gh0strat | 6426d30c2ea733e1518219eba8c3d70ebc3d6e98106f513c56f6ade6b93eb03c | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

3

3248fb9094...18.exe

windows7-x64

3248fb9094...18.exe

windows10-2004-x64

Sharing

General

Target

3248fb9094e25aa840005b9c763e2b00_JaffaCakes118
Size

188KB
Sample

240709-2p3nxszhkk
MD5

3248fb9094e25aa840005b9c763e2b00
SHA1

cacb6cdb354d4f8f8ce6ecd84a249bd4e849d6bd
SHA256

6426d30c2ea733e1518219eba8c3d70ebc3d6e98106f513c56f6ade6b93eb03c
SHA512

fad7db4f0df830a0856e286b4c2421b8e641bbf31766c277d4f083bdade1c64060f700be25ff0a55e27f32e153ea0aabdb4f90d4f47225e2b4d0a48d0404c3ce
SSDEEP

3072:lO3IMonogaQNJDVAkAEftr/TE9qnUkG+k+g0C7Ed51OO0nf9z8f+srZrNg:9ogaQLVAEtbT9nUzf7+51/6S+GZh

Score

10^/10

gh0strat bootkit persistence rat

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

3248fb9094e25aa840005b9c763e2b00_JaffaCakes118.exe

Resource

win7-20240704-en

gh0strat persistence rat

windows7-x64

6 signatures

150 seconds

Behavioral task

behavioral2

Sample

3248fb9094e25aa840005b9c763e2b00_JaffaCakes118.exe

Resource

win10v2004-20240709-en

gh0strat bootkit persistence rat

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Targets

- Target
  
  3248fb9094e25aa840005b9c763e2b00_JaffaCakes118
- Size
  
  188KB
- MD5
  
  3248fb9094e25aa840005b9c763e2b00
- SHA1
  
  cacb6cdb354d4f8f8ce6ecd84a249bd4e849d6bd
- SHA256
  
  6426d30c2ea733e1518219eba8c3d70ebc3d6e98106f513c56f6ade6b93eb03c
- SHA512
  
  fad7db4f0df830a0856e286b4c2421b8e641bbf31766c277d4f083bdade1c64060f700be25ff0a55e27f32e153ea0aabdb4f90d4f47225e2b4d0a48d0404c3ce
- SSDEEP
  
  3072:lO3IMonogaQNJDVAkAEftr/TE9qnUkG+k+g0C7Ed51OO0nf9z8f+srZrNg:9ogaQLVAEtbT9nUzf7+51/6S+GZh
Score

10^/10

gh0strat persistence rat bootkit
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Server Software Component: Terminal Services DLL
  persistence
- Deletes itself
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

Bootkit

Server Software Component

Terminal Services DLL

Privilege Escalation

Defense Evasion

Pre-OS Boot

Bootkit

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gh0stratpersistencerat

behavioral2

gh0stratbootkitpersistencerat

© 2018-2025

Terms | Privacy