gh0strat | 89479065919be4eb81a9348dd813ffc6f4f0a12018a63480de16a9b3d4f73e22

Analysis

max time kernel
150s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
03/07/2024, 05:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21500155f442187001dd2e9371e4e21a_JaffaCakes118.exe
Size

710KB
MD5

21500155f442187001dd2e9371e4e21a
SHA1

4f1e9970ce02081642f36554fe897ea72f169124
SHA256

89479065919be4eb81a9348dd813ffc6f4f0a12018a63480de16a9b3d4f73e22
SHA512

621c7c8d5d80ca5f12763a3fae40d124db141e83744b900d89f9db5aa67a16e26e7bb8c393e74b04cb327ff803f3c8670c374049509a91d48563553d2d9ad67b
SSDEEP

12288:UN23D7X/plD07IRlPrEsNll+EgC8UZj1rM6rL5A3s6ba/u2CpLIxbk3+RVlk3W:UNg7TP9XbD1/Rk3tORVlk3W

Score

10^/10

gh0strat evasion rat

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral2/memory/1464-4-0x0000000000400000-0x000000000058F000-memory.dmp	family_gh0strat
behavioral2/files/0x00080000000235e7-6.dat	family_gh0strat
behavioral2/files/0x000b0000000235ef-15.dat	family_gh0strat
behavioral2/memory/1464-17-0x0000000000400000-0x000000000058F000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	21500155f442187001dd2e9371e4e21a_JaffaCakes118.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Wine	21500155f442187001dd2e9371e4e21a_JaffaCakes118.exe

Loads dropped DLL 2 IoCs

pid	Process
1464	21500155f442187001dd2e9371e4e21a_JaffaCakes118.exe
2256	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1464	21500155f442187001dd2e9371e4e21a_JaffaCakes118.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Xtuv\Dtuvwxyab.jpg	21500155f442187001dd2e9371e4e21a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Xtuv\Dtuvwxyab.jpg	21500155f442187001dd2e9371e4e21a_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1464	21500155f442187001dd2e9371e4e21a_JaffaCakes118.exe
1464	21500155f442187001dd2e9371e4e21a_JaffaCakes118.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe
2256	svchost.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
648	Process not Found

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeBackupPrivilege	1464	21500155f442187001dd2e9371e4e21a_JaffaCakes118.exe
Token: SeRestorePrivilege	1464	21500155f442187001dd2e9371e4e21a_JaffaCakes118.exe
Token: SeBackupPrivilege	1464	21500155f442187001dd2e9371e4e21a_JaffaCakes118.exe
Token: SeRestorePrivilege	1464	21500155f442187001dd2e9371e4e21a_JaffaCakes118.exe
Token: SeBackupPrivilege	1464	21500155f442187001dd2e9371e4e21a_JaffaCakes118.exe
Token: SeRestorePrivilege	1464	21500155f442187001dd2e9371e4e21a_JaffaCakes118.exe
Token: SeBackupPrivilege	1464	21500155f442187001dd2e9371e4e21a_JaffaCakes118.exe
Token: SeRestorePrivilege	1464	21500155f442187001dd2e9371e4e21a_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\21500155f442187001dd2e9371e4e21a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\21500155f442187001dd2e9371e4e21a_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4036,i,11751898164297348119,13021661521765644467,262144 --variations-seed-version --mojo-platform-channel-handle=4136 /prefetch:8
1⤵
PID:112

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\temp2.gif

Filesize
105KB

MD5
648f927dd8fcb0ffdac042788659e472

SHA1
1cab65c17b369a4e3411744ba6879ad14e27d3da

SHA256
a4221ac068766150ae831b81cde293cae38fb1984c648522a563c1d48ca4750e

SHA512
7d11a74755cb3007fdf1f34f44098402ccaf0a5833d009e25e7f54d1c42bdfb1c1025437468960700d8e8c708c7240ab93efbe2d802c16da7735434420e34bfb

Download Submit
\??\c:\program files (x86)\xtuv\dtuvwxyab.jpg

Filesize
5.0MB

MD5
10395761bcd5271af1cce7bdee8cab2e

SHA1
b262e1f3190c78cc74e1d5264ce82e0a9c75faba

SHA256
96b893ef9cd60e2d36c10d504fe45140c91d706c9ef8bb95ee4fc6051ccb9a84

SHA512
013a3938e5b201baf06ca8fe894d8d32b4b53852b55cc90fe354b3d3377386cc6f054a066e8798b9d83d9311853d0de211eca7b52a982d7ac034e70097dd0d0a

Download Submit
memory/1464-0-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1464-1-0x0000000077784000-0x0000000077786000-memory.dmp

Filesize
8KB

Download
memory/1464-3-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/1464-4-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1464-17-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download