gh0strat | 3798aa4390f2bb172d0e30851bddc3c4a5885f3bfcffe1f4486b49bd46d966d8

Analysis

max time kernel
26s
max time network
34s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
12/07/2024, 07:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3c8168e216232d0f540bf5e6339be6c5_JaffaCakes118.exe
Size

150KB
MD5

3c8168e216232d0f540bf5e6339be6c5
SHA1

f41598182b4247eca62d912c3e8c6a6620ca7206
SHA256

3798aa4390f2bb172d0e30851bddc3c4a5885f3bfcffe1f4486b49bd46d966d8
SHA512

5c9945b0e56590539f8518f5e083e9666cdd8155ced2f556bc52553ff7fcc25ef2c83b4e0696c36aaf6d37b7b176c1319f263da5fce5fd3582af49a5a9fc9b29
SSDEEP

3072:/VhUTNt0TSmLGkhjKXFvIGk6H0ydpZTr5iSTNL9cEVz3CiODcRwZl:dkt0TSZkhWVvI+UupZTr5iSVrLmcE

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/2284-19-0x0000000000400000-0x0000000000430000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
2640	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2284	ind4412.tmp
1616	inl802A.tmp

Loads dropped DLL 3 IoCs

pid	Process
2240	3c8168e216232d0f540bf5e6339be6c5_JaffaCakes118.exe
1336	cmd.exe
1336	cmd.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\loader.dll	ind4412.tmp
File created	C:\Program Files\Common Files\lanmao.dll	ind4412.tmp

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Installer\f78822b.msi	msiexec.exe
File created	C:\Windows\Installer\f788230.msi	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\Installer\f78822e.ipi	msiexec.exe
File created	C:\WINDOWS\vbcfg.ini	ind4412.tmp
File opened for modification	C:\Windows\Installer\f78822b.msi	msiexec.exe
File created	C:\Windows\Installer\f78822e.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8611.tmp	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2240	3c8168e216232d0f540bf5e6339be6c5_JaffaCakes118.exe
2732	msiexec.exe
2732	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2636	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2636	msiexec.exe
Token: SeRestorePrivilege	2732	msiexec.exe
Token: SeTakeOwnershipPrivilege	2732	msiexec.exe
Token: SeSecurityPrivilege	2732	msiexec.exe
Token: SeCreateTokenPrivilege	2636	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2636	msiexec.exe
Token: SeLockMemoryPrivilege	2636	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2636	msiexec.exe
Token: SeMachineAccountPrivilege	2636	msiexec.exe
Token: SeTcbPrivilege	2636	msiexec.exe
Token: SeSecurityPrivilege	2636	msiexec.exe
Token: SeTakeOwnershipPrivilege	2636	msiexec.exe
Token: SeLoadDriverPrivilege	2636	msiexec.exe
Token: SeSystemProfilePrivilege	2636	msiexec.exe
Token: SeSystemtimePrivilege	2636	msiexec.exe
Token: SeProfSingleProcessPrivilege	2636	msiexec.exe
Token: SeIncBasePriorityPrivilege	2636	msiexec.exe
Token: SeCreatePagefilePrivilege	2636	msiexec.exe
Token: SeCreatePermanentPrivilege	2636	msiexec.exe
Token: SeBackupPrivilege	2636	msiexec.exe
Token: SeRestorePrivilege	2636	msiexec.exe
Token: SeShutdownPrivilege	2636	msiexec.exe
Token: SeDebugPrivilege	2636	msiexec.exe
Token: SeAuditPrivilege	2636	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2636	msiexec.exe
Token: SeChangeNotifyPrivilege	2636	msiexec.exe
Token: SeRemoteShutdownPrivilege	2636	msiexec.exe
Token: SeUndockPrivilege	2636	msiexec.exe
Token: SeSyncAgentPrivilege	2636	msiexec.exe
Token: SeEnableDelegationPrivilege	2636	msiexec.exe
Token: SeManageVolumePrivilege	2636	msiexec.exe
Token: SeImpersonatePrivilege	2636	msiexec.exe
Token: SeCreateGlobalPrivilege	2636	msiexec.exe
Token: SeRestorePrivilege	2732	msiexec.exe
Token: SeTakeOwnershipPrivilege	2732	msiexec.exe
Token: SeRestorePrivilege	2732	msiexec.exe
Token: SeTakeOwnershipPrivilege	2732	msiexec.exe
Token: SeIncBasePriorityPrivilege	2240	3c8168e216232d0f540bf5e6339be6c5_JaffaCakes118.exe
Token: SeRestorePrivilege	2732	msiexec.exe
Token: SeTakeOwnershipPrivilege	2732	msiexec.exe
Token: SeRestorePrivilege	2732	msiexec.exe
Token: SeTakeOwnershipPrivilege	2732	msiexec.exe
Token: SeRestorePrivilege	2732	msiexec.exe
Token: SeTakeOwnershipPrivilege	2732	msiexec.exe
Token: SeRestorePrivilege	2732	msiexec.exe
Token: SeTakeOwnershipPrivilege	2732	msiexec.exe
Token: SeRestorePrivilege	2732	msiexec.exe
Token: SeTakeOwnershipPrivilege	2732	msiexec.exe
Token: SeRestorePrivilege	2732	msiexec.exe
Token: SeTakeOwnershipPrivilege	2732	msiexec.exe
Token: SeRestorePrivilege	2732	msiexec.exe
Token: SeTakeOwnershipPrivilege	2732	msiexec.exe
Token: SeRestorePrivilege	2732	msiexec.exe
Token: SeTakeOwnershipPrivilege	2732	msiexec.exe
Token: SeRestorePrivilege	2732	msiexec.exe
Token: SeTakeOwnershipPrivilege	2732	msiexec.exe
Token: SeRestorePrivilege	2732	msiexec.exe
Token: SeTakeOwnershipPrivilege	2732	msiexec.exe
Token: SeRestorePrivilege	2732	msiexec.exe
Token: SeTakeOwnershipPrivilege	2732	msiexec.exe
Token: SeRestorePrivilege	2732	msiexec.exe
Token: SeTakeOwnershipPrivilege	2732	msiexec.exe
Token: SeRestorePrivilege	2732	msiexec.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2284	2240	3c8168e216232d0f540bf5e6339be6c5_JaffaCakes118.exe	28
PID 2240 wrote to memory of 2284	2240	3c8168e216232d0f540bf5e6339be6c5_JaffaCakes118.exe	28
PID 2240 wrote to memory of 2284	2240	3c8168e216232d0f540bf5e6339be6c5_JaffaCakes118.exe	28
PID 2240 wrote to memory of 2284	2240	3c8168e216232d0f540bf5e6339be6c5_JaffaCakes118.exe	28
PID 2240 wrote to memory of 2284	2240	3c8168e216232d0f540bf5e6339be6c5_JaffaCakes118.exe	28
PID 2240 wrote to memory of 2284	2240	3c8168e216232d0f540bf5e6339be6c5_JaffaCakes118.exe	28
PID 2240 wrote to memory of 2284	2240	3c8168e216232d0f540bf5e6339be6c5_JaffaCakes118.exe	28
PID 2240 wrote to memory of 2636	2240	3c8168e216232d0f540bf5e6339be6c5_JaffaCakes118.exe	29
PID 2240 wrote to memory of 2636	2240	3c8168e216232d0f540bf5e6339be6c5_JaffaCakes118.exe	29
PID 2240 wrote to memory of 2636	2240	3c8168e216232d0f540bf5e6339be6c5_JaffaCakes118.exe	29
PID 2240 wrote to memory of 2636	2240	3c8168e216232d0f540bf5e6339be6c5_JaffaCakes118.exe	29
PID 2240 wrote to memory of 2636	2240	3c8168e216232d0f540bf5e6339be6c5_JaffaCakes118.exe	29
PID 2240 wrote to memory of 2636	2240	3c8168e216232d0f540bf5e6339be6c5_JaffaCakes118.exe	29
PID 2240 wrote to memory of 2636	2240	3c8168e216232d0f540bf5e6339be6c5_JaffaCakes118.exe	29
PID 2240 wrote to memory of 1336	2240	3c8168e216232d0f540bf5e6339be6c5_JaffaCakes118.exe	31
PID 2240 wrote to memory of 1336	2240	3c8168e216232d0f540bf5e6339be6c5_JaffaCakes118.exe	31
PID 2240 wrote to memory of 1336	2240	3c8168e216232d0f540bf5e6339be6c5_JaffaCakes118.exe	31
PID 2240 wrote to memory of 1336	2240	3c8168e216232d0f540bf5e6339be6c5_JaffaCakes118.exe	31
PID 2240 wrote to memory of 2768	2240	3c8168e216232d0f540bf5e6339be6c5_JaffaCakes118.exe	33
PID 2240 wrote to memory of 2768	2240	3c8168e216232d0f540bf5e6339be6c5_JaffaCakes118.exe	33
PID 2240 wrote to memory of 2768	2240	3c8168e216232d0f540bf5e6339be6c5_JaffaCakes118.exe	33
PID 2240 wrote to memory of 2768	2240	3c8168e216232d0f540bf5e6339be6c5_JaffaCakes118.exe	33
PID 2240 wrote to memory of 2640	2240	3c8168e216232d0f540bf5e6339be6c5_JaffaCakes118.exe	35
PID 2240 wrote to memory of 2640	2240	3c8168e216232d0f540bf5e6339be6c5_JaffaCakes118.exe	35
PID 2240 wrote to memory of 2640	2240	3c8168e216232d0f540bf5e6339be6c5_JaffaCakes118.exe	35
PID 2240 wrote to memory of 2640	2240	3c8168e216232d0f540bf5e6339be6c5_JaffaCakes118.exe	35
PID 2768 wrote to memory of 2508	2768	cmd.exe	37
PID 2768 wrote to memory of 2508	2768	cmd.exe	37
PID 2768 wrote to memory of 2508	2768	cmd.exe	37
PID 2768 wrote to memory of 2508	2768	cmd.exe	37
PID 1336 wrote to memory of 1616	1336	cmd.exe	38
PID 1336 wrote to memory of 1616	1336	cmd.exe	38
PID 1336 wrote to memory of 1616	1336	cmd.exe	38
PID 1336 wrote to memory of 1616	1336	cmd.exe	38
PID 2732 wrote to memory of 2820	2732	msiexec.exe	39
PID 2732 wrote to memory of 2820	2732	msiexec.exe	39
PID 2732 wrote to memory of 2820	2732	msiexec.exe	39
PID 2732 wrote to memory of 2820	2732	msiexec.exe	39
PID 2732 wrote to memory of 2820	2732	msiexec.exe	39
PID 2732 wrote to memory of 2820	2732	msiexec.exe	39
PID 2732 wrote to memory of 2820	2732	msiexec.exe	39
PID 1616 wrote to memory of 1632	1616	inl802A.tmp	41
PID 1616 wrote to memory of 1632	1616	inl802A.tmp	41
PID 1616 wrote to memory of 1632	1616	inl802A.tmp	41
PID 1616 wrote to memory of 1632	1616	inl802A.tmp	41

C:\Users\Admin\AppData\Local\Temp\3c8168e216232d0f540bf5e6339be6c5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3c8168e216232d0f540bf5e6339be6c5_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Users\Admin\AppData\Local\Temp\ind4412.tmp
  C:\Users\Admin\AppData\Local\Temp\ind4412.tmp
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:2284
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\INS7C1~1.INI /quiet
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  PID:2636
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1336
- - C:\Users\Admin\AppData\Local\Temp\inl802A.tmp
    C:\Users\Admin\AppData\Local\Temp\inl802A.tmp cdf1912.tmp
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1616
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inl802A.tmp > nul
      4⤵
      PID:1632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\SysWOW64\expand.exe
    expand.exe "C:\Users\Admin\AppData\Local\Temp\favorites_url.cab" -F:*.* "C:\Users\Admin\Favorites"
    3⤵
    - Drops file in Windows directory
    PID:2508
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\3C8168~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2640

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding ADA159E181B1712456CF225FA78CBB5C
  2⤵
  PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f78822f.rbs

Filesize
7KB

MD5
69e982a5ea89d4f9b3896c56f3b53b36

SHA1
c128889e352a78593abd34cd8928d3bf08184d5b

SHA256
7bfb39501a334d4962777e307a395595ad40d9b9cdaa8b06e87ac31bb9566a76

SHA512
54def1743b0a1817944be18375ef9eac5015f8dedba0f2369cdb206bd456b532612d7038b0a07a159bc266ae8b5ceb8536fab2109280024434a9de0e8aa6b873

Download Submit
C:\Users\Admin\AppData\Local\Temp\INS7C1~1.INI

Filesize
66KB

MD5
7688bba71012e1a418599052ed97c1b3

SHA1
a1ebc578227e1feb586585b832d70ce6e2d83a3e

SHA256
fd8c6ca059680d1d238928c43015997b3d7bd7cab439b2dbd8eb0cd87ee5c7fd

SHA512
7d772e22d9fe27de4bf8fa700fb6785eed8a863a472cd858630d7292a970ee053e5a17f3f804ba5140d2875fabe9bbf22c5ce498f27ad2093c74445cb771ff80

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp

Filesize
765B

MD5
a4a4219ce5fdbaf2864b04ca4e453ac9

SHA1
98bf1383e8b2f4db0388ee139ae7fe06ff7a67a9

SHA256
7ce64a6d79d1772713cf59d6575aec39f9fa00690d4c84cd2f160081b0d412c6

SHA512
22f5668719a58a4c1692ceb8aae48af9d5a53527d96431410587fa1f3f67ec9b5f0660c87fa9d931343e1be9b0f56f03c3fcd431cc2d67b104450b2ef792baa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat

Filesize
57B

MD5
0283678210c80bbd28d5fd4fd34c1c5e

SHA1
19c586516b157f916bac043bdf52eb1567c63b65

SHA256
e26956aed1af4508011e51e0c9cd74c46f6e93a5e6527aab6003ee91e26695e7

SHA512
3da2ea8772c9ce073de51001769b0e575b59ab1a25f7d12e4c68f31653d62fd66cfd8e84409e155a89993227543d342253b986fd1d2b3c7f50428256ec900d17

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat

Filesize
98B

MD5
8663de6fce9208b795dc913d1a6a3f5b

SHA1
882193f208cf012eaf22eeaa4fef3b67e7c67c15

SHA256
2909ea8555f2fc19097c1070a1da8fcfd6dc6886aa1d99d7e0c05e53feeb5b61

SHA512
9381063e0f85e874be54ae22675393b82c6ab54b223090148e4acbeff6f22393c96c90b83d6538461b695528af01d1f1231cf5dc719f07d6168386974b490688

Download Submit
\??\c:\users\admin\appdata\local\temp\favorites_url.cab

Filesize
425B

MD5
da68bc3b7c3525670a04366bc55629f5

SHA1
15fda47ecfead7db8f7aee6ca7570138ba7f1b71

SHA256
73f3605192b676c92649034768378909a19d13883a7ea6f8ba1b096c78ffadb5

SHA512
6fee416affcb6a74621479697bca6f14f5429b00de3aa595abe3c60c6b2e094877b59f8783bbe7bdd567fa565d0630bb02def5603f8f0ea92fe8f2c3ac5383c0

Download Submit
memory/1616-95-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2240-48-0x00000000045C0000-0x00000000045D0000-memory.dmp

Filesize
64KB

Download
memory/2240-21-0x00000000045C0000-0x00000000045D0000-memory.dmp

Filesize
64KB

Download
memory/2240-17-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2240-2-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2240-47-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2240-8-0x0000000000440000-0x0000000000470000-memory.dmp

Filesize
192KB

Download
memory/2240-1-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2284-19-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2284-13-0x0000000000250000-0x0000000000252000-memory.dmp

Filesize
8KB

Download
memory/2284-12-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download