gh0strat | 49d93e4b21fe4e5f552b08cc722d93fb1ca1f2e3b9c6834ee412424026d94a87

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
09-07-2024 05:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f22043d6b0d52119ecdf1f845767d7a_JaffaCakes118.exe
Size

153KB
MD5

2f22043d6b0d52119ecdf1f845767d7a
SHA1

86ac460ac78b4adffea5d46fba40091f16825418
SHA256

49d93e4b21fe4e5f552b08cc722d93fb1ca1f2e3b9c6834ee412424026d94a87
SHA512

ede5ec5c21fb1cf1d19b529d9edf39773e28cf517b6e74782750ed17f625718489a3797b0f4722ea86d0b40ed76aafe36931102405f669662fc741a26060489d
SSDEEP

3072:L0I5+JNTKhn6s5Yv4BAalyeMV4PMAkZz3JQf1CkNE66hc5Jeqovhe:QJJNCev4BLyeq5z5fkuXcJeqoQ

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 7 IoCs

resource	yara_rule
behavioral1/memory/2788-2-0x0000000000400000-0x0000000000427498-memory.dmp	family_gh0strat
behavioral1/memory/2788-4-0x0000000010000000-0x0000000010021000-memory.dmp	family_gh0strat
behavioral1/files/0x000c000000016c4a-7.dat	family_gh0strat
behavioral1/memory/2788-11-0x0000000010000000-0x0000000010021000-memory.dmp	family_gh0strat
behavioral1/memory/2788-12-0x0000000000400000-0x0000000000427498-memory.dmp	family_gh0strat
behavioral1/files/0x00080000000120f9-15.dat	family_gh0strat
behavioral1/memory/2420-16-0x0000000010000000-0x0000000010021000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
2420	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
2420	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Oklm\Tklmnopqr.jpg	2f22043d6b0d52119ecdf1f845767d7a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Oklm\Tklmnopqr.jpg	2f22043d6b0d52119ecdf1f845767d7a_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2788	2f22043d6b0d52119ecdf1f845767d7a_JaffaCakes118.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeBackupPrivilege	2788	2f22043d6b0d52119ecdf1f845767d7a_JaffaCakes118.exe
Token: SeRestorePrivilege	2788	2f22043d6b0d52119ecdf1f845767d7a_JaffaCakes118.exe
Token: SeBackupPrivilege	2788	2f22043d6b0d52119ecdf1f845767d7a_JaffaCakes118.exe
Token: SeRestorePrivilege	2788	2f22043d6b0d52119ecdf1f845767d7a_JaffaCakes118.exe
Token: SeBackupPrivilege	2788	2f22043d6b0d52119ecdf1f845767d7a_JaffaCakes118.exe
Token: SeRestorePrivilege	2788	2f22043d6b0d52119ecdf1f845767d7a_JaffaCakes118.exe
Token: SeBackupPrivilege	2788	2f22043d6b0d52119ecdf1f845767d7a_JaffaCakes118.exe
Token: SeRestorePrivilege	2788	2f22043d6b0d52119ecdf1f845767d7a_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\2f22043d6b0d52119ecdf1f845767d7a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2f22043d6b0d52119ecdf1f845767d7a_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2788

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
1⤵
- Deletes itself
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2420

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\1862400.dll

Filesize
122KB

MD5
507a5229363d13c8f4f6361cf4d135fe

SHA1
6bd05a3d4dc024e2d61bb82c2368b0360d1e6565

SHA256
692a09cc6008cb51cb43831227bdaea7c4b4ab67f9dbbad5a6325f0edb780e3b

SHA512
da63e5919c0e7561854aaf4c4791e8fbdebd439e6e09aee5237d8d8bed248579b66c957d06839ebdead6efee48c2d4a40845e9b09acdc20381c7bd4cd7035658

Download Submit
C:\Program Files (x86)\Oklm\Tklmnopqr.jpg

Filesize
12.7MB

MD5
0a56c2cc38ee6d37fc16e8e181bd2df1

SHA1
cca3f116cee7e6a677a2ce53993c1381271d7345

SHA256
b7279b1206fe6e0fcae219c28686401e9266b48cd4e8d3575b2b270eba37e303

SHA512
b4b15b4356c0e0607d6d863e78986b35dbe475b0ed38f21283017b15c93ca18fac8f6c9440eab000550a9d53e079a7c3815ecc3812c69068f09adbf79c38a6a6

Download Submit
\??\c:\NT_Path.jpg

Filesize
99B

MD5
889e59c52763a0a5b2fbe9b38c22660e

SHA1
ebd1a66c49bda8466742c82407af352a8cf3c4c0

SHA256
7fbe639382d7ecc1ef5d9a48354a6036639f14b5af12d4376e975b8f3150bc80

SHA512
bdee2a7d564160e6291c8b8bddb7618fde9e9feaaf644345afb5b854ef366083bc11e51534e62f57c5cd552329f5345cb31b962dc5da91fc82eb23ac488f2311

Download Submit
memory/2420-16-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/2788-2-0x0000000000400000-0x0000000000427498-memory.dmp

Filesize
157KB

Download
memory/2788-4-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/2788-11-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/2788-12-0x0000000000400000-0x0000000000427498-memory.dmp

Filesize
157KB

Download