gh0strat | a4f07814e923a75a96b0149fcd909e78d5f379b87a83b28c1247f711d896307a

Analysis

max time kernel
13s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09/07/2024, 15:08

Target

30df05a1a6dbce972af9c0a664545e20_JaffaCakes118.dll
Size

95KB
MD5

30df05a1a6dbce972af9c0a664545e20
SHA1

5f89094a73560e8f9b71e77bf749899024ed15c2
SHA256

a4f07814e923a75a96b0149fcd909e78d5f379b87a83b28c1247f711d896307a
SHA512

3f709b4db3010347dbae26d23a20d77da647710d74b0a069dc8819aec61c6c2ae2d7ef224f35c89f1d5974b091a61e7aa438192491d9bc3ce60eb271bb8e3b92
SSDEEP

1536:Pg6NFO+cZcdxuMk7sigzyBFwQPulcf/afsuCSxzPBV9S1HDav:o6NFHHdxqstzyBSQPul0/csuCkrBV9S8

Score

10^/10

gh0strat rat

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral1/memory/2364-3-0x0000000010000000-0x000000001001B000-memory.dmp	family_gh0strat
behavioral1/memory/2364-2-0x0000000010000000-0x000000001001B000-memory.dmp	family_gh0strat
behavioral1/memory/2364-1-0x0000000010000000-0x000000001001B000-memory.dmp	family_gh0strat
behavioral1/memory/2364-0-0x0000000010000000-0x000000001001B000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1140 wrote to memory of 2364	1140	rundll32.exe	30
PID 1140 wrote to memory of 2364	1140	rundll32.exe	30
PID 1140 wrote to memory of 2364	1140	rundll32.exe	30
PID 1140 wrote to memory of 2364	1140	rundll32.exe	30
PID 1140 wrote to memory of 2364	1140	rundll32.exe	30
PID 1140 wrote to memory of 2364	1140	rundll32.exe	30
PID 1140 wrote to memory of 2364	1140	rundll32.exe	30

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\30df05a1a6dbce972af9c0a664545e20_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\30df05a1a6dbce972af9c0a664545e20_JaffaCakes118.dll,#1
  2⤵
  PID:2364

memory/2364-3-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/2364-2-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/2364-1-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/2364-0-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download