gh0strat | 43f11071c4daab524a15b25ba76ba88acc1c9c110adb68297035e0e5cc131304

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13/07/2024, 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42b183d4f5000dda34f64ac3a86b5b1f_JaffaCakes118.exe
Size

92KB
MD5

42b183d4f5000dda34f64ac3a86b5b1f
SHA1

9ee78a188546dae9fbc3a232450d46fce61666e8
SHA256

43f11071c4daab524a15b25ba76ba88acc1c9c110adb68297035e0e5cc131304
SHA512

44af7c2d4d1cfb5a09aa7a1b6bed952b5b733ecfe2cf3427252d0c12ea45a925049fad53c075ad9020520bb09c8fb169d74be96232669e14eace1e96709ea5da
SSDEEP

1536:qnsRgcbyf+I8b7oGVaeI6eKBaDRWlsD3w7ggthpJ4+KhZGHAqS/+:qsRgAE+I8bdVasBiEGEEkhpEh0gqS/+

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0008000000012115-10.dat	family_gh0strat
behavioral1/memory/2208-11-0x0000000000140000-0x000000000015D000-memory.dmp	family_gh0strat
behavioral1/memory/2952-16-0x0000000000160000-0x000000000017D000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\Iprlp.dll"	rundll32.exe

Deletes itself 1 IoCs

pid	Process
2208	rundll32.exe

Loads dropped DLL 5 IoCs

pid	Process
2208	rundll32.exe
2208	rundll32.exe
2208	rundll32.exe
2208	rundll32.exe
2952	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kb220708.dat	42b183d4f5000dda34f64ac3a86b5b1f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Iprlp.dll	42b183d4f5000dda34f64ac3a86b5b1f_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2952	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2952	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2252	42b183d4f5000dda34f64ac3a86b5b1f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 2208	2252	42b183d4f5000dda34f64ac3a86b5b1f_JaffaCakes118.exe	30
PID 2252 wrote to memory of 2208	2252	42b183d4f5000dda34f64ac3a86b5b1f_JaffaCakes118.exe	30
PID 2252 wrote to memory of 2208	2252	42b183d4f5000dda34f64ac3a86b5b1f_JaffaCakes118.exe	30
PID 2252 wrote to memory of 2208	2252	42b183d4f5000dda34f64ac3a86b5b1f_JaffaCakes118.exe	30
PID 2252 wrote to memory of 2208	2252	42b183d4f5000dda34f64ac3a86b5b1f_JaffaCakes118.exe	30
PID 2252 wrote to memory of 2208	2252	42b183d4f5000dda34f64ac3a86b5b1f_JaffaCakes118.exe	30
PID 2252 wrote to memory of 2208	2252	42b183d4f5000dda34f64ac3a86b5b1f_JaffaCakes118.exe	30
PID 2952 wrote to memory of 1192	2952	svchost.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\42b183d4f5000dda34f64ac3a86b5b1f_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\42b183d4f5000dda34f64ac3a86b5b1f_JaffaCakes118.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\system32\Iprlp.dll", Install C:\Users\Admin\AppData\Local\Temp\42b183d4f5000dda34f64ac3a86b5b1f_JaffaCakes118.exe
    3⤵
    - Server Software Component: Terminal Services DLL
    - Deletes itself
    - Loads dropped DLL
    PID:2208

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Iprlp.dll

Filesize
20KB

MD5
28fec6969970867778e1f24442fcc5ca

SHA1
82a468f977738a71aeab05b14dde92d64569d20a

SHA256
e049f698b9bead2a137d6b156c8964e073c0a966e3d0069e1c08087d832a3d67

SHA512
de80b0ef92d876cc557a61af2988a613ad953fe22238be50290575068b770378a0edc9f1201e01cb048cb420049507c19356760c0fc5a214b48f87efaaa18bc3

Download Submit
C:\Windows\SysWOW64\kb220708.dat

Filesize
98KB

MD5
80e2313f0e5ce7e50154c52475f21a0e

SHA1
c102327ca4b631dd3fec0cce1fd766875beb2307

SHA256
3a018bfb7a06fece609b59bf408dcdfdcc7a0f1c759980726d3f0d7b07d86d5d

SHA512
fccef449731932ccc65fb22df8b488f7d7c562becd618153e02ec54f61dc2fbe4a0ae62a810b7988a6478f43abfa4afdd75ebb3f83938b218619fccb4992ce12

Download Submit
memory/1192-21-0x0000000002980000-0x0000000002981000-memory.dmp

Filesize
4KB

Download
memory/2208-11-0x0000000000140000-0x000000000015D000-memory.dmp

Filesize
116KB

Download
memory/2952-16-0x0000000000160000-0x000000000017D000-memory.dmp

Filesize
116KB

Download