gh0strat | dd94a0e76e5de1ed7e055ef87507d3a2e00d3177dd2e450c4afc1e7d3eca6e84

General

Target

4d257e507fea62c60ec257db15f91e59_JaffaCakes118.exe
Size

240KB
MD5

4d257e507fea62c60ec257db15f91e59
SHA1

bd4b17e49433c06be4e65d43174c45c8f3c14da3
SHA256

dd94a0e76e5de1ed7e055ef87507d3a2e00d3177dd2e450c4afc1e7d3eca6e84
SHA512

3ff13e664a5830d65cf5da1a7fdbe5442b216481d53877070688b8ec4bb8667c1651106e7ac7f13119f8276e7ec52748e984e2f83cd94b211fb7f481fd22e7f5
SSDEEP

6144:wQqu0cHNfrmD7JE/rn3BRTC9K2FyC8Zu:HVfrm3K/LBpjODQ

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/files/0x00090000000120ff-6.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 2 IoCs

pid	Process
2080	2011528135322.exe
2176	svchost.exe

Loads dropped DLL 10 IoCs

pid	Process
1696	4d257e507fea62c60ec257db15f91e59_JaffaCakes118.exe
1696	4d257e507fea62c60ec257db15f91e59_JaffaCakes118.exe
2080	2011528135322.exe
2080	2011528135322.exe
2080	2011528135322.exe
2080	2011528135322.exe
2080	2011528135322.exe
2176	svchost.exe
2176	svchost.exe
2176	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\V2011 = "C:\\WINDOWS\\V2011.exe"	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\V2011.exe	svchost.exe
File opened for modification	C:\WINDOWS\V2011.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2080	2011528135322.exe
2176	svchost.exe
2176	svchost.exe
2176	svchost.exe
2176	svchost.exe
2176	svchost.exe
2176	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2176	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2176	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2748	DllHost.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 2080	1696	4d257e507fea62c60ec257db15f91e59_JaffaCakes118.exe	30
PID 1696 wrote to memory of 2080	1696	4d257e507fea62c60ec257db15f91e59_JaffaCakes118.exe	30
PID 1696 wrote to memory of 2080	1696	4d257e507fea62c60ec257db15f91e59_JaffaCakes118.exe	30
PID 1696 wrote to memory of 2080	1696	4d257e507fea62c60ec257db15f91e59_JaffaCakes118.exe	30
PID 1696 wrote to memory of 2080	1696	4d257e507fea62c60ec257db15f91e59_JaffaCakes118.exe	30
PID 1696 wrote to memory of 2080	1696	4d257e507fea62c60ec257db15f91e59_JaffaCakes118.exe	30
PID 1696 wrote to memory of 2080	1696	4d257e507fea62c60ec257db15f91e59_JaffaCakes118.exe	30
PID 2080 wrote to memory of 2176	2080	2011528135322.exe	31
PID 2080 wrote to memory of 2176	2080	2011528135322.exe	31
PID 2080 wrote to memory of 2176	2080	2011528135322.exe	31
PID 2080 wrote to memory of 2176	2080	2011528135322.exe	31
PID 2080 wrote to memory of 2176	2080	2011528135322.exe	31
PID 2080 wrote to memory of 2176	2080	2011528135322.exe	31
PID 2080 wrote to memory of 2176	2080	2011528135322.exe	31
PID 2080 wrote to memory of 592	2080	2011528135322.exe	34
PID 2080 wrote to memory of 592	2080	2011528135322.exe	34
PID 2080 wrote to memory of 592	2080	2011528135322.exe	34
PID 2080 wrote to memory of 592	2080	2011528135322.exe	34
PID 2080 wrote to memory of 592	2080	2011528135322.exe	34
PID 2080 wrote to memory of 592	2080	2011528135322.exe	34
PID 2080 wrote to memory of 592	2080	2011528135322.exe	34

C:\Users\Admin\AppData\Local\Temp\4d257e507fea62c60ec257db15f91e59_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4d257e507fea62c60ec257db15f91e59_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Windows\temp\2011528135322.exe
  "C:\Windows\temp\2011528135322.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Users\Admin\AppData\Local\Temp\V2011\svchost.exe
    C:\Users\Admin\AppData\Local\Temp\V2011\svchost.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2176
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c afc9fe2f418b00a0.bat
    3⤵
    PID:592

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\afc9fe2f418b00a0.bat

Filesize
2KB

MD5
4a397f6ddbfeb2f7cdced8a498d52599

SHA1
66f7be52ee6debeec85c8615ae276584936a7b9b

SHA256
58b385389b396dd8261da8e91632b32bc52ba465c83552082bc0b82b0d7dbeba

SHA512
9c67bec8726f635683216cbad73fa0729e888df002cf515143cbf97273a22cecbe3897266d2f531077138ccdf5d12eb9d395357bb7439a878fc60884bd5ab068

Download Submit
C:\Windows\temp\2011528135324.jpg

Filesize
122KB

MD5
aeabb4ae0296cfceb3995c4f1898d9c8

SHA1
ef5d6fb19d5dbfed4675ea07c8ccabc1c51f38c4

SHA256
64cf391f33318c6f36cb0d3f64aa02ec15b485ed250b7c4df66fe1ea0df628b8

SHA512
242a48932a5a9e0448590854c45721332e0820f42f1df7868c16362467ba774f15520a51c9a86c021d2955db3ca52276f1cd39a0585191c6672e8e622b82a953

Download Submit
\Windows\Temp\2011528135322.exe

Filesize
204KB

MD5
1a24c5e8b0653ff5c5033c1970af459a

SHA1
eeaa099ef42414aaf4f7c48618cd66a6e2ba9e37

SHA256
779ba65f8947c9206cade7b181683380da0ef1b12a1a8de5c2e6c00d53574e9b

SHA512
006478b5fae5964ad5ede2b3277fcccfa54de68dff768110b7fb9ab184baa2b714d1d44717d3f760f480fbe1ec48f4e7e569dc030d073da7241825468d552f15

Download Submit
memory/1696-2-0x0000000000240000-0x000000000026E000-memory.dmp

Filesize
184KB

Download
memory/1696-1-0x0000000000240000-0x000000000026E000-memory.dmp

Filesize
184KB

Download
memory/1696-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1696-34-0x0000000002BF0000-0x0000000002BF2000-memory.dmp

Filesize
8KB

Download
memory/1696-36-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2748-35-0x0000000000250000-0x0000000000252000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads