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	40
PID 1932 wrote to memory of 1668	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	40
PID 1932 wrote to memory of 2832	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	42
PID 1932 wrote to memory of 2832	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	42
PID 1932 wrote to memory of 2832	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	42
PID 1932 wrote to memory of 2832	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	42
PID 1932 wrote to memory of 2320	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	44
PID 1932 wrote to memory of 2320	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	44
PID 1932 wrote to memory of 2320	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	44
PID 1932 wrote to memory of 2320	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	44
PID 1932 wrote to memory of 2432	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	45
PID 1932 wrote to memory of 2432	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	45
PID 1932 wrote to memory of 2432	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	45
PID 1932 wrote to memory of 2432	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	45
PID 1932 wrote to memory of 2984	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	46
PID 1932 wrote to memory of 2984	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	46
PID 1932 wrote to memory of 2984	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	46
PID 1932 wrote to memory of 2984	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	46
PID 1932 wrote to memory of 2620	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	50
PID 1932 wrote to memory of 2620	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	50
PID 1932 wrote to memory of 2620	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	50
PID 1932 wrote to memory of 2620	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	50
PID 1932 wrote to memory of 2700	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	52
PID 1932 wrote to memory of 2700	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	52
PID 1932 wrote to memory of 2700	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	52
PID 1932 wrote to memory of 2700	1932	18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe	52

C:\Users\Admin\AppData\Local\Temp\18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\18c06f01cf38c8ffa606a40409a3d8da_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Windows\SysWOW64\net.exe
  net stop "Security Center"
  2⤵
  PID:1640
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Security Center"
    3⤵
    PID:2744
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:2216
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:2508
- C:\Windows\SysWOW64\net.exe
  net stop System Restore Service
  2⤵
  PID:2572
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop System Restore Service
    3⤵
    PID:2604
- C:\Windows\SysWOW64\sc.exe
  sc config ekrn start= disabled
  2⤵
  - Launches sc.exe
  PID:1264
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im ekrn.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2096
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im egui.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1800
- C:\Windows\SysWOW64\sc.exe
  sc config NOD32krn start= disabled
  2⤵
  - Launches sc.exe
  PID:1744
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im nod32krn.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1672
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im nod32kui.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- C:\Windows\SysWOW64\net.exe
  net stop "Security Center"
  2⤵
  PID:1668
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Security Center"
    3⤵
    PID:2496
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:2832
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:2804
- C:\Windows\SysWOW64\net.exe
  net stop System Restore Service
  2⤵
  PID:2320
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop System Restore Service
    3⤵
    PID:276
- C:\Windows\SysWOW64\sc.exe
  sc config ekrn start= disabled
  2⤵
  - Launches sc.exe
  PID:2432
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im ekrn.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2984
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im egui.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2620
- C:\Windows\SysWOW64\sc.exe
  sc config NOD32krn start= disabled
  2⤵
  - Launches sc.exe
  PID:2700
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im nod32krn.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2724
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im nod32kui.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2808
- C:\Users\Admin\AppData\Local\Temp\SETUP.EXE
  C:\Users\Admin\AppData\Local\Temp\SETUP.EXE
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del C:\NTDUBECT.EXE
  2⤵
  - Deletes itself
  PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\SETUP.EXE

Filesize
108KB

MD5
efaf8b165f6af21f645763443b196461

SHA1
e19f69628acab41030dafd75a7e186b34f7e8b61

SHA256
e4ba3e66c55fa1baba8f99e2704cc1d55e9909adbd99c1a48cebc17deffa95c0

SHA512
3fd5383f3950dccef385a27818ca4cef93cdb42ca985401cde5a1ca9b7d9a3131c9b6163cceef98520563a241dfda3dd5e8f01bc164691835cbfe30b1c5f799b

Download Submit
memory/1932-3-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/2592-7-0x0000000000401000-0x000000000041C000-memory.dmp

Filesize
108KB

Download
memory/2592-8-0x0000000000400000-0x000000000041B3B0-memory.dmp

Filesize
108KB

Download