gh0strat | ddc4229965026aa9924993a918d2f9714eef2653e63177ee0d55eab29263e229

General

Target

19e4e80e460be21c65b4f9c301e3f496_JaffaCakes118.exe
Size

622KB
MD5

19e4e80e460be21c65b4f9c301e3f496
SHA1

70924dbf4df9f1a8f6fa71c4e3c32396af96b1ea
SHA256

ddc4229965026aa9924993a918d2f9714eef2653e63177ee0d55eab29263e229
SHA512

02b83f7f6b577e533c46dece2a4c985cc809d24eeea8fb385984558eabf38a0aa6efa09393907e673a6f795bf206aaa2ee67e99c0c8afa3260cfdf537b32cd39
SSDEEP

12288:ejx8N1mIf52F3Z4mxxzDqVTVOCFcYHwpC:etWDcQmXaVTzFcYHx

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x0008000000022f51-37.dat	family_gh0strat
behavioral2/memory/1520-40-0x0000000000400000-0x0000000000420000-memory.dmp	family_gh0strat
behavioral2/files/0x000700000002341d-46.dat	family_gh0strat
behavioral2/files/0x000700000002341e-56.dat	family_gh0strat
behavioral2/memory/1520-57-0x0000000000400000-0x0000000000420000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Drivers\beep.sys	temp.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\beep.sys	svchost.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibilityex.dll"	temp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	19e4e80e460be21c65b4f9c301e3f496_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1520	temp.exe

Loads dropped DLL 2 IoCs

pid	Process
1520	temp.exe
1952	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibilityex.dll	temp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 1520	2160	19e4e80e460be21c65b4f9c301e3f496_JaffaCakes118.exe	81
PID 2160 wrote to memory of 1520	2160	19e4e80e460be21c65b4f9c301e3f496_JaffaCakes118.exe	81
PID 2160 wrote to memory of 1520	2160	19e4e80e460be21c65b4f9c301e3f496_JaffaCakes118.exe	81

C:\Users\Admin\AppData\Local\Temp\19e4e80e460be21c65b4f9c301e3f496_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\19e4e80e460be21c65b4f9c301e3f496_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Users\Admin\AppData\Local\Temp\temp.exe
  "C:\Users\Admin\AppData\Local\Temp\temp.exe"
  2⤵
  - Drops file in Drivers directory
  - Server Software Component: Terminal Services DLL
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:1520

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dll.tmp

Filesize
95KB

MD5
8a416eb17fc2c3e3f6e593cd2b8a0722

SHA1
e36e61e0ecc7c0fdfb0cb863c248d8fd159a0f00

SHA256
76900af9d55d26062de3903ed69f7fc0897fdc32ea0a87aece9e9f98f0f6edcd

SHA512
aa27bede562ab4b361a3dd74de82d66d082312d3097834d92d7743d1b25c4261a1ba4e2b7359687694ed193ff0b426d4c9a8fc47f1ea21fd491d53c6e2e6a5d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.exe

Filesize
113KB

MD5
137ed378b55aa82249626bec609d6464

SHA1
86c6a4c72b1c0e42d99a12be54c0659d3d62acc5

SHA256
0cc74640135237eeb16d31f80f41579a06be7207089bdd1c8bd1e5509fc2cb98

SHA512
39ff6fe64b05ad87b4e2d1229a7d8c199c4ccf5135662e4e26e03fde0b4cf09c67f2a44ab94e72758faf8c103318bc571c387e831a8f55438360ed9b7a6ab09c

Download Submit
C:\Windows\SysWOW64\install.tmp

Filesize
42B

MD5
560394dc7eb02789d863178d97329fdf

SHA1
33e11f1297ede2403116511119f408a68524b535

SHA256
5834971e6c1d68456512c113bb0bf55ba66f2ab5d57411ca92e975a2880ddfa5

SHA512
31a8b3e1ed8df34fa54f78fa2b7f7d00e3ea1a398eff357ac4cba3cfebeff92626cc999fae5b3eb0efeda712d791537193b5f6815fb300cea81533e950801502

Download Submit
\??\c:\windows\SysWOW64\fastuserswitchingcompatibilityex.dll

Filesize
95KB

MD5
4faa094f85729f88e410e4486f5d5b04

SHA1
d3636b488018078edd33ddcf115be6ed260ddacf

SHA256
bf0e3ea3a39a3fe72d30b808ea5e2f16e038ae83ad46446382303474e7d7374e

SHA512
8c7cb823b6ae65f05c274cca007ab46f8995b7c7c60a845d2143018bd255d24856c8a250be7cf74c41d7d25a6dca732f3087d32ec3bee9dbb3f252d7f975daf8

Download Submit
memory/1520-57-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1520-40-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2160-16-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/2160-13-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/2160-28-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2160-27-0x0000000003230000-0x0000000003234000-memory.dmp

Filesize
16KB

Download
memory/2160-26-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/2160-25-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/2160-24-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/2160-23-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/2160-22-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/2160-21-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/2160-20-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/2160-19-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/2160-18-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/2160-17-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/2160-0-0x0000000010000000-0x00000000100C1000-memory.dmp

Filesize
772KB

Download
memory/2160-15-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/2160-14-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/2160-29-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2160-12-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/2160-11-0x0000000003240000-0x0000000003242000-memory.dmp

Filesize
8KB

Download
memory/2160-10-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/2160-9-0x0000000003250000-0x0000000003251000-memory.dmp

Filesize
4KB

Download
memory/2160-8-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/2160-7-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/2160-5-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/2160-4-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/2160-2-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/2160-30-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2160-3-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/2160-42-0x0000000010000000-0x00000000100C1000-memory.dmp

Filesize
772KB

Download
memory/2160-48-0x00000000005D0000-0x0000000000624000-memory.dmp

Filesize
336KB

Download
memory/2160-31-0x0000000003270000-0x0000000003271000-memory.dmp

Filesize
4KB

Download
memory/2160-32-0x0000000003260000-0x0000000003261000-memory.dmp

Filesize
4KB

Download
memory/2160-6-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/2160-1-0x00000000005D0000-0x0000000000624000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing