gh0strat | a81b17abad6f4d55fdd83bcd2a0b94fea3513c240b9fc82d4a6db325fcbad640

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
09/07/2024, 13:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

307dd7e5136afdf736b43a74b81a413e_JaffaCakes118.exe
Size

224KB
MD5

307dd7e5136afdf736b43a74b81a413e
SHA1

155ebb644c0ac3b30865aa26b1ca883bce3b8a60
SHA256

a81b17abad6f4d55fdd83bcd2a0b94fea3513c240b9fc82d4a6db325fcbad640
SHA512

1ca1f2bcbe1d14a52bcafcdb01624cc5efad8be7b5998332f5def68b09ebd9771047007a370925b120438f0e7c4583fd3df8c18059c8697d700d507dcf6b30e5
SSDEEP

3072:rb8IM9D5woXXreupOnXY8/ZnLSpWKaIWHnDFoo97pzJ+nYkOCwynsVvRokCB/bnv:0IUWJlfQw+oJpzmfwssLJC5opH9DH3zc

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/2792-89-0x0000000000400000-0x0000000000432000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
2064	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2792	ki1259A.tmp
1636	inl2E62.tmp

Loads dropped DLL 5 IoCs

pid	Process
2144	cmd.exe
2004	cmd.exe
2004	cmd.exe
2212	MsiExec.exe
2212	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\loader.dll	ki1259A.tmp
File created	C:\Program Files\Common Files\lanmao.dll	ki1259A.tmp

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\WINDOWS\vbcfg.ini	ki1259A.tmp
File created	C:\Windows\Installer\f772efc.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f772efc.msi	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\Installer\MSI3498.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3506.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2696	307dd7e5136afdf736b43a74b81a413e_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2608	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2608	msiexec.exe
Token: SeRestorePrivilege	2616	msiexec.exe
Token: SeTakeOwnershipPrivilege	2616	msiexec.exe
Token: SeSecurityPrivilege	2616	msiexec.exe
Token: SeCreateTokenPrivilege	2608	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2608	msiexec.exe
Token: SeLockMemoryPrivilege	2608	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2608	msiexec.exe
Token: SeMachineAccountPrivilege	2608	msiexec.exe
Token: SeTcbPrivilege	2608	msiexec.exe
Token: SeSecurityPrivilege	2608	msiexec.exe
Token: SeTakeOwnershipPrivilege	2608	msiexec.exe
Token: SeLoadDriverPrivilege	2608	msiexec.exe
Token: SeSystemProfilePrivilege	2608	msiexec.exe
Token: SeSystemtimePrivilege	2608	msiexec.exe
Token: SeProfSingleProcessPrivilege	2608	msiexec.exe
Token: SeIncBasePriorityPrivilege	2608	msiexec.exe
Token: SeCreatePagefilePrivilege	2608	msiexec.exe
Token: SeCreatePermanentPrivilege	2608	msiexec.exe
Token: SeBackupPrivilege	2608	msiexec.exe
Token: SeRestorePrivilege	2608	msiexec.exe
Token: SeShutdownPrivilege	2608	msiexec.exe
Token: SeDebugPrivilege	2608	msiexec.exe
Token: SeAuditPrivilege	2608	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2608	msiexec.exe
Token: SeChangeNotifyPrivilege	2608	msiexec.exe
Token: SeRemoteShutdownPrivilege	2608	msiexec.exe
Token: SeUndockPrivilege	2608	msiexec.exe
Token: SeSyncAgentPrivilege	2608	msiexec.exe
Token: SeEnableDelegationPrivilege	2608	msiexec.exe
Token: SeManageVolumePrivilege	2608	msiexec.exe
Token: SeImpersonatePrivilege	2608	msiexec.exe
Token: SeCreateGlobalPrivilege	2608	msiexec.exe
Token: SeRestorePrivilege	2616	msiexec.exe
Token: SeTakeOwnershipPrivilege	2616	msiexec.exe
Token: SeIncBasePriorityPrivilege	2696	307dd7e5136afdf736b43a74b81a413e_JaffaCakes118.exe
Token: SeRestorePrivilege	2616	msiexec.exe
Token: SeTakeOwnershipPrivilege	2616	msiexec.exe
Token: SeRestorePrivilege	2616	msiexec.exe
Token: SeTakeOwnershipPrivilege	2616	msiexec.exe
Token: SeIncBasePriorityPrivilege	1636	inl2E62.tmp

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 2144	2696	307dd7e5136afdf736b43a74b81a413e_JaffaCakes118.exe	30
PID 2696 wrote to memory of 2144	2696	307dd7e5136afdf736b43a74b81a413e_JaffaCakes118.exe	30
PID 2696 wrote to memory of 2144	2696	307dd7e5136afdf736b43a74b81a413e_JaffaCakes118.exe	30
PID 2696 wrote to memory of 2144	2696	307dd7e5136afdf736b43a74b81a413e_JaffaCakes118.exe	30
PID 2144 wrote to memory of 2792	2144	cmd.exe	32
PID 2144 wrote to memory of 2792	2144	cmd.exe	32
PID 2144 wrote to memory of 2792	2144	cmd.exe	32
PID 2144 wrote to memory of 2792	2144	cmd.exe	32
PID 2144 wrote to memory of 2792	2144	cmd.exe	32
PID 2144 wrote to memory of 2792	2144	cmd.exe	32
PID 2144 wrote to memory of 2792	2144	cmd.exe	32
PID 2696 wrote to memory of 2608	2696	307dd7e5136afdf736b43a74b81a413e_JaffaCakes118.exe	33
PID 2696 wrote to memory of 2608	2696	307dd7e5136afdf736b43a74b81a413e_JaffaCakes118.exe	33
PID 2696 wrote to memory of 2608	2696	307dd7e5136afdf736b43a74b81a413e_JaffaCakes118.exe	33
PID 2696 wrote to memory of 2608	2696	307dd7e5136afdf736b43a74b81a413e_JaffaCakes118.exe	33
PID 2696 wrote to memory of 2608	2696	307dd7e5136afdf736b43a74b81a413e_JaffaCakes118.exe	33
PID 2696 wrote to memory of 2608	2696	307dd7e5136afdf736b43a74b81a413e_JaffaCakes118.exe	33
PID 2696 wrote to memory of 2608	2696	307dd7e5136afdf736b43a74b81a413e_JaffaCakes118.exe	33
PID 2696 wrote to memory of 2004	2696	307dd7e5136afdf736b43a74b81a413e_JaffaCakes118.exe	35
PID 2696 wrote to memory of 2004	2696	307dd7e5136afdf736b43a74b81a413e_JaffaCakes118.exe	35
PID 2696 wrote to memory of 2004	2696	307dd7e5136afdf736b43a74b81a413e_JaffaCakes118.exe	35
PID 2696 wrote to memory of 2004	2696	307dd7e5136afdf736b43a74b81a413e_JaffaCakes118.exe	35
PID 2696 wrote to memory of 2268	2696	307dd7e5136afdf736b43a74b81a413e_JaffaCakes118.exe	37
PID 2696 wrote to memory of 2268	2696	307dd7e5136afdf736b43a74b81a413e_JaffaCakes118.exe	37
PID 2696 wrote to memory of 2268	2696	307dd7e5136afdf736b43a74b81a413e_JaffaCakes118.exe	37
PID 2696 wrote to memory of 2268	2696	307dd7e5136afdf736b43a74b81a413e_JaffaCakes118.exe	37
PID 2696 wrote to memory of 2064	2696	307dd7e5136afdf736b43a74b81a413e_JaffaCakes118.exe	39
PID 2696 wrote to memory of 2064	2696	307dd7e5136afdf736b43a74b81a413e_JaffaCakes118.exe	39
PID 2696 wrote to memory of 2064	2696	307dd7e5136afdf736b43a74b81a413e_JaffaCakes118.exe	39
PID 2696 wrote to memory of 2064	2696	307dd7e5136afdf736b43a74b81a413e_JaffaCakes118.exe	39
PID 2268 wrote to memory of 1228	2268	cmd.exe	41
PID 2268 wrote to memory of 1228	2268	cmd.exe	41
PID 2268 wrote to memory of 1228	2268	cmd.exe	41
PID 2268 wrote to memory of 1228	2268	cmd.exe	41
PID 2004 wrote to memory of 1636	2004	cmd.exe	42
PID 2004 wrote to memory of 1636	2004	cmd.exe	42
PID 2004 wrote to memory of 1636	2004	cmd.exe	42
PID 2004 wrote to memory of 1636	2004	cmd.exe	42
PID 2616 wrote to memory of 2212	2616	msiexec.exe	43
PID 2616 wrote to memory of 2212	2616	msiexec.exe	43
PID 2616 wrote to memory of 2212	2616	msiexec.exe	43
PID 2616 wrote to memory of 2212	2616	msiexec.exe	43
PID 2616 wrote to memory of 2212	2616	msiexec.exe	43
PID 2616 wrote to memory of 2212	2616	msiexec.exe	43
PID 2616 wrote to memory of 2212	2616	msiexec.exe	43
PID 1636 wrote to memory of 2120	1636	inl2E62.tmp	45
PID 1636 wrote to memory of 2120	1636	inl2E62.tmp	45
PID 1636 wrote to memory of 2120	1636	inl2E62.tmp	45
PID 1636 wrote to memory of 2120	1636	inl2E62.tmp	45

C:\Users\Admin\AppData\Local\Temp\307dd7e5136afdf736b43a74b81a413e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\307dd7e5136afdf736b43a74b81a413e_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\run_kl_file.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Users\Admin\AppData\Local\Temp\ki1259A.tmp
    C:\Users\Admin\AppData\Local\Temp\ki1259A.tmp
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:2792
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ins2B17.tmp.msi" /quiet
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  PID:2608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Users\Admin\AppData\Local\Temp\inl2E62.tmp
    C:\Users\Admin\AppData\Local\Temp\inl2E62.tmp cdf1912.tmp
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1636
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inl2E62.tmp > nul
      4⤵
      PID:2120
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\SysWOW64\expand.exe
    expand.exe "C:\Users\Admin\AppData\Local\Temp\favorites_url.cab" -F:*.* "C:\Users\Admin\Favorites"
    3⤵
    - Drops file in Windows directory
    PID:1228
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\307DD7~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2064

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E9D091CF277651AA29F5054681DCC285
  2⤵
  - Loads dropped DLL
  PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp

Filesize
765B

MD5
a4a4219ce5fdbaf2864b04ca4e453ac9

SHA1
98bf1383e8b2f4db0388ee139ae7fe06ff7a67a9

SHA256
7ce64a6d79d1772713cf59d6575aec39f9fa00690d4c84cd2f160081b0d412c6

SHA512
22f5668719a58a4c1692ceb8aae48af9d5a53527d96431410587fa1f3f67ec9b5f0660c87fa9d931343e1be9b0f56f03c3fcd431cc2d67b104450b2ef792baa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat

Filesize
57B

MD5
a201fc4bd2d8e665a48bfb0dea197509

SHA1
37795d73ecb7c011843fd1a2b67095c1bb43b47a

SHA256
ee9e70c5f22a4b8fb3fbda1cf69a0f653daa1a376dd1c3a87513d301512db313

SHA512
63e14dad303bde06f0af1438598f08866e36b2e3f677b855f4a01ab4f7342dc5dd3535553def133c7e0b2f5c17dc198fdbf19814a021196d2dd775451b2882d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\run_kl_file.bat

Filesize
45B

MD5
12b89af2d4812f655e67ac644f8a7b6a

SHA1
db53d6442fb5697d233dea8ccd9fbaa02b04d1ea

SHA256
f41cf22ba9171904a2423dc9374aa67a5f22c808978badbf1f312f49b76dbaa8

SHA512
4aaf796b208acb46eb7ba5deaa4328b63c7db1f185712248949a57a2e61d166ba38bae85245b066b3c02d007146dfabf01a213b7010949f7b5a04afe9c7f5f28

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat

Filesize
98B

MD5
8663de6fce9208b795dc913d1a6a3f5b

SHA1
882193f208cf012eaf22eeaa4fef3b67e7c67c15

SHA256
2909ea8555f2fc19097c1070a1da8fcfd6dc6886aa1d99d7e0c05e53feeb5b61

SHA512
9381063e0f85e874be54ae22675393b82c6ab54b223090148e4acbeff6f22393c96c90b83d6538461b695528af01d1f1231cf5dc719f07d6168386974b490688

Download Submit
\??\c:\users\admin\appdata\local\temp\favorites_url.cab

Filesize
425B

MD5
da68bc3b7c3525670a04366bc55629f5

SHA1
15fda47ecfead7db8f7aee6ca7570138ba7f1b71

SHA256
73f3605192b676c92649034768378909a19d13883a7ea6f8ba1b096c78ffadb5

SHA512
6fee416affcb6a74621479697bca6f14f5429b00de3aa595abe3c60c6b2e094877b59f8783bbe7bdd567fa565d0630bb02def5603f8f0ea92fe8f2c3ac5383c0

Download Submit
\Windows\Installer\MSI3498.tmp

Filesize
48KB

MD5
9067aad412defc0d2888479609041392

SHA1
36cfffc3bafeb24f88ad5886ca5787ca008b6ba9

SHA256
99f4e00b6908057a2fe5067ff6c8b6e32b5c07558ab79139dc4b998f1da4b517

SHA512
e69f259d78b02e6c1a5d9c45898b59372329a5288fff655dd741353f112b2b8eed18b01caa2bf312a91f5e314e1c0b036321b37c8efbebdcf3650ba6b12dee6a

Download Submit
memory/1636-90-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2144-18-0x0000000000270000-0x00000000002A2000-memory.dmp

Filesize
200KB

Download
memory/2696-12-0x0000000000640000-0x0000000000650000-memory.dmp

Filesize
64KB

Download
memory/2696-0-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2696-52-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2696-54-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2696-1-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2792-20-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/2792-19-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2792-89-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download