gh0strat | 699f9729b579aa7a0e178d6e8c7caa90ede3356c95d1de45d22d68564eb9080d

Analysis

max time kernel
149s
max time network
133s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
14/07/2024, 09:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe
Size

293KB
MD5

454ae5dee5961ce4f38186f38375ebeb
SHA1

2e4afb2fb85112f9962ba6cdd345fc1bf31fa9d5
SHA256

699f9729b579aa7a0e178d6e8c7caa90ede3356c95d1de45d22d68564eb9080d
SHA512

a9817ac3b49209e7c8a2fd01418ef298d95aba6d3b56886adcc9522bd4bf58e4b00c6053e736941d084d104d4e19fb29ad801ce52b60c14dc97ab51114b5b27b
SSDEEP

6144:ok6KgejpAXPoBQfFMXZ9aBdYHEzoOMQne4ywoF4Q:Lgej8oiaXyBqHEzoOLe4ywoD

Score

10^/10

gh0strat bootkit persistence rat

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral1/files/0x0009000000015d7b-41.dat	family_gh0strat
behavioral1/memory/2128-43-0x0000000000400000-0x000000000048B000-memory.dmp	family_gh0strat
behavioral1/memory/2788-44-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral1/memory/2128-65-0x0000000000400000-0x000000000048B000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
1444	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2292	msigponjw.exe
2788	fhmsigpon.exe
2204	hmsigponj.exe

Loads dropped DLL 16 IoCs

pid	Process
2128	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe
2128	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe
2292	msigponjw.exe
2292	msigponjw.exe
2292	msigponjw.exe
2128	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe
2128	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe
2788	fhmsigpon.exe
2788	fhmsigpon.exe
2788	fhmsigpon.exe
2788	fhmsigpon.exe
2128	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe
2128	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe
2204	hmsigponj.exe
2204	hmsigponj.exe
2204	hmsigponj.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	fhmsigpon.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\loveuu.bat	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe
File created	C:\Program Files\cm\msigponjw.exe	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe
File created	C:\Program Files\cm\fhmsigpon.dll	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\qiuqiu.cpp	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe
File created	C:\Program Files\Common Files\qiuqiu.cpp	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe
File created	C:\Program Files\cm\hmsigponj.exe	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe
File created	C:\Program Files\cm\fhmsigpon.exe	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2496	sc.exe
848	sc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	fhmsigpon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	fhmsigpon.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\InProcServer32	hmsigponj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	hmsigponj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{603D3801-BD81-11d0-A3A5-00C04FD706EC}	hmsigponj.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2788	fhmsigpon.exe
2788	fhmsigpon.exe
2788	fhmsigpon.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2292	2128	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe	30
PID 2128 wrote to memory of 2292	2128	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe	30
PID 2128 wrote to memory of 2292	2128	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe	30
PID 2128 wrote to memory of 2292	2128	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe	30
PID 2128 wrote to memory of 2292	2128	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe	30
PID 2128 wrote to memory of 2292	2128	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe	30
PID 2128 wrote to memory of 2292	2128	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe	30
PID 2292 wrote to memory of 2356	2292	msigponjw.exe	31
PID 2292 wrote to memory of 2356	2292	msigponjw.exe	31
PID 2292 wrote to memory of 2356	2292	msigponjw.exe	31
PID 2292 wrote to memory of 2356	2292	msigponjw.exe	31
PID 2292 wrote to memory of 2356	2292	msigponjw.exe	31
PID 2292 wrote to memory of 2356	2292	msigponjw.exe	31
PID 2292 wrote to memory of 2356	2292	msigponjw.exe	31
PID 2128 wrote to memory of 2788	2128	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe	34
PID 2128 wrote to memory of 2788	2128	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe	34
PID 2128 wrote to memory of 2788	2128	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe	34
PID 2128 wrote to memory of 2788	2128	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe	34
PID 2128 wrote to memory of 2788	2128	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe	34
PID 2128 wrote to memory of 2788	2128	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe	34
PID 2128 wrote to memory of 2788	2128	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe	34
PID 2128 wrote to memory of 2496	2128	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe	35
PID 2128 wrote to memory of 2496	2128	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe	35
PID 2128 wrote to memory of 2496	2128	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe	35
PID 2128 wrote to memory of 2496	2128	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe	35
PID 2128 wrote to memory of 2496	2128	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe	35
PID 2128 wrote to memory of 2496	2128	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe	35
PID 2128 wrote to memory of 2496	2128	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe	35
PID 2128 wrote to memory of 848	2128	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe	36
PID 2128 wrote to memory of 848	2128	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe	36
PID 2128 wrote to memory of 848	2128	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe	36
PID 2128 wrote to memory of 848	2128	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe	36
PID 2128 wrote to memory of 848	2128	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe	36
PID 2128 wrote to memory of 848	2128	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe	36
PID 2128 wrote to memory of 848	2128	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe	36
PID 2128 wrote to memory of 2204	2128	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe	37
PID 2128 wrote to memory of 2204	2128	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe	37
PID 2128 wrote to memory of 2204	2128	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe	37
PID 2128 wrote to memory of 2204	2128	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe	37
PID 2128 wrote to memory of 2204	2128	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe	37
PID 2128 wrote to memory of 2204	2128	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe	37
PID 2128 wrote to memory of 2204	2128	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe	37
PID 2204 wrote to memory of 1500	2204	hmsigponj.exe	40
PID 2204 wrote to memory of 1500	2204	hmsigponj.exe	40
PID 2204 wrote to memory of 1500	2204	hmsigponj.exe	40
PID 2204 wrote to memory of 1500	2204	hmsigponj.exe	40
PID 2204 wrote to memory of 1500	2204	hmsigponj.exe	40
PID 2204 wrote to memory of 1500	2204	hmsigponj.exe	40
PID 2204 wrote to memory of 1500	2204	hmsigponj.exe	40
PID 2128 wrote to memory of 1444	2128	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe	41
PID 2128 wrote to memory of 1444	2128	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe	41
PID 2128 wrote to memory of 1444	2128	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe	41
PID 2128 wrote to memory of 1444	2128	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe	41
PID 2128 wrote to memory of 1444	2128	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe	41
PID 2128 wrote to memory of 1444	2128	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe	41
PID 2128 wrote to memory of 1444	2128	454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe	41

C:\Users\Admin\AppData\Local\Temp\454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\454ae5dee5961ce4f38186f38375ebeb_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Program Files\cm\msigponjw.exe
  "C:\Program Files\cm\msigponjw.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del "C:\Program Files\cm\msigponjw.exe
    3⤵
    PID:2356
- C:\Program Files\cm\fhmsigpon.exe
  "C:\Program Files\cm\fhmsigpon.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2788
- C:\Windows\SysWOW64\sc.exe
  sc config RasAuto start= auto
  2⤵
  - Launches sc.exe
  PID:2496
- C:\Windows\SysWOW64\sc.exe
  sc config RasAuto start= auto
  2⤵
  - Launches sc.exe
  PID:848
- C:\Program Files\cm\hmsigponj.exe
  "C:\Program Files\cm\hmsigponj.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c del C:\PROGRA~1\cm\HMSIGP~1.EXE
    3⤵
    PID:1500
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del C:\Users\Admin\AppData\Local\Temp\454AE5~1.EXE
  2⤵
  - Deletes itself
  PID:1444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\cm\fhmsigpon.dll

Filesize
32.7MB

MD5
f5aeadb674e93c74a604f2e6efc5e16f

SHA1
b694bf9031d8825346095e61ca73bcef93678e32

SHA256
6860346e0155adc96eee3f110c4b871fabff8b98695a6a4056ee0576bc04f682

SHA512
b86dd43d473d5e3f1ff8d8f57adcf9f7bd08b2ce1dfda84ed827b3d1abec6af38a1a464023d1df7b3928dd414514dcdd00a5ffc438a8bb2b9ce8f7cffc3cd281

Download Submit
\Program Files\cm\fhmsigpon.exe

Filesize
8.3MB

MD5
c42ddc749f4428e58f8439d054048d9e

SHA1
83594bf31b18215df33d300cc1188c7355d95d16

SHA256
b82dc8e1c05be80108d96eb0e3f8ac9538fde64b0ec65879cc13211778575aed

SHA512
ebb2443f0f2124b21cffbe829d70dcf09bf264c3355dcd335f8be92c4b4b4e6cbf8c418efe25c1c672b813155722af7273132e73cb362e86b77fb8a89696cb78

Download Submit
\Program Files\cm\hmsigponj.exe

Filesize
8.3MB

MD5
96b95bc27d555d31ccf0cc4a2f51579e

SHA1
ed719b548b07e6c08fbeed54ab266097bb5a0869

SHA256
fd321d55c8bef1d268127f7354ab54d8b1502904a11a381798e67dc4afdbf6ef

SHA512
66e5f6879ccc90d08bd440bd8a344412df95314be4a55698a63e4c372ea3d5554a53bb389e90b2cd0bb83e7bbe1495e01b765702c050820c67bd1e7b047f447f

Download Submit
\Program Files\cm\msigponjw.exe

Filesize
8.3MB

MD5
8639cbc48371b17e88613830e37582ef

SHA1
81e6a125a40effbedacf2b4c9ac87c770476df96

SHA256
07c1641d8afcecbeaa99bfcf644690d9414ddeed158fee96a04230055999a370

SHA512
157a8569f64880f2e58ae50f628df438e270e34531e687aacc453704804359dae3c3fda60a4022f768a0eeffadf61220c02bd641aea7fb13d9a742a12fac56d1

Download Submit
memory/2128-5-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2128-17-0x00000000002E0000-0x00000000002E6000-memory.dmp

Filesize
24KB

Download
memory/2128-7-0x00000000002B0000-0x00000000002B2000-memory.dmp

Filesize
8KB

Download
memory/2128-6-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2128-47-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/2128-1-0x0000000000240000-0x00000000002CB000-memory.dmp

Filesize
556KB

Download
memory/2128-18-0x00000000002E0000-0x00000000002E6000-memory.dmp

Filesize
24KB

Download
memory/2128-3-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/2128-0-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2128-65-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2128-4-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2128-2-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/2128-43-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2128-66-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/2204-64-0x0000000000400000-0x00000000004030CC-memory.dmp

Filesize
12KB

Download
memory/2292-25-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2292-24-0x0000000000020000-0x0000000000026000-memory.dmp

Filesize
24KB

Download
memory/2292-19-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2788-46-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2788-44-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download