gh0strat | 1dc6a4e5fabf3ae648d3f7f4e58bb45c584b59fd4a0323de02e59765114c6d9c

Analysis

max time kernel
150s
max time network
128s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
08-07-2024 01:18

Target

2a79e41003bd0be1b9c05478d701b6e0_JaffaCakes118.exe
Size

234KB
MD5

2a79e41003bd0be1b9c05478d701b6e0
SHA1

1c16edc78c6e535cdf0e4e44ac6e45453949eacf
SHA256

1dc6a4e5fabf3ae648d3f7f4e58bb45c584b59fd4a0323de02e59765114c6d9c
SHA512

d0b5c37d75cdfdd95bc3e1695ecd56cf346f5c2eb51d505d47b49425bdbc2ec7ff7a78acad25be9591f73a8ba55935fe2ba07215563c73ff9a40d49946671095
SSDEEP

3072:WpTBizAiqdhoCylcf76jFLm5qfuMq8Z+FqXs8cDNqR/nu5/ABslHk:WpVSqdwFq5qmM+F1rDYnQ/Ab

Score

10^/10

gh0strat rat

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral1/memory/2612-5-0x0000000000400000-0x000000000043C000-memory.dmp	family_gh0strat
behavioral1/files/0x0008000000016d46-6.dat	family_gh0strat
behavioral1/memory/2776-7-0x0000000010000000-0x0000000010020000-memory.dmp	family_gh0strat
behavioral1/memory/2776-9-0x0000000010000000-0x0000000010020000-memory.dmp	family_gh0strat
behavioral1/memory/2776-12-0x0000000010000000-0x0000000010020000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
2776	rundll32.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\linkinfo.dll	2a79e41003bd0be1b9c05478d701b6e0_JaffaCakes118.exe
File opened for modification	C:\Windows\linkinfo.dll	2a79e41003bd0be1b9c05478d701b6e0_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2612	2a79e41003bd0be1b9c05478d701b6e0_JaffaCakes118.exe
2612	2a79e41003bd0be1b9c05478d701b6e0_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2776	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2612	2976	2a79e41003bd0be1b9c05478d701b6e0_JaffaCakes118.exe	30
PID 2976 wrote to memory of 2612	2976	2a79e41003bd0be1b9c05478d701b6e0_JaffaCakes118.exe	30
PID 2976 wrote to memory of 2612	2976	2a79e41003bd0be1b9c05478d701b6e0_JaffaCakes118.exe	30
PID 2976 wrote to memory of 2612	2976	2a79e41003bd0be1b9c05478d701b6e0_JaffaCakes118.exe	30
PID 2612 wrote to memory of 2320	2612	2a79e41003bd0be1b9c05478d701b6e0_JaffaCakes118.exe	31
PID 2612 wrote to memory of 2320	2612	2a79e41003bd0be1b9c05478d701b6e0_JaffaCakes118.exe	31
PID 2612 wrote to memory of 2320	2612	2a79e41003bd0be1b9c05478d701b6e0_JaffaCakes118.exe	31
PID 2612 wrote to memory of 2320	2612	2a79e41003bd0be1b9c05478d701b6e0_JaffaCakes118.exe	31
PID 2320 wrote to memory of 2776	2320	cmd.exe	33
PID 2320 wrote to memory of 2776	2320	cmd.exe	33
PID 2320 wrote to memory of 2776	2320	cmd.exe	33
PID 2320 wrote to memory of 2776	2320	cmd.exe	33
PID 2320 wrote to memory of 2776	2320	cmd.exe	33
PID 2320 wrote to memory of 2776	2320	cmd.exe	33
PID 2320 wrote to memory of 2776	2320	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\2a79e41003bd0be1b9c05478d701b6e0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2a79e41003bd0be1b9c05478d701b6e0_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Users\Admin\AppData\Local\Temp\2a79e41003bd0be1b9c05478d701b6e0_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\2a79e41003bd0be1b9c05478d701b6e0_JaffaCakes118.exe
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c rundll32.exe C:\Windows\linkinfo.dll hi
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Windows\linkinfo.dll hi
      4⤵
      Deletes itself
      Suspicious behavior: GetForegroundWindowSpam
      PID:2776

C:\Windows\linkinfo.dll

Filesize
119KB

MD5
4b0142479deed1971340aa9a30a4f440

SHA1
c6664a423710289805f935798b2ac232d7d0caba

SHA256
6486435e19bcb0054eed429d20e441a889ac0a02bd12e3ba17eea2cee485d78b

SHA512
74a72a726f2b625342c3d55579050bc1938cc866ea629f71cf293e0648d1a4e43af4f623ec96f93eba86efca216e37ab3f5211e015e45101372f811663db8f1d

Download Submit
memory/2612-2-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2612-5-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2776-7-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2776-9-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2776-12-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2976-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2976-1-0x0000000000220000-0x000000000025C000-memory.dmp

Filesize
240KB

Download
memory/2976-8-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download