gh0strat | 6368bf11e2f8ab14bccd64a0113597bdde56e1ca8f6536245406a3a161d5b918

Analysis

max time kernel
150s
max time network
133s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
09-07-2024 00:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e59c4d71f8033589f0be91f9e5757bb_JaffaCakes118.exe
Size

100KB
MD5

2e59c4d71f8033589f0be91f9e5757bb
SHA1

488f21ba7a158c1b6262b3f71be51ccee86dbe7e
SHA256

6368bf11e2f8ab14bccd64a0113597bdde56e1ca8f6536245406a3a161d5b918
SHA512

a7abbeecbc4c9e7ddda59ca5f57cb7f279399f5a838afa81bf0ca75d74bd9f332220feb2507baecb331d8e50654a068bc0ae5b305590acbad27b949917abaf16
SSDEEP

3072:A096cn8VQpSTlnqcWCeVRPVc5WLJPkE44K:d96cn8+pShnsFRNW2JPkEq

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral1/files/0x00080000000120f9-4.dat	family_gh0strat
behavioral1/memory/2128-5-0x0000000015000000-0x000000001501B000-memory.dmp	family_gh0strat
behavioral1/memory/2128-10-0x0000000015000000-0x000000001501B000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\WINDOWS\\woFastUserSwitchingCompatibilitykao.dll"	2e59c4d71f8033589f0be91f9e5757bb_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2128	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\woFastUserSwitchingCompatibilitykao.dll	2e59c4d71f8033589f0be91f9e5757bb_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
348	2e59c4d71f8033589f0be91f9e5757bb_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\2e59c4d71f8033589f0be91f9e5757bb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2e59c4d71f8033589f0be91f9e5757bb_JaffaCakes118.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:348

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Deletes itself
PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\wofastuserswitchingcompatibilitykao.dll

Filesize
89KB

MD5
18b8e18fb0702f6aa4ed66514ae2dcbd

SHA1
c923cd1b5a7a97f73b7bf8165d0650200fb62aa2

SHA256
5297771f7595eb20974433f85dd65d618f692c0771f190cd590cacb09aa2d5f9

SHA512
105ee34486938e7adbf68e64360dae32c1f541f8b28150890063150055258fde1328621533dec919b6190bcea11c381f1ff1a92a8f6b61ac80dda9f48a7904cb

Download Submit
memory/348-0-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/2128-5-0x0000000015000000-0x000000001501B000-memory.dmp

Filesize
108KB

Download
memory/2128-10-0x0000000015000000-0x000000001501B000-memory.dmp

Filesize
108KB

Download