gh0strat | b2929fc99779079c4b7d288302802fbd95c755ba94e814003b4725efa6cb2f2a

Analysis

max time kernel
148s
max time network
153s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
14/07/2024, 07:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44da70d93e4832bcda8c41bab15f7981_JaffaCakes118.exe
Size

516KB
MD5

44da70d93e4832bcda8c41bab15f7981
SHA1

366dde236c920095a227b7b8b0c173c91419150c
SHA256

b2929fc99779079c4b7d288302802fbd95c755ba94e814003b4725efa6cb2f2a
SHA512

818c807c1f040d144011d9466dbc36afb086407ed5bef7baef9fb1e4e0dbbb045f06cc3369bfabe27930f4dabb46fb28954ceee134b6c316abd2b6743ceacdf8
SSDEEP

6144:J00geEaFb79FR1eTboMMnIroSe5Kvf8QLBBzAM+GuN8QpKPiTcVZQY:J00geEaF1L5tSeMlLbzL+jkP

Score

10^/10

gh0strat bootkit persistence rat

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral1/files/0x0009000000016d6c-21.dat	family_gh0strat
behavioral1/memory/2648-29-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral1/memory/2080-30-0x0000000000400000-0x0000000000479000-memory.dmp	family_gh0strat
behavioral1/memory/2080-49-0x0000000000400000-0x0000000000479000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
2300	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2648	qiuqi0.exe
2548	qiuqi0.exe

Loads dropped DLL 11 IoCs

pid	Process
2080	44da70d93e4832bcda8c41bab15f7981_JaffaCakes118.exe
2648	qiuqi0.exe
2648	qiuqi0.exe
2648	qiuqi0.exe
2648	qiuqi0.exe
2648	qiuqi0.exe
2648	qiuqi0.exe
2080	44da70d93e4832bcda8c41bab15f7981_JaffaCakes118.exe
2548	qiuqi0.exe
2548	qiuqi0.exe
2548	qiuqi0.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	qiuqi0.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\maoma0.dll	44da70d93e4832bcda8c41bab15f7981_JaffaCakes118.exe
File created	C:\Program Files\Common Files\qiuqi0.dll	44da70d93e4832bcda8c41bab15f7981_JaffaCakes118.exe
File created	C:\Program Files\Common Files\qiuqi0.exe	44da70d93e4832bcda8c41bab15f7981_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\qiuqi0.exe	44da70d93e4832bcda8c41bab15f7981_JaffaCakes118.exe
File created	C:\Program Files\Common Files\qiuqi0.bat	44da70d93e4832bcda8c41bab15f7981_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	qiuqi0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	qiuqi0.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\InProcServer32	qiuqi0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	qiuqi0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{603D3801-BD81-11d0-A3A5-00C04FD706EC}	qiuqi0.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2648	qiuqi0.exe
2648	qiuqi0.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2648	2080	44da70d93e4832bcda8c41bab15f7981_JaffaCakes118.exe	30
PID 2080 wrote to memory of 2648	2080	44da70d93e4832bcda8c41bab15f7981_JaffaCakes118.exe	30
PID 2080 wrote to memory of 2648	2080	44da70d93e4832bcda8c41bab15f7981_JaffaCakes118.exe	30
PID 2080 wrote to memory of 2648	2080	44da70d93e4832bcda8c41bab15f7981_JaffaCakes118.exe	30
PID 2080 wrote to memory of 2648	2080	44da70d93e4832bcda8c41bab15f7981_JaffaCakes118.exe	30
PID 2080 wrote to memory of 2648	2080	44da70d93e4832bcda8c41bab15f7981_JaffaCakes118.exe	30
PID 2080 wrote to memory of 2648	2080	44da70d93e4832bcda8c41bab15f7981_JaffaCakes118.exe	30
PID 2080 wrote to memory of 2548	2080	44da70d93e4832bcda8c41bab15f7981_JaffaCakes118.exe	31
PID 2080 wrote to memory of 2548	2080	44da70d93e4832bcda8c41bab15f7981_JaffaCakes118.exe	31
PID 2080 wrote to memory of 2548	2080	44da70d93e4832bcda8c41bab15f7981_JaffaCakes118.exe	31
PID 2080 wrote to memory of 2548	2080	44da70d93e4832bcda8c41bab15f7981_JaffaCakes118.exe	31
PID 2080 wrote to memory of 2548	2080	44da70d93e4832bcda8c41bab15f7981_JaffaCakes118.exe	31
PID 2080 wrote to memory of 2548	2080	44da70d93e4832bcda8c41bab15f7981_JaffaCakes118.exe	31
PID 2080 wrote to memory of 2548	2080	44da70d93e4832bcda8c41bab15f7981_JaffaCakes118.exe	31
PID 2548 wrote to memory of 3012	2548	qiuqi0.exe	32
PID 2548 wrote to memory of 3012	2548	qiuqi0.exe	32
PID 2548 wrote to memory of 3012	2548	qiuqi0.exe	32
PID 2548 wrote to memory of 3012	2548	qiuqi0.exe	32
PID 2548 wrote to memory of 3012	2548	qiuqi0.exe	32
PID 2548 wrote to memory of 3012	2548	qiuqi0.exe	32
PID 2548 wrote to memory of 3012	2548	qiuqi0.exe	32
PID 2080 wrote to memory of 2300	2080	44da70d93e4832bcda8c41bab15f7981_JaffaCakes118.exe	34
PID 2080 wrote to memory of 2300	2080	44da70d93e4832bcda8c41bab15f7981_JaffaCakes118.exe	34
PID 2080 wrote to memory of 2300	2080	44da70d93e4832bcda8c41bab15f7981_JaffaCakes118.exe	34
PID 2080 wrote to memory of 2300	2080	44da70d93e4832bcda8c41bab15f7981_JaffaCakes118.exe	34
PID 2080 wrote to memory of 2300	2080	44da70d93e4832bcda8c41bab15f7981_JaffaCakes118.exe	34
PID 2080 wrote to memory of 2300	2080	44da70d93e4832bcda8c41bab15f7981_JaffaCakes118.exe	34
PID 2080 wrote to memory of 2300	2080	44da70d93e4832bcda8c41bab15f7981_JaffaCakes118.exe	34

C:\Users\Admin\AppData\Local\Temp\44da70d93e4832bcda8c41bab15f7981_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\44da70d93e4832bcda8c41bab15f7981_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Program Files\Common Files\qiuqi0.exe
  "C:\Program Files\Common Files\qiuqi0.exe" "C:\Program Files\Common Files\maoma0.dll" ServiceMain
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2648
- C:\Documents and Settings\qiuqi0.exe
  "C:\Documents and Settings\qiuqi0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c del C:\DOCUME~1\qiuqi0.exe
    3⤵
    PID:3012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del C:\Users\Admin\AppData\Local\Temp\44DA70~1.EXE
  2⤵
  - Deletes itself
  PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\maoma0.dll

Filesize
24.1MB

MD5
938107fb8aefa4214031de573087caf3

SHA1
c4ae09e21b0d6882dcb61e24995cbc335cf14ca3

SHA256
308a4802f32e7633e526bae4a9c94ab875fc151a8ef8ceb84efcc9b571ea6e31

SHA512
e9ebe9abeebd7e02722ba52f31fc9396352909b7505e09d18ad4993356e148b7b56f03e174f5538642c426c5c9703dcd13b0907465e3e00dc041d2e01e40e9ee

Download Submit
\Program Files\Common Files\qiuqi0.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
\Users\qiuqi0.exe

Filesize
24.0MB

MD5
9f7118bbf414232de5c5fcf8b8a0d620

SHA1
b2b866da0e4ec35c4c9bde3a8c20e68c872dbcd1

SHA256
bce17c949086c1d46309a9328e3be3f4410da04942d43742d9e03b8819c14ee5

SHA512
639a324c926a80ceeef5a6f2e19f8a12d853f8361b6f2ecdf4e067894107ae7fb5857d96992f9fb2aaf02dcff96f35bd3387a1abdb530ef6774e3d84289998a1

Download Submit
memory/2080-3-0x00000000008B0000-0x00000000008EE000-memory.dmp

Filesize
248KB

Download
memory/2080-2-0x0000000000870000-0x00000000008E9000-memory.dmp

Filesize
484KB

Download
memory/2080-6-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2080-5-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2080-4-0x00000000008B0000-0x00000000008EE000-memory.dmp

Filesize
248KB

Download
memory/2080-9-0x00000000003E0000-0x00000000003E2000-memory.dmp

Filesize
8KB

Download
memory/2080-1-0x0000000000870000-0x00000000008E9000-memory.dmp

Filesize
484KB

Download
memory/2080-8-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2080-50-0x00000000008B0000-0x00000000008EE000-memory.dmp

Filesize
248KB

Download
memory/2080-49-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2080-37-0x0000000000930000-0x0000000000936000-memory.dmp

Filesize
24KB

Download
memory/2080-0-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2080-30-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2080-32-0x00000000008B0000-0x00000000008EE000-memory.dmp

Filesize
248KB

Download
memory/2548-38-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2548-45-0x0000000000020000-0x0000000000026000-memory.dmp

Filesize
24KB

Download
memory/2548-43-0x0000000000020000-0x0000000000026000-memory.dmp

Filesize
24KB

Download
memory/2548-42-0x0000000000020000-0x0000000000026000-memory.dmp

Filesize
24KB

Download
memory/2548-46-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2648-26-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2648-28-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2648-29-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2648-25-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download