gh0strat | ce3a9db1b6123956acf0ede920bb024bd91a6f6a174cf1473935f1b6b0e0b185

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
12/07/2024, 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e8574f66a35ae0b578c6576086cc3a3_JaffaCakes118.exe
Size

546KB
MD5

3e8574f66a35ae0b578c6576086cc3a3
SHA1

d8e4b9c01b299121e9f1e07bb4a11d213e2c0b72
SHA256

ce3a9db1b6123956acf0ede920bb024bd91a6f6a174cf1473935f1b6b0e0b185
SHA512

b7a363945cd9cde2e71f528a2031ff2ea18c1b913e4aa2ba26cb0023b46044a36b05438c6ac5f7cc2cffae88d2dc4aaa3637f655f3c94bc6c5c94004458c887f
SSDEEP

12288:wXXGxu5d+qPqQgXenGiqNeBcGyF3Z4mxxBSuCd6ZYyZOk:wXXnZPkI5wWAQmXBSuCdcROk

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000012029-44.dat	family_gh0strat
behavioral1/memory/2428-53-0x0000000000400000-0x00000000004EE000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Drivers\beep.sys	3e8574f66a35ae0b578c6576086cc3a3_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\beep.sys	svchost.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibilityex.dll"	3e8574f66a35ae0b578c6576086cc3a3_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2876	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2428	3e8574f66a35ae0b578c6576086cc3a3_JaffaCakes118.exe
2876	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibilityex.dll	3e8574f66a35ae0b578c6576086cc3a3_JaffaCakes118.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
472	Process not Found
472	Process not Found

C:\Users\Admin\AppData\Local\Temp\3e8574f66a35ae0b578c6576086cc3a3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3e8574f66a35ae0b578c6576086cc3a3_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Server Software Component: Terminal Services DLL
- Loads dropped DLL
- Drops file in System32 directory
PID:2428

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Drops file in Drivers directory
- Deletes itself
- Loads dropped DLL
PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\install.tmp

Filesize
84B

MD5
102bee0eff5104a35021408e15f58010

SHA1
79e6f1cc4a466a8a66b0169807e2807290506ac7

SHA256
5b1c58d085f557e322af9d011e3e1f04e0034de9dd92a0a99cf66ef850daff1a

SHA512
2211d63ff7b77df42ff183a76c06c3453fb9c9128a22d0e7dad2d72b0e46f0298757852aab0071eabc9e736fd43a19c5d7f733943e3e181254246bb9e9e13136

Download Submit
\Users\Admin\AppData\Local\Temp\dll.tmp

Filesize
95KB

MD5
d540965c376044e0c1a358e703e9ea8f

SHA1
dc7c0dde91e53817799705a2568edd1477b2a799

SHA256
2b1de12452521fb16ad6e3d909347d4f8c408fc1f88b4128d6ca5064e3c43f90

SHA512
2b4995a700ac1ea0508f88a9f65a76a4ca12e81e1c47a435ff7e1d32e6357214b8f5c0aedc7af88445a752376a6a805df6bdd35a03bd3a5c56ff5b85e3f73449

Download Submit
memory/2428-20-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2428-18-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/2428-38-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2428-37-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/2428-36-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/2428-35-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/2428-34-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/2428-33-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/2428-32-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/2428-31-0x0000000001E10000-0x0000000001E11000-memory.dmp

Filesize
4KB

Download
memory/2428-30-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/2428-29-0x0000000001F70000-0x0000000001F71000-memory.dmp

Filesize
4KB

Download
memory/2428-28-0x0000000001F80000-0x0000000001F81000-memory.dmp

Filesize
4KB

Download
memory/2428-27-0x0000000001C90000-0x0000000001C91000-memory.dmp

Filesize
4KB

Download
memory/2428-26-0x0000000001E00000-0x0000000001E01000-memory.dmp

Filesize
4KB

Download
memory/2428-25-0x0000000001F90000-0x0000000001F91000-memory.dmp

Filesize
4KB

Download
memory/2428-24-0x0000000001E20000-0x0000000001E21000-memory.dmp

Filesize
4KB

Download
memory/2428-19-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/2428-22-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2428-21-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2428-39-0x0000000001F60000-0x0000000001F61000-memory.dmp

Filesize
4KB

Download
memory/2428-0-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2428-23-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2428-17-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/2428-16-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/2428-15-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/2428-14-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/2428-13-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/2428-12-0x0000000001C70000-0x0000000001C71000-memory.dmp

Filesize
4KB

Download
memory/2428-11-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/2428-10-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/2428-9-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/2428-8-0x0000000001C40000-0x0000000001C41000-memory.dmp

Filesize
4KB

Download
memory/2428-7-0x0000000001C50000-0x0000000001C51000-memory.dmp

Filesize
4KB

Download
memory/2428-6-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2428-5-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2428-4-0x0000000001C60000-0x0000000001C61000-memory.dmp

Filesize
4KB

Download
memory/2428-3-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2428-2-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/2428-40-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2428-54-0x0000000001CA0000-0x0000000001CF4000-memory.dmp

Filesize
336KB

Download
memory/2428-53-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2428-1-0x0000000001CA0000-0x0000000001CF4000-memory.dmp

Filesize
336KB

Download