gh0strat | 9ce8f4adb285e1f9bd1d32a089c5598b5f2118e3f0a4b3365cc054bd5159cd87

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
06/07/2024, 06:53

Target

27a0cda73c6388c45e0494b66176b0e9_JaffaCakes118.dll
Size

97KB
MD5

27a0cda73c6388c45e0494b66176b0e9
SHA1

17ef2e85b9494f4437ec3a8e0c842f97d4e2254c
SHA256

9ce8f4adb285e1f9bd1d32a089c5598b5f2118e3f0a4b3365cc054bd5159cd87
SHA512

970b3eb74ab590c6e90985da134d55a8c440e4fbd7641a98c39836fa00e8183fd6290527df2be353ed5f8c50adeb49d1aa3b98d8da8357a3d9e953fc4a05c61c
SSDEEP

1536:APFJHJ3XUPD4XMod7GS/bcbHFfB18wnkrsKIksm3fXOx:4FzQD4X979/bUH9B18BrsKIksmvXOx

Score

10^/10

gh0strat rat

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral1/memory/3044-1-0x0000000010000000-0x000000001001F000-memory.dmp	family_gh0strat
behavioral1/memory/3044-0-0x0000000010000000-0x000000001001F000-memory.dmp	family_gh0strat
behavioral1/memory/3044-2-0x0000000010000000-0x000000001001F000-memory.dmp	family_gh0strat
behavioral1/memory/3044-3-0x0000000010000000-0x000000001001F000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Drivers\beep.sys	rundll32.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
480	Process not Found

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 3044	3036	rundll32.exe	28
PID 3036 wrote to memory of 3044	3036	rundll32.exe	28
PID 3036 wrote to memory of 3044	3036	rundll32.exe	28
PID 3036 wrote to memory of 3044	3036	rundll32.exe	28
PID 3036 wrote to memory of 3044	3036	rundll32.exe	28
PID 3036 wrote to memory of 3044	3036	rundll32.exe	28
PID 3036 wrote to memory of 3044	3036	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\27a0cda73c6388c45e0494b66176b0e9_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\27a0cda73c6388c45e0494b66176b0e9_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Drivers directory
  PID:3044

memory/3044-1-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/3044-0-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/3044-2-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/3044-3-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download