gh0strat | e0f619da87637abd456d750cd68fc651e429cc352cc5e17fda6bd974a9452037

General

Target

34d3e39b77b23344dec3fae6e5fda55e_JaffaCakes118.exe
Size

287KB
MD5

34d3e39b77b23344dec3fae6e5fda55e
SHA1

e40e009adf48f31e1b8fd54e062d60370b8fabf1
SHA256

e0f619da87637abd456d750cd68fc651e429cc352cc5e17fda6bd974a9452037
SHA512

42aec53aa99c455ff0f13e1eb2d2fe32372ef07bf8742147f494542c7a56a30e53cdaa428ba2d2acd2d9e8d56f3e7f471a697e86f1905422309a374f859dc44a
SSDEEP

6144:IFw8wzBhaEUJ45mbS75gov65lvOrxRMiA4mhg6RHFl5GWdblky260BF6i5:IFszBhqS5mYCrvQRpA7hHeWd5c61i5

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/files/0x00080000000234d1-18.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	34d3e39b77b23344dec3fae6e5fda55e_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
3432	uharc.exe
996	svchost.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00090000000234d0-6.dat	upx
behavioral2/memory/3432-10-0x0000000000400000-0x0000000000492000-memory.dmp	upx
behavioral2/memory/3432-17-0x0000000000400000-0x0000000000492000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\V2011 = "C:\\WINDOWS\\V2011.exe"	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\V2011.exe	svchost.exe
File opened for modification	C:\WINDOWS\V2011.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2696	996	WerFault.exe	88

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
996	svchost.exe
996	svchost.exe
996	svchost.exe
996	svchost.exe
996	svchost.exe
996	svchost.exe
996	svchost.exe
996	svchost.exe
996	svchost.exe
996	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
996	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	996	svchost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 3432	2876	34d3e39b77b23344dec3fae6e5fda55e_JaffaCakes118.exe	86
PID 2876 wrote to memory of 3432	2876	34d3e39b77b23344dec3fae6e5fda55e_JaffaCakes118.exe	86
PID 2876 wrote to memory of 3432	2876	34d3e39b77b23344dec3fae6e5fda55e_JaffaCakes118.exe	86
PID 2876 wrote to memory of 996	2876	34d3e39b77b23344dec3fae6e5fda55e_JaffaCakes118.exe	88
PID 2876 wrote to memory of 996	2876	34d3e39b77b23344dec3fae6e5fda55e_JaffaCakes118.exe	88
PID 2876 wrote to memory of 996	2876	34d3e39b77b23344dec3fae6e5fda55e_JaffaCakes118.exe	88

C:\Users\Admin\AppData\Local\Temp\34d3e39b77b23344dec3fae6e5fda55e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\34d3e39b77b23344dec3fae6e5fda55e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\uharc.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\uharc.exe" e file.uha
  2⤵
  - Executes dropped EXE
  PID:3432
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:996
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 620
    3⤵
    - Program crash
    PID:2696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 996 -ip 996
1⤵
PID:540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\UHARC.exe

Filesize
108KB

MD5
50ce184e4cf489dac8b75a6023f67020

SHA1
7d407c0765e0cbfdd5e1e609f645f1673ec961d2

SHA256
e0baf423024a8cbc6d7ff66c8890f7b2835a801faa7244912c0181d6fe178388

SHA512
ae42fb065adceafa218c45862474d2e6d131a1f8620e9db2a8bd081b10a9059b9b5c5e6c9b104dead6e17d51d76c7dddb13d93248a0f617e181d5c469caf3e3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.uha

Filesize
85KB

MD5
fefd32bde7c83138621c449a9546b40c

SHA1
b9761504c9789c611f0d33fed649a499ca6784c4

SHA256
77041569ebee2147fa0a3c4535e5ea3160ca0e2907a01e87cb56de61a1dd691b

SHA512
4ba7772b9f4f4160b6530ccfb763ede91428f0f1c3425d0ed4147cbc352a821d07e6af8b0b1b4c32c6dfb240069663e14b29c988004335ccf7f22cc783515250

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\svchost.exe

Filesize
220KB

MD5
97dcdc232dc27eda676ab34afc42457f

SHA1
02f83b445f61de7fd60b2d2c51b946e6af49489a

SHA256
ae641a22edd9c372ff83f4e26bc1e624b0b9b4136c98e92590b115da18b6a7bb

SHA512
8e47ddc30b81cc0d60f527bc87f6373fe61d376d4582ad5285338102c489932aba9f6dab468587199bf47bf5db5b60f9a194577423bbbe467bfb725828959c0a

Download Submit
memory/3432-10-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/3432-17-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads