gh0strat | a5edb9b16066ce23ee708edb76a496ebe32d20638c3c7131893209fb615e9f06

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
11-07-2024 03:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3784650d6e2ee105f1b3d2ae90052e0a_JaffaCakes118.exe
Size

206KB
MD5

3784650d6e2ee105f1b3d2ae90052e0a
SHA1

ce3f6b0056fca8b259eb118403153b7e3517c859
SHA256

a5edb9b16066ce23ee708edb76a496ebe32d20638c3c7131893209fb615e9f06
SHA512

180166b7ff303931a79f89432eb4586643bfcebcc6737c62f0152be2dd4f721aeebd31f5d590ecca026ba742b34e95c09a33b34cfd80f48d8b938eb9cc063ec5
SSDEEP

6144:lsIt6nWEQgBTyPRqyhYPbOcTBlhHrNndnkv0y:69WEQJq8YPbOcT3Ul

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 10 IoCs

resource	yara_rule
behavioral2/memory/3956-0-0x0000000000400000-0x0000000000434000-memory.dmp	family_gh0strat
behavioral2/files/0x000800000002325a-4.dat	family_gh0strat
behavioral2/memory/3956-8-0x0000000000400000-0x0000000000434000-memory.dmp	family_gh0strat
behavioral2/memory/4788-7-0x0000000000400000-0x0000000000434000-memory.dmp	family_gh0strat
behavioral2/memory/4788-9-0x0000000000400000-0x0000000000434000-memory.dmp	family_gh0strat
behavioral2/files/0x0008000000023479-12.dat	family_gh0strat
behavioral2/memory/4788-14-0x0000000000400000-0x0000000000434000-memory.dmp	family_gh0strat
behavioral2/memory/2588-17-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/4824-22-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/1616-27-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
4788	cxvirengsv

Executes dropped EXE 1 IoCs

pid	Process
4788	cxvirengsv

Loads dropped DLL 3 IoCs

pid	Process
2588	svchost.exe
4824	svchost.exe
1616	svchost.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\pfjdtmuwjm	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\pnxwbpwtvi	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\pnxwbpwtvi	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\pvlpjsarjd	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1128	2588	WerFault.exe	86
2344	4824	WerFault.exe	90
3304	1616	WerFault.exe	93

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4788	cxvirengsv
4788	cxvirengsv

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	4788	cxvirengsv
Token: SeBackupPrivilege	4788	cxvirengsv
Token: SeBackupPrivilege	4788	cxvirengsv
Token: SeRestorePrivilege	4788	cxvirengsv
Token: SeBackupPrivilege	2588	svchost.exe
Token: SeRestorePrivilege	2588	svchost.exe
Token: SeBackupPrivilege	2588	svchost.exe
Token: SeBackupPrivilege	2588	svchost.exe
Token: SeSecurityPrivilege	2588	svchost.exe
Token: SeSecurityPrivilege	2588	svchost.exe
Token: SeBackupPrivilege	2588	svchost.exe
Token: SeBackupPrivilege	2588	svchost.exe
Token: SeSecurityPrivilege	2588	svchost.exe
Token: SeBackupPrivilege	2588	svchost.exe
Token: SeBackupPrivilege	2588	svchost.exe
Token: SeSecurityPrivilege	2588	svchost.exe
Token: SeBackupPrivilege	2588	svchost.exe
Token: SeRestorePrivilege	2588	svchost.exe
Token: SeBackupPrivilege	4824	svchost.exe
Token: SeRestorePrivilege	4824	svchost.exe
Token: SeBackupPrivilege	4824	svchost.exe
Token: SeBackupPrivilege	4824	svchost.exe
Token: SeSecurityPrivilege	4824	svchost.exe
Token: SeSecurityPrivilege	4824	svchost.exe
Token: SeBackupPrivilege	4824	svchost.exe
Token: SeBackupPrivilege	4824	svchost.exe
Token: SeSecurityPrivilege	4824	svchost.exe
Token: SeBackupPrivilege	4824	svchost.exe
Token: SeBackupPrivilege	4824	svchost.exe
Token: SeSecurityPrivilege	4824	svchost.exe
Token: SeBackupPrivilege	4824	svchost.exe
Token: SeRestorePrivilege	4824	svchost.exe
Token: SeBackupPrivilege	1616	svchost.exe
Token: SeRestorePrivilege	1616	svchost.exe
Token: SeBackupPrivilege	1616	svchost.exe
Token: SeBackupPrivilege	1616	svchost.exe
Token: SeSecurityPrivilege	1616	svchost.exe
Token: SeSecurityPrivilege	1616	svchost.exe
Token: SeBackupPrivilege	1616	svchost.exe
Token: SeBackupPrivilege	1616	svchost.exe
Token: SeSecurityPrivilege	1616	svchost.exe
Token: SeBackupPrivilege	1616	svchost.exe
Token: SeBackupPrivilege	1616	svchost.exe
Token: SeSecurityPrivilege	1616	svchost.exe
Token: SeBackupPrivilege	1616	svchost.exe
Token: SeRestorePrivilege	1616	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3956 wrote to memory of 4788	3956	3784650d6e2ee105f1b3d2ae90052e0a_JaffaCakes118.exe	85
PID 3956 wrote to memory of 4788	3956	3784650d6e2ee105f1b3d2ae90052e0a_JaffaCakes118.exe	85
PID 3956 wrote to memory of 4788	3956	3784650d6e2ee105f1b3d2ae90052e0a_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\3784650d6e2ee105f1b3d2ae90052e0a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3784650d6e2ee105f1b3d2ae90052e0a_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3956
- \??\c:\users\admin\appdata\local\cxvirengsv
  "C:\Users\Admin\AppData\Local\Temp\3784650d6e2ee105f1b3d2ae90052e0a_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\3784650d6e2ee105f1b3d2ae90052e0a_jaffacakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4788

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2588
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 1084
  2⤵
  - Program crash
  PID:1128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2588 -ip 2588
1⤵
PID:368

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4824
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 1104
  2⤵
  - Program crash
  PID:2344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4824 -ip 4824
1⤵
PID:3928

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1616
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 1100
  2⤵
  - Program crash
  PID:3304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1616 -ip 1616
1⤵
PID:5020

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\cxvirengsv

Filesize
19.2MB

MD5
c4922d997936c9bbf9c70c543343db7d

SHA1
549fe0aa22cdcb17660fdb0768802e4c00e76984

SHA256
7488a1cb7e71c5939cd84cffa92e6a31edcbc8ae4ed6d96c35bcdde181113ce3

SHA512
0de11197113886db9c1578390e4ec71366f099e6e2824f5f750edceb15b73ec139d322873f4322e35bb053ad3a82196b7e1cbfea3e97f250e973431c0106b493

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
201B

MD5
7613912ddaebdba625aed83d2e0d0fdf

SHA1
c3bbcfaa409d01b2f6cf5085c7ef045eb8dfb4b8

SHA256
8d7ed7e4bc2dd626abceb98dfabdfc516ba5abbfde049521a6f839ce32540aa3

SHA512
d04d4800334a9db96dbaf6b1f042af48c433bda96673fecf4daa753b78a3bf9cd2cc0aec74c89cce685be8a9bfdf85e4558b04753f09cc748182d40b04dda798

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
302B

MD5
df9951c239fff115b993c0109e41457e

SHA1
551ee528f6cce5bb6609e2dc5b737b03a45c3723

SHA256
1fa94e5b56423185bbedc1b7ffd35addcc19017173978de7c01a1520d132ee1d

SHA512
496ed4fd25c77223ea2f4eeb7796720f853a0522f249eb11962829ac3cc3ebdd622270857a980ae148f7b06f894c5b15e2853bbf732af0048383aa917cb3eee5

Download Submit
\??\c:\programdata\drm\%sessionname%\tjioe.cc3

Filesize
23.0MB

MD5
197cdd5344abf7fa3e172febadd87a59

SHA1
ba273daf677ef9afe8a1abd73ff30fc6d8614951

SHA256
b28bc2b10320152a3eed889f7463a72f2e22179a89f91683e3196e419b251728

SHA512
077f35e24f83ee2fb8155ae5cb29bdec9142a952bf9365b7b0fcc286c5736082f0daf9d5939516ba309ba0170c534847663ef62ede365efdc43a543f0b4984f6

Download Submit
memory/1616-27-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/1616-24-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/2588-15-0x0000000001CD0000-0x0000000001CD1000-memory.dmp

Filesize
4KB

Download
memory/2588-17-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/3956-1-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/3956-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3956-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4788-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4788-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4788-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4824-22-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4824-19-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download