gh0strat | 8c16c6cd04663523b6d16f0a4030a5ff1b69868fd5e5c3b8db042e39bad99971

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2024, 05:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

485a0b6cef37d769d3be886062a3ee77_JaffaCakes118.exe
Size

188KB
MD5

485a0b6cef37d769d3be886062a3ee77
SHA1

468f8c71ed6994efa0fd48a561a9a6375e697f94
SHA256

8c16c6cd04663523b6d16f0a4030a5ff1b69868fd5e5c3b8db042e39bad99971
SHA512

4d31d1873c652274fd249ef17cca90ccf5593274df3c4b9010975a6cc723053b39e10c3ce01d53fcd2f957b0cefcecae0d87cc334357620ff01725fde3526588
SSDEEP

3072:2uyqAtRb09rDM5hITqEIQbyxDxttRD4xCbGcJpHjDgcDIP:2uyqArb05DMMTqPhfb3JjDv

Score

10^/10

gh0strat bootkit persistence rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000900000002343f-2.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
2708	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
2708	svchost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rhlvorywxo	svchost.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~3\APPLIC~1\Storm\update\ylqfv.lib	485a0b6cef37d769d3be886062a3ee77_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7"	svchost.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeBackupPrivilege	2596	485a0b6cef37d769d3be886062a3ee77_JaffaCakes118.exe
Token: SeRestorePrivilege	2596	485a0b6cef37d769d3be886062a3ee77_JaffaCakes118.exe
Token: SeBackupPrivilege	2708	svchost.exe
Token: SeRestorePrivilege	2708	svchost.exe
Token: SeBackupPrivilege	2708	svchost.exe
Token: SeBackupPrivilege	2708	svchost.exe
Token: SeSecurityPrivilege	2708	svchost.exe
Token: SeSecurityPrivilege	2708	svchost.exe
Token: SeBackupPrivilege	2708	svchost.exe
Token: SeBackupPrivilege	2708	svchost.exe
Token: SeSecurityPrivilege	2708	svchost.exe
Token: SeBackupPrivilege	2708	svchost.exe
Token: SeBackupPrivilege	2708	svchost.exe
Token: SeSecurityPrivilege	2708	svchost.exe
Token: SeBackupPrivilege	2708	svchost.exe
Token: SeRestorePrivilege	2708	svchost.exe

C:\Users\Admin\AppData\Local\Temp\485a0b6cef37d769d3be886062a3ee77_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\485a0b6cef37d769d3be886062a3ee77_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Deletes itself
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\progra~3\applic~1\storm\update\ylqfv.lib

Filesize
896KB

MD5
062885d3a4beb8a836d1cc790d272ec1

SHA1
238649cc013a5efa39a0454addb6b456404bee83

SHA256
887e03d5aba0367fcb96add06c93338c97ee443f74ed6d74e64998086f34a16d

SHA512
f3103a98639010098c6e3aeb6e6bea1ffd65b32221869c2862eb9792c63d824bb639b520c46de326e2ca6b3b6777f566eaf3578259f03e5e17d91a32395a850e

Download Submit