gh0strat | c43c059a947c3053ae46797cb45987e054806550b0cdcde5d7b14c114cfb8143

General

Target

2c5da13302dd76586a5a47ebdad2ec6f_JaffaCakes118.exe
Size

828KB
MD5

2c5da13302dd76586a5a47ebdad2ec6f
SHA1

8fcafa3fa0c0f6776cb3600c06a8abffd46d211b
SHA256

c43c059a947c3053ae46797cb45987e054806550b0cdcde5d7b14c114cfb8143
SHA512

4fb9e26536234f029d25bd0cf6983fd313f557274f6466bd00925ea79393f74de2c87daf074573fdaa0fdc6bc9ac8a8404a3dbd85f8e8ff03fbf8171755b7594
SSDEEP

24576:5uSHcRYux5i7lo5u1cboJ7SJ0/u3frlAkevHPoHmr9a:kzK05izS8u3Tu3a

Score

10^/10

gh0strat evasion persistence rat themida

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/files/0x00090000000120f8-9.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 3 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{jdcxefml-btle-iimh-nglc-fprbencbrejy}	2c5da13302dd76586a5a47ebdad2ec6f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{jdcxefml-btle-iimh-nglc-fprbencbrejy}\ = "ÏµÍ³ÉèÖÃ"	2c5da13302dd76586a5a47ebdad2ec6f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{jdcxefml-btle-iimh-nglc-fprbencbrejy}\stubpath = "C:\\Windows\\system32\\inlsmacbt.exe"	2c5da13302dd76586a5a47ebdad2ec6f_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2968	inlsmacbt.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Wine	2c5da13302dd76586a5a47ebdad2ec6f_JaffaCakes118.exe
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Wine	inlsmacbt.exe

Loads dropped DLL 4 IoCs

pid	Process
2668	2c5da13302dd76586a5a47ebdad2ec6f_JaffaCakes118.exe
2968	inlsmacbt.exe
2968	inlsmacbt.exe
2968	inlsmacbt.exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2668-0-0x0000000000400000-0x0000000000586000-memory.dmp	themida
behavioral1/files/0x00090000000120f8-9.dat	themida
behavioral1/memory/2668-11-0x0000000000400000-0x0000000000586000-memory.dmp	themida
behavioral1/memory/2968-20-0x0000000000400000-0x0000000000586000-memory.dmp	themida

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\inlsmacbt.exe	2c5da13302dd76586a5a47ebdad2ec6f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\inlsmacbt.exe_lang.ini	2c5da13302dd76586a5a47ebdad2ec6f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\inlsmacbt.exe_lang.ini	2c5da13302dd76586a5a47ebdad2ec6f_JaffaCakes118.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2668	2c5da13302dd76586a5a47ebdad2ec6f_JaffaCakes118.exe
2968	inlsmacbt.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2668	2c5da13302dd76586a5a47ebdad2ec6f_JaffaCakes118.exe
2668	2c5da13302dd76586a5a47ebdad2ec6f_JaffaCakes118.exe
2968	inlsmacbt.exe
2968	inlsmacbt.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2668	2c5da13302dd76586a5a47ebdad2ec6f_JaffaCakes118.exe
Token: SeDebugPrivilege	2968	inlsmacbt.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2968	2668	2c5da13302dd76586a5a47ebdad2ec6f_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2968	2668	2c5da13302dd76586a5a47ebdad2ec6f_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2968	2668	2c5da13302dd76586a5a47ebdad2ec6f_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2968	2668	2c5da13302dd76586a5a47ebdad2ec6f_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2968	2668	2c5da13302dd76586a5a47ebdad2ec6f_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2968	2668	2c5da13302dd76586a5a47ebdad2ec6f_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2968	2668	2c5da13302dd76586a5a47ebdad2ec6f_JaffaCakes118.exe	30
PID 2968 wrote to memory of 288	2968	inlsmacbt.exe	31
PID 2968 wrote to memory of 288	2968	inlsmacbt.exe	31
PID 2968 wrote to memory of 288	2968	inlsmacbt.exe	31
PID 2968 wrote to memory of 288	2968	inlsmacbt.exe	31
PID 2968 wrote to memory of 288	2968	inlsmacbt.exe	31
PID 2968 wrote to memory of 288	2968	inlsmacbt.exe	31
PID 2968 wrote to memory of 288	2968	inlsmacbt.exe	31
PID 2968 wrote to memory of 288	2968	inlsmacbt.exe	31

C:\Users\Admin\AppData\Local\Temp\2c5da13302dd76586a5a47ebdad2ec6f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2c5da13302dd76586a5a47ebdad2ec6f_JaffaCakes118.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\SysWOW64\inlsmacbt.exe
  C:\Windows\system32\inlsmacbt.exe
  2⤵
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\SysWOW64\userinit.exe
    userinit.exe
    3⤵
    PID:288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Active Setup

1

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Active Setup

1

T1547.014

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

1

T1012

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259454981_lang.dll

Filesize
114KB

MD5
8ba777cd818a8947d03c2f0e97eba407

SHA1
a69d69f4eeeab4d46ac7e45e7f6e86d73fb9ef36

SHA256
a3fad415359d93ad8fa101fd665340f00294e4871b1225dde423b3c14c30e1a3

SHA512
804010be4c9874f1e65442fa7448d0a1da63b265666581faf53c3cce837d3d63789256b4d1c703bb08cd434898f501192e51e1950fe515aa7b2ea581d7b8cce5

Download Submit
C:\Windows\SysWOW64\inlsmacbt.exe

Filesize
828KB

MD5
b464464379945bebfb20ea1a8cdfd863

SHA1
934548af7a43503a78047e2916796c3e9b36a360

SHA256
a021d4c75afc0b444d06d823bbc6844186439e366a6a80aa5963495e9634a8ec

SHA512
90bef811461b8b82dffe9a50480e34144f9ebda13698bc376b7f844d43d44a05a6d9ca2f8155b60044e25c42e3ec1eb6e92d48eb64c9465aecaf7547847300ae

Download Submit
memory/288-19-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2668-1-0x0000000000C90000-0x0000000000E16000-memory.dmp

Filesize
1.5MB

Download
memory/2668-0-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/2668-2-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download
memory/2668-11-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/2968-16-0x0000000000D20000-0x0000000000EA6000-memory.dmp

Filesize
1.5MB

Download
memory/2968-21-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download
memory/2968-20-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads