gh0strat | e0f619da87637abd456d750cd68fc651e429cc352cc5e17fda6bd974a9452037

General

Target

34d3e39b77b23344dec3fae6e5fda55e_JaffaCakes118.exe
Size

287KB
MD5

34d3e39b77b23344dec3fae6e5fda55e
SHA1

e40e009adf48f31e1b8fd54e062d60370b8fabf1
SHA256

e0f619da87637abd456d750cd68fc651e429cc352cc5e17fda6bd974a9452037
SHA512

42aec53aa99c455ff0f13e1eb2d2fe32372ef07bf8742147f494542c7a56a30e53cdaa428ba2d2acd2d9e8d56f3e7f471a697e86f1905422309a374f859dc44a
SSDEEP

6144:IFw8wzBhaEUJ45mbS75gov65lvOrxRMiA4mhg6RHFl5GWdblky260BF6i5:IFszBhqS5mYCrvQRpA7hHeWd5c61i5

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000016b85-20.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 2 IoCs

pid	Process
456	uharc.exe
2828	svchost.exe

Loads dropped DLL 6 IoCs

pid	Process
2368	34d3e39b77b23344dec3fae6e5fda55e_JaffaCakes118.exe
2368	34d3e39b77b23344dec3fae6e5fda55e_JaffaCakes118.exe
2368	34d3e39b77b23344dec3fae6e5fda55e_JaffaCakes118.exe
2828	svchost.exe
2828	svchost.exe
2828	svchost.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000016688-5.dat	upx
behavioral1/memory/456-14-0x0000000000400000-0x0000000000492000-memory.dmp	upx
behavioral1/memory/456-19-0x0000000000400000-0x0000000000492000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\V2011 = "C:\\WINDOWS\\V2011.exe"	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\V2011.exe	svchost.exe
File opened for modification	C:\WINDOWS\V2011.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2828	svchost.exe
2828	svchost.exe
2828	svchost.exe
2828	svchost.exe
2828	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2828	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2828	svchost.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 456	2368	34d3e39b77b23344dec3fae6e5fda55e_JaffaCakes118.exe	29
PID 2368 wrote to memory of 456	2368	34d3e39b77b23344dec3fae6e5fda55e_JaffaCakes118.exe	29
PID 2368 wrote to memory of 456	2368	34d3e39b77b23344dec3fae6e5fda55e_JaffaCakes118.exe	29
PID 2368 wrote to memory of 456	2368	34d3e39b77b23344dec3fae6e5fda55e_JaffaCakes118.exe	29
PID 2368 wrote to memory of 456	2368	34d3e39b77b23344dec3fae6e5fda55e_JaffaCakes118.exe	29
PID 2368 wrote to memory of 456	2368	34d3e39b77b23344dec3fae6e5fda55e_JaffaCakes118.exe	29
PID 2368 wrote to memory of 456	2368	34d3e39b77b23344dec3fae6e5fda55e_JaffaCakes118.exe	29
PID 2368 wrote to memory of 2828	2368	34d3e39b77b23344dec3fae6e5fda55e_JaffaCakes118.exe	31
PID 2368 wrote to memory of 2828	2368	34d3e39b77b23344dec3fae6e5fda55e_JaffaCakes118.exe	31
PID 2368 wrote to memory of 2828	2368	34d3e39b77b23344dec3fae6e5fda55e_JaffaCakes118.exe	31
PID 2368 wrote to memory of 2828	2368	34d3e39b77b23344dec3fae6e5fda55e_JaffaCakes118.exe	31
PID 2368 wrote to memory of 2828	2368	34d3e39b77b23344dec3fae6e5fda55e_JaffaCakes118.exe	31
PID 2368 wrote to memory of 2828	2368	34d3e39b77b23344dec3fae6e5fda55e_JaffaCakes118.exe	31
PID 2368 wrote to memory of 2828	2368	34d3e39b77b23344dec3fae6e5fda55e_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\34d3e39b77b23344dec3fae6e5fda55e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\34d3e39b77b23344dec3fae6e5fda55e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\uharc.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\uharc.exe" e file.uha
  2⤵
  - Executes dropped EXE
  PID:456
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.uha

Filesize
85KB

MD5
fefd32bde7c83138621c449a9546b40c

SHA1
b9761504c9789c611f0d33fed649a499ca6784c4

SHA256
77041569ebee2147fa0a3c4535e5ea3160ca0e2907a01e87cb56de61a1dd691b

SHA512
4ba7772b9f4f4160b6530ccfb763ede91428f0f1c3425d0ed4147cbc352a821d07e6af8b0b1b4c32c6dfb240069663e14b29c988004335ccf7f22cc783515250

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\svchost.exe

Filesize
220KB

MD5
97dcdc232dc27eda676ab34afc42457f

SHA1
02f83b445f61de7fd60b2d2c51b946e6af49489a

SHA256
ae641a22edd9c372ff83f4e26bc1e624b0b9b4136c98e92590b115da18b6a7bb

SHA512
8e47ddc30b81cc0d60f527bc87f6373fe61d376d4582ad5285338102c489932aba9f6dab468587199bf47bf5db5b60f9a194577423bbbe467bfb725828959c0a

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\UHARC.exe

Filesize
108KB

MD5
50ce184e4cf489dac8b75a6023f67020

SHA1
7d407c0765e0cbfdd5e1e609f645f1673ec961d2

SHA256
e0baf423024a8cbc6d7ff66c8890f7b2835a801faa7244912c0181d6fe178388

SHA512
ae42fb065adceafa218c45862474d2e6d131a1f8620e9db2a8bd081b10a9059b9b5c5e6c9b104dead6e17d51d76c7dddb13d93248a0f617e181d5c469caf3e3f

Download Submit
memory/456-14-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/456-19-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/2368-12-0x0000000003410000-0x00000000034A2000-memory.dmp

Filesize
584KB

Download
memory/2368-13-0x0000000003410000-0x00000000034A2000-memory.dmp

Filesize
584KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads