gh0strat | e1f5f89077793c78b2cf47e9005eac43c57fb8c9633054c83a15063edcaf01d5

General

Target

4ab89a72b156a32a2f2e920b1597028f_JaffaCakes118.exe
Size

406KB
MD5

4ab89a72b156a32a2f2e920b1597028f
SHA1

73369b499b0b3a329a0ee61ba7e1bd2a9bbba167
SHA256

e1f5f89077793c78b2cf47e9005eac43c57fb8c9633054c83a15063edcaf01d5
SHA512

4cfd96282379442c37c1704eb47591429ed2039fef7456f33de3608996d043fc05e6d7122e215d2a40a4ad3163296001758e34050618667ce1423fadc8c1acd6
SSDEEP

6144:ocqtuJKCU6F2idZecnl20lHRxp3gHncduD7yB9VCO6Sco4q8+dE6CqIg:auJKCjF3Z4mxxQDqVTVOC/

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000015d39-45.dat	family_gh0strat
behavioral1/memory/1588-55-0x0000000000400000-0x000000000041E000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Drivers\beep.sys	server1.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\beep.sys	svchost.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibilityex.dll"	server1.exe

Executes dropped EXE 1 IoCs

pid	Process
1588	server1.exe

Loads dropped DLL 4 IoCs

pid	Process
480	4ab89a72b156a32a2f2e920b1597028f_JaffaCakes118.exe
480	4ab89a72b156a32a2f2e920b1597028f_JaffaCakes118.exe
1588	server1.exe
1660	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4ab89a72b156a32a2f2e920b1597028f_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibilityex.dll	server1.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
472	Process not Found
472	Process not Found

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 480 wrote to memory of 1588	480	4ab89a72b156a32a2f2e920b1597028f_JaffaCakes118.exe	28
PID 480 wrote to memory of 1588	480	4ab89a72b156a32a2f2e920b1597028f_JaffaCakes118.exe	28
PID 480 wrote to memory of 1588	480	4ab89a72b156a32a2f2e920b1597028f_JaffaCakes118.exe	28
PID 480 wrote to memory of 1588	480	4ab89a72b156a32a2f2e920b1597028f_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\4ab89a72b156a32a2f2e920b1597028f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4ab89a72b156a32a2f2e920b1597028f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:480
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server1.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server1.exe
  2⤵
  - Drops file in Drivers directory
  - Server Software Component: Terminal Services DLL
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:1588

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\install.tmp

Filesize
56B

MD5
8cdd1847b08155fc5a3ee084cd7209ea

SHA1
10c1970ccce553ee604abc7452cf22a0c47f8c61

SHA256
d4f4034b7024663eb06e00797c83d1bf66bfa94006df6acb0f3eff7119d7fc62

SHA512
99dbe5d893cb3cbe8038a1de993a99014724fa313c832c46a22e63bdee59de336675209417b42b479cb2e51af8d722530370848d8318bf079ec7f96444066b46

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\server1.exe

Filesize
56KB

MD5
3e9facdfe21f0a509672ef9337bea95e

SHA1
a686475b7290434338d8f6297e0f70d459aac7b1

SHA256
097ac62b8fad0ef8e6ca08ac04e43c020e37f9dfe09068d87dd90b4aa6e2af68

SHA512
80c1435167d43b902458a3f9c9a71d6071b8d768df9d0eab1f7c9d34cdb17cb084e70d48542701e5d459b68f247e635a670a19aaf27636234cb5628f06d1a88c

Download Submit
\Users\Admin\AppData\Local\Temp\dll.tmp

Filesize
95KB

MD5
96e1c1ef9896d67cc5a0773b0e4440d8

SHA1
b67225bb41f2d402fdf501b177571fc83e343ad8

SHA256
f147cb6896332a26b01c473ee0ed0fc264fa24a26eeca2daae6a8fd720af65c9

SHA512
485e8cfc807ecfae88116eb775c10eb740b8ad0529adeb9d391f4d54c5fba933dd87331c83db1ac57b3229469a8b791037d6fb9a555b15ad4a2f3b5528b2f616

Download Submit
memory/480-14-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/480-6-0x0000000000480000-0x0000000000481000-memory.dmp

Filesize
4KB

Download
memory/480-5-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/480-4-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/480-3-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/480-1-0x00000000003A0000-0x00000000003F4000-memory.dmp

Filesize
336KB

Download
memory/480-0-0x0000000001000000-0x0000000001089000-memory.dmp

Filesize
548KB

Download
memory/480-2-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/480-22-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/480-21-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/480-20-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/480-19-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/480-17-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/480-16-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/480-15-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/480-10-0x00000000030F0000-0x00000000030F1000-memory.dmp

Filesize
4KB

Download
memory/480-11-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/480-12-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/480-7-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/480-31-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/480-30-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/480-29-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/480-28-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/480-27-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/480-26-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/480-25-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/480-24-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/480-23-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/480-32-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/480-9-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/480-40-0x00000000030E0000-0x00000000030FE000-memory.dmp

Filesize
120KB

Download
memory/480-8-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/480-59-0x0000000001000000-0x0000000001089000-memory.dmp

Filesize
548KB

Download
memory/480-60-0x00000000003A0000-0x00000000003F4000-memory.dmp

Filesize
336KB

Download
memory/1588-55-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1588-41-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads