gh0strat | 67aaebb921160aec17aa7d48bb77b2519eaf461010b9da9c230266b370aae76f

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
28/06/2024, 06:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe
Size

301KB
MD5

191e1fa80c755544d07fed8949a2b962
SHA1

f9aac34463369e856dbd7d04b89adbf13bc88bfd
SHA256

67aaebb921160aec17aa7d48bb77b2519eaf461010b9da9c230266b370aae76f
SHA512

2ba41da2815d21ff30f67f25342a9ce19f4bf276001137e6f55bbb631e54e1f70d79e2be748908c5b962f95a8309bcd503ba660dc676038fb5787d4a296333fc
SSDEEP

6144:Nm9gegaIZT3Ye77MfKjJaV8gyccBdYHEzoI86PEpw0OfFpA9FlYb:igegltYe7IfKjJWyccBqHEzoxw0aVb

Score

10^/10

gh0strat bootkit persistence rat

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral1/memory/2208-32-0x0000000000400000-0x000000000048F000-memory.dmp	family_gh0strat
behavioral1/files/0x0009000000015561-45.dat	family_gh0strat
behavioral1/memory/2720-47-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral1/memory/2208-76-0x0000000000400000-0x000000000048F000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\drivers\amd32_.sys	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
1676	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2996	hjrwo.exe
2720	kthjr.exe
2764	thjrw.exe

Loads dropped DLL 16 IoCs

pid	Process
2208	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe
2208	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe
2996	hjrwo.exe
2996	hjrwo.exe
2996	hjrwo.exe
2208	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe
2208	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe
2720	kthjr.exe
2720	kthjr.exe
2720	kthjr.exe
2720	kthjr.exe
2208	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe
2208	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe
2764	thjrw.exe
2764	thjrw.exe
2764	thjrw.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	kthjr.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\loveuu.bat	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe
File created	C:\Program Files\brijgrwm\kthjr.dll	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\qiuqiu.cpp	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe
File created	C:\Program Files\Common Files\qiuqiu.cpp	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe
File created	C:\Program Files\brijgrwm\thjrw.exe	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe
File created	C:\Program Files\brijgrwm\kthjr.exe	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe
File created	C:\Program Files\brijgrwm\hjrwo.exe	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2824	sc.exe
2792	sc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	kthjr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	kthjr.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\InProcServer32	thjrw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	thjrw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{603D3801-BD81-11d0-A3A5-00C04FD706EC}	thjrw.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2720	kthjr.exe
2720	kthjr.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2996	2208	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe	28
PID 2208 wrote to memory of 2996	2208	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe	28
PID 2208 wrote to memory of 2996	2208	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe	28
PID 2208 wrote to memory of 2996	2208	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe	28
PID 2208 wrote to memory of 2996	2208	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe	28
PID 2208 wrote to memory of 2996	2208	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe	28
PID 2208 wrote to memory of 2996	2208	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe	28
PID 2996 wrote to memory of 2692	2996	hjrwo.exe	29
PID 2996 wrote to memory of 2692	2996	hjrwo.exe	29
PID 2996 wrote to memory of 2692	2996	hjrwo.exe	29
PID 2996 wrote to memory of 2692	2996	hjrwo.exe	29
PID 2996 wrote to memory of 2692	2996	hjrwo.exe	29
PID 2996 wrote to memory of 2692	2996	hjrwo.exe	29
PID 2996 wrote to memory of 2692	2996	hjrwo.exe	29
PID 2208 wrote to memory of 2720	2208	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe	31
PID 2208 wrote to memory of 2720	2208	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe	31
PID 2208 wrote to memory of 2720	2208	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe	31
PID 2208 wrote to memory of 2720	2208	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe	31
PID 2208 wrote to memory of 2720	2208	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe	31
PID 2208 wrote to memory of 2720	2208	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe	31
PID 2208 wrote to memory of 2720	2208	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe	31
PID 2208 wrote to memory of 2824	2208	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe	34
PID 2208 wrote to memory of 2824	2208	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe	34
PID 2208 wrote to memory of 2824	2208	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe	34
PID 2208 wrote to memory of 2824	2208	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe	34
PID 2208 wrote to memory of 2824	2208	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe	34
PID 2208 wrote to memory of 2824	2208	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe	34
PID 2208 wrote to memory of 2824	2208	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe	34
PID 2208 wrote to memory of 2792	2208	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe	35
PID 2208 wrote to memory of 2792	2208	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe	35
PID 2208 wrote to memory of 2792	2208	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe	35
PID 2208 wrote to memory of 2792	2208	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe	35
PID 2208 wrote to memory of 2792	2208	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe	35
PID 2208 wrote to memory of 2792	2208	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe	35
PID 2208 wrote to memory of 2792	2208	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe	35
PID 2208 wrote to memory of 2764	2208	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe	38
PID 2208 wrote to memory of 2764	2208	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe	38
PID 2208 wrote to memory of 2764	2208	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe	38
PID 2208 wrote to memory of 2764	2208	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe	38
PID 2208 wrote to memory of 2764	2208	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe	38
PID 2208 wrote to memory of 2764	2208	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe	38
PID 2208 wrote to memory of 2764	2208	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe	38
PID 2764 wrote to memory of 1660	2764	thjrw.exe	39
PID 2764 wrote to memory of 1660	2764	thjrw.exe	39
PID 2764 wrote to memory of 1660	2764	thjrw.exe	39
PID 2764 wrote to memory of 1660	2764	thjrw.exe	39
PID 2764 wrote to memory of 1660	2764	thjrw.exe	39
PID 2764 wrote to memory of 1660	2764	thjrw.exe	39
PID 2764 wrote to memory of 1660	2764	thjrw.exe	39
PID 2208 wrote to memory of 1676	2208	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe	40
PID 2208 wrote to memory of 1676	2208	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe	40
PID 2208 wrote to memory of 1676	2208	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe	40
PID 2208 wrote to memory of 1676	2208	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe	40
PID 2208 wrote to memory of 1676	2208	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe	40
PID 2208 wrote to memory of 1676	2208	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe	40
PID 2208 wrote to memory of 1676	2208	191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe	40

C:\Users\Admin\AppData\Local\Temp\191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\191e1fa80c755544d07fed8949a2b962_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Program Files\brijgrwm\hjrwo.exe
  "C:\Program Files\brijgrwm\hjrwo.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del "C:\Program Files\brijgrwm\hjrwo.exe
    3⤵
    PID:2692
- C:\Program Files\brijgrwm\kthjr.exe
  "C:\Program Files\brijgrwm\kthjr.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2720
- C:\Windows\SysWOW64\sc.exe
  sc config RasAuto start= auto
  2⤵
  - Launches sc.exe
  PID:2824
- C:\Windows\SysWOW64\sc.exe
  sc config RasAuto start= auto
  2⤵
  - Launches sc.exe
  PID:2792
- C:\Program Files\brijgrwm\thjrw.exe
  "C:\Program Files\brijgrwm\thjrw.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c del C:\PROGRA~1\brijgrwm\thjrw.exe
    3⤵
    PID:1660
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del C:\Users\Admin\AppData\Local\Temp\191E1F~1.EXE
  2⤵
  - Deletes itself
  PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\brijgrwm\kthjr.dll

Filesize
33.4MB

MD5
a1b6a9bd16e3e59d5003493bdf77e904

SHA1
fca296c307db51266a07969a063a7ac0d221e027

SHA256
fd479856ee6ea7d81f4458f8abed6ac9f54bb4adf261de98b86caab4bac915b2

SHA512
9e321d48a76d20de2c50bb0ec5a922a0a76c0f78aa673eb7c10975222adc7485aa001447352360033b73db0b50b6e16a00b20e80f710a04194e06a2103858815

Download Submit
\Program Files\brijgrwm\hjrwo.exe

Filesize
8.5MB

MD5
35c708991171ca253304e7cfaf1255ba

SHA1
046396753ace7d1f20b3f0792ccb57e37d0ee85e

SHA256
17ac52cdc90c47b30d02f7b6889a4086212e24cffdeb659489081060cd79c59f

SHA512
c121bfecfe1a84af6ec80dde36b35e8a5746c7e9ab530712c76867c0e09f06826b97ac57cf5d16eb87d07be08973e33f280b759cf53b77e6c8ba63b4c908c63a

Download Submit
\Program Files\brijgrwm\kthjr.exe

Filesize
8.5MB

MD5
3da795df60b4fb44cf6dd5753126268a

SHA1
b32f3b1649ffd2dc9a2459a7bf196bafb312b958

SHA256
0942edcda186126c86dfe52d0c8ba9956fb39105e1d1cced9957d32d705f6a45

SHA512
f5e86ee8f328f6af8f477cba3b700ea7f2aac3d67dc80c5292b72249e9d64eae9c87a5514c43d20ee54359a3db6589bc1f5b0b813d65af0dcd32b92d9bcae682

Download Submit
\Program Files\brijgrwm\thjrw.exe

Filesize
8.5MB

MD5
36106321aa43dd8ae2cf8eb8cc2c36ac

SHA1
8cc7d45eafe764360dc3eef1eef514aafe21f85a

SHA256
90069238f7c35679229b67299e1c7793a03f5286d021f99539a7c6a8a09623bd

SHA512
600bf8fbf25dba237349e23d084d2354819e044e2f325d3ccecd734393a067575dd988bc83b130e6ed4d9a011bae72ba9bcc769f6abeaacc4199491ad0535def

Download Submit
memory/2208-33-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2208-23-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/2208-6-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2208-5-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/2208-4-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/2208-12-0x00000000003B0000-0x00000000003B6000-memory.dmp

Filesize
24KB

Download
memory/2208-72-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2208-74-0x0000000000240000-0x000000000024D000-memory.dmp

Filesize
52KB

Download
memory/2208-75-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2208-62-0x00000000003B0000-0x00000000003B4000-memory.dmp

Filesize
16KB

Download
memory/2208-7-0x00000000002B0000-0x00000000002B2000-memory.dmp

Filesize
8KB

Download
memory/2208-32-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/2208-0-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/2208-3-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2208-2-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2208-76-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/2208-56-0x00000000003B0000-0x00000000003B4000-memory.dmp

Filesize
16KB

Download
memory/2208-1-0x0000000000240000-0x00000000002CF000-memory.dmp

Filesize
572KB

Download
memory/2720-49-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2720-47-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2764-71-0x0000000000400000-0x00000000004030CC-memory.dmp

Filesize
12KB

Download
memory/2764-63-0x0000000000400000-0x00000000004030CC-memory.dmp

Filesize
12KB

Download
memory/2764-70-0x0000000000030000-0x0000000000034000-memory.dmp

Filesize
16KB

Download
memory/2764-69-0x0000000000030000-0x0000000000034000-memory.dmp

Filesize
16KB

Download
memory/2764-68-0x0000000000030000-0x0000000000034000-memory.dmp

Filesize
16KB

Download
memory/2996-27-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2996-24-0x0000000000020000-0x0000000000026000-memory.dmp

Filesize
24KB

Download
memory/2996-25-0x0000000000020000-0x0000000000026000-memory.dmp

Filesize
24KB

Download
memory/2996-26-0x0000000000020000-0x0000000000026000-memory.dmp

Filesize
24KB

Download