gh0strat | d0c0bcafa5418dba43f3a86a7d91270d8ce8ef42c5cd66bb25c6672cdf022b66

Analysis

max time kernel
94s
max time network
92s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2024, 07:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

27ab87898138d1f36d5ab65bca84dd02_JaffaCakes118.exe
Size

96KB
MD5

27ab87898138d1f36d5ab65bca84dd02
SHA1

efad7a5c4e2755769b0e2fde4df5a0439a278360
SHA256

d0c0bcafa5418dba43f3a86a7d91270d8ce8ef42c5cd66bb25c6672cdf022b66
SHA512

aba0ccc8b654cf7e69851535c5d80af0295185b25cd78468565bc4fd90385403d519f539877f44484642ae316a2df3f98ef829b5e49ab2e6d087da2aa7abc1a9
SSDEEP

1536:caFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prt9w/NZtEdkP+:cAS4jHS8q/3nTzePCwNUh4E9tCFfE2P+

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x00080000000234a9-15.dat	family_gh0strat
behavioral2/memory/5116-17-0x0000000000400000-0x000000000044E330-memory.dmp	family_gh0strat
behavioral2/memory/2184-20-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/3548-25-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/4392-30-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
5116	lfdifuwore

Executes dropped EXE 1 IoCs

pid	Process
5116	lfdifuwore

Loads dropped DLL 3 IoCs

pid	Process
2184	svchost.exe
3548	svchost.exe
4392	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wjjloomqqa	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\wbusglksde	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\wbusglksde	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1176	2184	WerFault.exe	86
388	3548	WerFault.exe	90
2172	4392	WerFault.exe	93

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5116	lfdifuwore
5116	lfdifuwore

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	5116	lfdifuwore
Token: SeBackupPrivilege	5116	lfdifuwore
Token: SeBackupPrivilege	5116	lfdifuwore
Token: SeRestorePrivilege	5116	lfdifuwore
Token: SeBackupPrivilege	2184	svchost.exe
Token: SeRestorePrivilege	2184	svchost.exe
Token: SeBackupPrivilege	2184	svchost.exe
Token: SeBackupPrivilege	2184	svchost.exe
Token: SeSecurityPrivilege	2184	svchost.exe
Token: SeSecurityPrivilege	2184	svchost.exe
Token: SeBackupPrivilege	2184	svchost.exe
Token: SeBackupPrivilege	2184	svchost.exe
Token: SeSecurityPrivilege	2184	svchost.exe
Token: SeBackupPrivilege	2184	svchost.exe
Token: SeBackupPrivilege	2184	svchost.exe
Token: SeSecurityPrivilege	2184	svchost.exe
Token: SeBackupPrivilege	2184	svchost.exe
Token: SeRestorePrivilege	2184	svchost.exe
Token: SeBackupPrivilege	3548	svchost.exe
Token: SeRestorePrivilege	3548	svchost.exe
Token: SeBackupPrivilege	3548	svchost.exe
Token: SeBackupPrivilege	3548	svchost.exe
Token: SeSecurityPrivilege	3548	svchost.exe
Token: SeSecurityPrivilege	3548	svchost.exe
Token: SeBackupPrivilege	3548	svchost.exe
Token: SeBackupPrivilege	3548	svchost.exe
Token: SeSecurityPrivilege	3548	svchost.exe
Token: SeBackupPrivilege	3548	svchost.exe
Token: SeBackupPrivilege	3548	svchost.exe
Token: SeSecurityPrivilege	3548	svchost.exe
Token: SeBackupPrivilege	3548	svchost.exe
Token: SeRestorePrivilege	3548	svchost.exe
Token: SeBackupPrivilege	4392	svchost.exe
Token: SeRestorePrivilege	4392	svchost.exe
Token: SeBackupPrivilege	4392	svchost.exe
Token: SeBackupPrivilege	4392	svchost.exe
Token: SeSecurityPrivilege	4392	svchost.exe
Token: SeSecurityPrivilege	4392	svchost.exe
Token: SeBackupPrivilege	4392	svchost.exe
Token: SeBackupPrivilege	4392	svchost.exe
Token: SeSecurityPrivilege	4392	svchost.exe
Token: SeBackupPrivilege	4392	svchost.exe
Token: SeBackupPrivilege	4392	svchost.exe
Token: SeSecurityPrivilege	4392	svchost.exe
Token: SeBackupPrivilege	4392	svchost.exe
Token: SeRestorePrivilege	4392	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4984 wrote to memory of 5116	4984	27ab87898138d1f36d5ab65bca84dd02_JaffaCakes118.exe	85
PID 4984 wrote to memory of 5116	4984	27ab87898138d1f36d5ab65bca84dd02_JaffaCakes118.exe	85
PID 4984 wrote to memory of 5116	4984	27ab87898138d1f36d5ab65bca84dd02_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\27ab87898138d1f36d5ab65bca84dd02_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\27ab87898138d1f36d5ab65bca84dd02_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4984
- \??\c:\users\admin\appdata\local\lfdifuwore
  "C:\Users\Admin\AppData\Local\Temp\27ab87898138d1f36d5ab65bca84dd02_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\27ab87898138d1f36d5ab65bca84dd02_jaffacakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5116

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2184
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 756
  2⤵
  - Program crash
  PID:1176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2184 -ip 2184
1⤵
PID:412

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3548
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3548 -s 1100
  2⤵
  - Program crash
  PID:388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3548 -ip 3548
1⤵
PID:4816

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4392
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 1104
  2⤵
  - Program crash
  PID:2172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4392 -ip 4392
1⤵
PID:4872

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\lfdifuwore

Filesize
21.3MB

MD5
340ea1d21eab46924770aabb21cf5a1e

SHA1
f4aac75db170979c1b620f2d7c6d09a55bf2b5e3

SHA256
519de363f12177d35b8abcdbb8d04187907da7a9dfd205a750e2e187fb2499df

SHA512
6d9e780ed916a379805e9aaf0e900445573806ea4a3b78de309e8c47774707a267b760cd8c202437c273fc5e9b37ea5e4aab04efd272c19c135843dac506a3f2

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
198B

MD5
a0ff154aba5fcb5ea182b8a9c47ddad9

SHA1
0bb1b72719fe0f7920c8c585dc3e2f8ddc1e7b80

SHA256
d443858f8fea6db2da997f58c63a57df2dc461b594d6f93f546ffd962b5fc1f0

SHA512
10adc25a184da5710e6e396a41df734bbafef0de0c95f7d84a340deb0f552a2beb380baf79aa75ec3d924b1ee6c599fd643e808f19576afd339cfbc7ae477878

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
297B

MD5
d2f9ff0f3de7ff1748a6b38190758af4

SHA1
e47950d947301272b7b90ad122bd9f93f58190a9

SHA256
900e54bb042740f8418160ae25887545fe2f8863102db6381eb085685b0ccc4c

SHA512
099f914cd5b13b45b87554dcabea79314688ca96752824ac6d51a69323d18485215e37d5dcf6f492c85367b44feb5acd0cfeada40f505b21dc276bbcc56104ef

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\muhel.cc3

Filesize
19.1MB

MD5
ac05e04e05978cb2bc29b38bdc55f5e1

SHA1
d57dfe9f4fd78747e21c4f6e03faadb7737fb7ca

SHA256
e89f6eb314f68f99f54fd2e058a6d63f60707ba040c3dd96dadbda0fa813e630

SHA512
8268fd5c83848373d0d79bb88e48e8eed77a014999301a6a6da824dd2471c86a39a168ef9c84636b065cd2a9b727a2aea077f3b03df1783791ec503bd05ffe7a

Download Submit
memory/2184-20-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2184-18-0x0000000001600000-0x0000000001601000-memory.dmp

Filesize
4KB

Download
memory/3548-22-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/3548-25-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4392-30-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4984-8-0x0000000000400000-0x000000000044E330-memory.dmp

Filesize
312KB

Download
memory/4984-0-0x0000000000400000-0x000000000044E330-memory.dmp

Filesize
312KB

Download
memory/4984-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/5116-12-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/5116-17-0x0000000000400000-0x000000000044E330-memory.dmp

Filesize
312KB

Download
memory/5116-9-0x0000000000400000-0x000000000044E330-memory.dmp

Filesize
312KB

Download