gh0strat | 0a693852ca4bbbeb1c64196a3b6fd71300337306e149b9fd3a6119b48aa71447

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
03-07-2024 16:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

230f85c7314051e503c0693c98935f46_JaffaCakes118.exe
Size

153KB
MD5

230f85c7314051e503c0693c98935f46
SHA1

ba8377965e6278e1c93eba970fa427094a4d5d9d
SHA256

0a693852ca4bbbeb1c64196a3b6fd71300337306e149b9fd3a6119b48aa71447
SHA512

8c7c0ff33312258b3eac3de0f4344efacb1c2e98fedcd056a0bbd0d4b1705ced40cfb2dd6ceacb39da53c4fe482d30860babc86ed866f805af44018bca2c6263
SSDEEP

3072:NJ/dNdJ7OwMX7cPCW9WXlXOFaSHr0HDcNPxuGeOF6outFnA:/T7OwMXo7oX8oSHr0HDw6oS2

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral1/memory/2968-13-0x0000000010000000-0x000000001002A000-memory.dmp	family_gh0strat
behavioral1/memory/2968-14-0x0000000010000000-0x000000001002A000-memory.dmp	family_gh0strat
behavioral1/memory/2968-18-0x0000000010000000-0x000000001002A000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\1275078\Parameters\ServiceDll = "C:\\Windows\\system32\\1275078.dll"	230f85c7314051e503c0693c98935f46_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
1344	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2968	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\1275078.dll	230f85c7314051e503c0693c98935f46_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2952	230f85c7314051e503c0693c98935f46_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 1344	2952	230f85c7314051e503c0693c98935f46_JaffaCakes118.exe	29
PID 2952 wrote to memory of 1344	2952	230f85c7314051e503c0693c98935f46_JaffaCakes118.exe	29
PID 2952 wrote to memory of 1344	2952	230f85c7314051e503c0693c98935f46_JaffaCakes118.exe	29
PID 2952 wrote to memory of 1344	2952	230f85c7314051e503c0693c98935f46_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\230f85c7314051e503c0693c98935f46_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\230f85c7314051e503c0693c98935f46_JaffaCakes118.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\230F85~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1344

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k 1275078
1⤵
- Loads dropped DLL
PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\1275078.dll

Filesize
73KB

MD5
01dda7389c62fd054d4f12e85a49195b

SHA1
4952818fbc4da8a5c1ba5f7d77f74929fb135974

SHA256
b98f798e249858de97a1193da6f127c207227b19a06e4417d33179f79f7ae46d

SHA512
a419a16f1b163c3f75d2abe47c2c4abe7a73dac468c9312ec52e72ad24bdb9d6ec4c238dce83ebd8e2504bd3ab63f20ca06c9a8fe9a1a67347a394f89f7d0e0e

Download Submit
memory/2952-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2952-8-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2968-7-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/2968-9-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2968-10-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/2968-12-0x0000000010017000-0x0000000010027000-memory.dmp

Filesize
64KB

Download
memory/2968-13-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/2968-14-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/2968-15-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2968-17-0x0000000010017000-0x0000000010027000-memory.dmp

Filesize
64KB

Download
memory/2968-18-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download