gh0strat | 1b4dedf68df2f9dbc11d379e13d9171e83ccfe4aa87307749e7e75837f5a171f

Analysis

max time kernel
150s
max time network
127s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10/07/2024, 14:57

Target

353460cba8112c89e5f12205bccb7291_JaffaCakes118.exe
Size

5.0MB
MD5

353460cba8112c89e5f12205bccb7291
SHA1

240863a0f4daa9b7b9dbdbd55329694cd7c0f6d9
SHA256

1b4dedf68df2f9dbc11d379e13d9171e83ccfe4aa87307749e7e75837f5a171f
SHA512

a6ac12c03396e264e60fa4e5f7a00f132a9bd3465b21410692bbc5efa2ca334b3717c165ffc9c9b20a2e40c4755f7689c7ddcb12c02365d9a4db39f382f20446
SSDEEP

6144:Ex3hy2HYbRmb0EKmfC7Rfb4h00Lfb4h00q44g:Ex3hyYmmK9fsLfsmg

Score

10^/10

gh0strat rat

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000d0000000139f6-2.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
2768	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2208	RUNDLL32.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\temp0\QQ.exe	353460cba8112c89e5f12205bccb7291_JaffaCakes118.exe
File created	\??\c:\Program Files\WINDOWSS.INI	353460cba8112c89e5f12205bccb7291_JaffaCakes118.exe
File created	C:\Program Files\temp0\QQ.exe	353460cba8112c89e5f12205bccb7291_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2208	2324	353460cba8112c89e5f12205bccb7291_JaffaCakes118.exe	30
PID 2324 wrote to memory of 2208	2324	353460cba8112c89e5f12205bccb7291_JaffaCakes118.exe	30
PID 2324 wrote to memory of 2208	2324	353460cba8112c89e5f12205bccb7291_JaffaCakes118.exe	30
PID 2324 wrote to memory of 2208	2324	353460cba8112c89e5f12205bccb7291_JaffaCakes118.exe	30
PID 2324 wrote to memory of 2208	2324	353460cba8112c89e5f12205bccb7291_JaffaCakes118.exe	30
PID 2324 wrote to memory of 2208	2324	353460cba8112c89e5f12205bccb7291_JaffaCakes118.exe	30
PID 2324 wrote to memory of 2208	2324	353460cba8112c89e5f12205bccb7291_JaffaCakes118.exe	30
PID 2324 wrote to memory of 2768	2324	353460cba8112c89e5f12205bccb7291_JaffaCakes118.exe	32
PID 2324 wrote to memory of 2768	2324	353460cba8112c89e5f12205bccb7291_JaffaCakes118.exe	32
PID 2324 wrote to memory of 2768	2324	353460cba8112c89e5f12205bccb7291_JaffaCakes118.exe	32
PID 2324 wrote to memory of 2768	2324	353460cba8112c89e5f12205bccb7291_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\353460cba8112c89e5f12205bccb7291_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\353460cba8112c89e5f12205bccb7291_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\SysWOW64\RUNDLL32.exe
  RUNDLL32 "c:\Program Files\WINDOWSS.INI" main
  2⤵
  - Loads dropped DLL
  PID:2208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c afc9fe2f418b00a0.bat
  2⤵
  - Deletes itself
  PID:2768

C:\Users\Admin\AppData\Local\Temp\afc9fe2f418b00a0.bat

Filesize
2KB

MD5
0de9cd045b4643ff552c48920422e07f

SHA1
a8a4befa17cbdd72d057e6a72e0182cc1d4b2650

SHA256
d4f6f97070eebe1c2ec0c8cf952479335505d40b5c0183cb70c1783bd2821417

SHA512
434c2572c0acc0d0c7d167ab2f41b49656a5c557f299cad618e63f1b58d79ccb36bba77410d7c1f6c74a5999a284ef7564308c830b96856b73fd6e9f7cc39077

Download Submit
\??\c:\Program Files\WINDOWSS.INI

Filesize
10.3MB

MD5
4bb1e15c1105d842397f3cfc460ad734

SHA1
abee0eb1928b9fbc7cba8321a3db0f909b52f68a

SHA256
75715077634803e7da1cb89febfb179cd60cbf9f5f201dba284bbfd82101b2c4

SHA512
690f9dfdd6fb40504e49c405d50ebdb38531f1543ddd51433c161e7a6b4489e5118d2f78daecd8026a26f16d674a105a9fa1d1b2cb1051833650c4d0a4e10823

Download Submit