gh0strat | 6426d30c2ea733e1518219eba8c3d70ebc3d6e98106f513c56f6ade6b93eb03c

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 22:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3248fb9094e25aa840005b9c763e2b00_JaffaCakes118.exe
Size

188KB
MD5

3248fb9094e25aa840005b9c763e2b00
SHA1

cacb6cdb354d4f8f8ce6ecd84a249bd4e849d6bd
SHA256

6426d30c2ea733e1518219eba8c3d70ebc3d6e98106f513c56f6ade6b93eb03c
SHA512

fad7db4f0df830a0856e286b4c2421b8e641bbf31766c277d4f083bdade1c64060f700be25ff0a55e27f32e153ea0aabdb4f90d4f47225e2b4d0a48d0404c3ce
SSDEEP

3072:lO3IMonogaQNJDVAkAEftr/TE9qnUkG+k+g0C7Ed51OO0nf9z8f+srZrNg:9ogaQLVAEtbT9nUzf7+51/6S+GZh

Score

10^/10

gh0strat bootkit persistence rat

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000200000001e798-3.dat	family_gh0strat
behavioral2/memory/4956-5-0x0000000010000000-0x0000000010027000-memory.dmp	family_gh0strat
behavioral2/memory/5512-6-0x0000000000400000-0x0000000000430000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\fastuserswitchingcompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\padsw.ref"	3248fb9094e25aa840005b9c763e2b00_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
4956	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
4956	svchost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\padsw.ref	3248fb9094e25aa840005b9c763e2b00_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\d2f5ca0e.del	3248fb9094e25aa840005b9c763e2b00_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7"	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5512	3248fb9094e25aa840005b9c763e2b00_JaffaCakes118.exe
5512	3248fb9094e25aa840005b9c763e2b00_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeBackupPrivilege	4956	svchost.exe
Token: SeSecurityPrivilege	4956	svchost.exe
Token: SeSecurityPrivilege	4956	svchost.exe
Token: SeBackupPrivilege	4956	svchost.exe
Token: SeSecurityPrivilege	4956	svchost.exe
Token: SeBackupPrivilege	4956	svchost.exe
Token: SeSecurityPrivilege	4956	svchost.exe

C:\Users\Admin\AppData\Local\Temp\3248fb9094e25aa840005b9c763e2b00_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3248fb9094e25aa840005b9c763e2b00_JaffaCakes118.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:5512

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Deletes itself
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\padsw.ref

Filesize
148KB

MD5
669cd757dd288078f9ee043c7885d5fe

SHA1
00b3683f9bdab2ff9a35570b7eeabb4bcb87a091

SHA256
e20f592385775276765f4c8ca9d2cb09d327bd43a7999f395a1e8934c38a98da

SHA512
64c3b88b9a8bf3bec0fba89ebb80d2f864ca6a7cc18a8ab3786d7727f0f90030d91bea2d1f2e3cf88bce2826c6597d254d21a37de97f468d3920259984d475d8

Download Submit
memory/4956-5-0x0000000010000000-0x0000000010027000-memory.dmp

Filesize
156KB

Download
memory/5512-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5512-6-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download