gh0strat | 1b4dedf68df2f9dbc11d379e13d9171e83ccfe4aa87307749e7e75837f5a171f

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 14:57

Target

353460cba8112c89e5f12205bccb7291_JaffaCakes118.exe
Size

5.0MB
MD5

353460cba8112c89e5f12205bccb7291
SHA1

240863a0f4daa9b7b9dbdbd55329694cd7c0f6d9
SHA256

1b4dedf68df2f9dbc11d379e13d9171e83ccfe4aa87307749e7e75837f5a171f
SHA512

a6ac12c03396e264e60fa4e5f7a00f132a9bd3465b21410692bbc5efa2ca334b3717c165ffc9c9b20a2e40c4755f7689c7ddcb12c02365d9a4db39f382f20446
SSDEEP

6144:Ex3hy2HYbRmb0EKmfC7Rfb4h00Lfb4h00q44g:Ex3hyYmmK9fsLfsmg

Score

10^/10

gh0strat rat

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/files/0x00090000000233ff-2.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Loads dropped DLL 1 IoCs

pid	Process
4232	RUNDLL32.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\temp0\QQ.exe	353460cba8112c89e5f12205bccb7291_JaffaCakes118.exe
File created	\??\c:\Program Files\WINDOWSS.INI	353460cba8112c89e5f12205bccb7291_JaffaCakes118.exe
File created	C:\Program Files\temp0\QQ.exe	353460cba8112c89e5f12205bccb7291_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3348 wrote to memory of 4232	3348	353460cba8112c89e5f12205bccb7291_JaffaCakes118.exe	84
PID 3348 wrote to memory of 4232	3348	353460cba8112c89e5f12205bccb7291_JaffaCakes118.exe	84
PID 3348 wrote to memory of 4232	3348	353460cba8112c89e5f12205bccb7291_JaffaCakes118.exe	84
PID 3348 wrote to memory of 2240	3348	353460cba8112c89e5f12205bccb7291_JaffaCakes118.exe	88
PID 3348 wrote to memory of 2240	3348	353460cba8112c89e5f12205bccb7291_JaffaCakes118.exe	88
PID 3348 wrote to memory of 2240	3348	353460cba8112c89e5f12205bccb7291_JaffaCakes118.exe	88

C:\Users\Admin\AppData\Local\Temp\353460cba8112c89e5f12205bccb7291_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\353460cba8112c89e5f12205bccb7291_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3348
- C:\Windows\SysWOW64\RUNDLL32.exe
  RUNDLL32 "c:\Program Files\WINDOWSS.INI" main
  2⤵
  - Loads dropped DLL
  PID:4232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c afc9fe2f418b00a0.bat
  2⤵
  PID:2240

C:\Users\Admin\AppData\Local\Temp\afc9fe2f418b00a0.bat

Filesize
2KB

MD5
0de9cd045b4643ff552c48920422e07f

SHA1
a8a4befa17cbdd72d057e6a72e0182cc1d4b2650

SHA256
d4f6f97070eebe1c2ec0c8cf952479335505d40b5c0183cb70c1783bd2821417

SHA512
434c2572c0acc0d0c7d167ab2f41b49656a5c557f299cad618e63f1b58d79ccb36bba77410d7c1f6c74a5999a284ef7564308c830b96856b73fd6e9f7cc39077

Download Submit
\??\c:\Program Files\WINDOWSS.INI

Filesize
10.3MB

MD5
32dec844be4dce622e19fb43a014e195

SHA1
ec926c47bd465f3edea28b45b379ef73161c429f

SHA256
443ddd881e639eae1847faec3191674a1e96b9f75ccd44ad073f6526acccd19c

SHA512
22678ad31fd91522f961183c8b7fe3d0315d99584086bb4d59e006badb5c74ec2a5007330b6474c4e2fb670952befd7c6a3222d29ed0d7f9129a5d87e48ba11c

Download Submit