gh0strat | 83c63881c74615713912233cd38bba032174ba605644d8e142f7bb207081ad93 | Triage

Submit
Reports

Overview

overview

Static

static

7

262a3d65ee...18.exe

windows7-x64

262a3d65ee...18.exe

windows10-2004-x64

Sharing

General

Target

262a3d65ee164c547a7f54447464c47b_JaffaCakes118
Size

815KB
Sample

240704-zmvt7ayank
MD5

262a3d65ee164c547a7f54447464c47b
SHA1

86e1684153eccad2c07e26bd87d2aebef7fb6779
SHA256

83c63881c74615713912233cd38bba032174ba605644d8e142f7bb207081ad93
SHA512

960bf71dfc60627acfd3b6e9463f7f7458c8a6001bb69d327d03cf33bf08e2f85723bce24079da91b35ef5d99c600dd87e175fdaf03c236218a683fd555374f1
SSDEEP

12288:J4vqmbCG6JrmL+qhzt7fz+7nBd1c87hmAd8G:J4vDbGFmBPzzsbc8b1

Score

10^/10

gh0strat evasion persistence rat upx

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

262a3d65ee164c547a7f54447464c47b_JaffaCakes118.exe

Resource

win7-20240704-en

gh0strat persistence rat upx

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

262a3d65ee164c547a7f54447464c47b_JaffaCakes118.exe

Resource

win10v2004-20240704-en

gh0strat evasion rat upx

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Targets

- Target
  
  262a3d65ee164c547a7f54447464c47b_JaffaCakes118
- Size
  
  815KB
- MD5
  
  262a3d65ee164c547a7f54447464c47b
- SHA1
  
  86e1684153eccad2c07e26bd87d2aebef7fb6779
- SHA256
  
  83c63881c74615713912233cd38bba032174ba605644d8e142f7bb207081ad93
- SHA512
  
  960bf71dfc60627acfd3b6e9463f7f7458c8a6001bb69d327d03cf33bf08e2f85723bce24079da91b35ef5d99c600dd87e175fdaf03c236218a683fd555374f1
- SSDEEP
  
  12288:J4vqmbCG6JrmL+qhzt7fz+7nBd1c87hmAd8G:J4vDbGFmBPzzsbc8b1
Score

10^/10

gh0strat persistence rat upx evasion
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Modifies firewall policy service
  evasion
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gh0stratpersistenceratupx

behavioral2

gh0stratevasionratupx

© 2018-2025

Terms | Privacy