gh0strat | 7e369b433e521746f6351f7ac7d8509100016fb2721b603a783087097738b1df

Analysis

max time kernel
150s
max time network
134s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
03/07/2024, 17:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2321b9b07158d4900583c338dd4aaa48_JaffaCakes118.exe
Size

91KB
MD5

2321b9b07158d4900583c338dd4aaa48
SHA1

c70907d14f28336de5bdad5657aed58d186aa4a8
SHA256

7e369b433e521746f6351f7ac7d8509100016fb2721b603a783087097738b1df
SHA512

2bb5c7f193012b2a2dac06c5102938f8c0483cc5578d8b47c1766d6c5a1fe983393095fefcd755934c001027e5bc793d0418a0495593e41b1d00bba9924cc057
SSDEEP

1536:9Jvpm0PGt6rj5w0OqcocxrD5n6eDwDueLic+8ifnIcQ63xF+0j11BG:XvpmuGt6rj5w0Oqcoc+ekDVLi580nIc+

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral1/memory/2104-0-0x0000000000400000-0x0000000000419000-memory.dmp	family_gh0strat
behavioral1/memory/2104-3-0x0000000000400000-0x0000000000419000-memory.dmp	family_gh0strat
behavioral1/files/0x0036000000016c67-5.dat	family_gh0strat
behavioral1/memory/3044-6-0x0000000010000000-0x0000000010013000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Documents and Settings\\Local User\\pcguard.dll"	2321b9b07158d4900583c338dd4aaa48_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
3044	SVCHOST.EXE

Loads dropped DLL 1 IoCs

pid	Process
3044	SVCHOST.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2104	2321b9b07158d4900583c338dd4aaa48_JaffaCakes118.exe
2104	2321b9b07158d4900583c338dd4aaa48_JaffaCakes118.exe
3044	SVCHOST.EXE
3044	SVCHOST.EXE
3044	SVCHOST.EXE

C:\Users\Admin\AppData\Local\Temp\2321b9b07158d4900583c338dd4aaa48_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2321b9b07158d4900583c338dd4aaa48_JaffaCakes118.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Suspicious behavior: EnumeratesProcesses
PID:2104

C:\Windows\SysWOW64\SVCHOST.EXE
C:\Windows\SysWOW64\SVCHOST.EXE -K NETSVCS
1⤵
- Deletes itself
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Local User\pcguard.dll

Filesize
72KB

MD5
48aa18f2c741c9c81e99bf54525908b6

SHA1
b6190fd0c7b39c2baf653ceeb1a314772ab0d101

SHA256
551de1b9554f4a69459d036b91a5d206d2d4b7744285b124948ffe349093ec40

SHA512
55c02c7746d4b96b71fe410ab9bd57f428c7ee27a1c47456c3e520d7e468c3240646785dcea65ee7b3e104133f303036f667728aa4289c89b065b0ae93e3530b

Download Submit
memory/2104-0-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2104-3-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3044-6-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download