gh0strat | dd94a0e76e5de1ed7e055ef87507d3a2e00d3177dd2e450c4afc1e7d3eca6e84

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
16/07/2024, 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d257e507fea62c60ec257db15f91e59_JaffaCakes118.exe
Size

240KB
MD5

4d257e507fea62c60ec257db15f91e59
SHA1

bd4b17e49433c06be4e65d43174c45c8f3c14da3
SHA256

dd94a0e76e5de1ed7e055ef87507d3a2e00d3177dd2e450c4afc1e7d3eca6e84
SHA512

3ff13e664a5830d65cf5da1a7fdbe5442b216481d53877070688b8ec4bb8667c1651106e7ac7f13119f8276e7ec52748e984e2f83cd94b211fb7f481fd22e7f5
SSDEEP

6144:wQqu0cHNfrmD7JE/rn3BRTC9K2FyC8Zu:HVfrm3K/LBpjODQ

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000a0000000233eb-6.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	4d257e507fea62c60ec257db15f91e59_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2368	2011528135322.exe
3544	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\V2011 = "C:\\WINDOWS\\V2011.exe"	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\V2011.exe	svchost.exe
File opened for modification	C:\WINDOWS\V2011.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2368	2011528135322.exe
2368	2011528135322.exe
3544	svchost.exe
3544	svchost.exe
3544	svchost.exe
3544	svchost.exe
3544	svchost.exe
3544	svchost.exe
3544	svchost.exe
3544	svchost.exe
3544	svchost.exe
3544	svchost.exe
3544	svchost.exe
3544	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3544	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3544	svchost.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2368	3032	4d257e507fea62c60ec257db15f91e59_JaffaCakes118.exe	85
PID 3032 wrote to memory of 2368	3032	4d257e507fea62c60ec257db15f91e59_JaffaCakes118.exe	85
PID 3032 wrote to memory of 2368	3032	4d257e507fea62c60ec257db15f91e59_JaffaCakes118.exe	85
PID 2368 wrote to memory of 3544	2368	2011528135322.exe	86
PID 2368 wrote to memory of 3544	2368	2011528135322.exe	86
PID 2368 wrote to memory of 3544	2368	2011528135322.exe	86
PID 2368 wrote to memory of 2292	2368	2011528135322.exe	89
PID 2368 wrote to memory of 2292	2368	2011528135322.exe	89
PID 2368 wrote to memory of 2292	2368	2011528135322.exe	89

C:\Users\Admin\AppData\Local\Temp\4d257e507fea62c60ec257db15f91e59_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4d257e507fea62c60ec257db15f91e59_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\temp\2011528135322.exe
  "C:\Windows\temp\2011528135322.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Users\Admin\AppData\Local\Temp\V2011\svchost.exe
    C:\Users\Admin\AppData\Local\Temp\V2011\svchost.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:3544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c afc9fe2f418b00a0.bat
    3⤵
    PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\2011528135322.exe

Filesize
204KB

MD5
1a24c5e8b0653ff5c5033c1970af459a

SHA1
eeaa099ef42414aaf4f7c48618cd66a6e2ba9e37

SHA256
779ba65f8947c9206cade7b181683380da0ef1b12a1a8de5c2e6c00d53574e9b

SHA512
006478b5fae5964ad5ede2b3277fcccfa54de68dff768110b7fb9ab184baa2b714d1d44717d3f760f480fbe1ec48f4e7e569dc030d073da7241825468d552f15

Download Submit
C:\Windows\temp\afc9fe2f418b00a0.bat

Filesize
2KB

MD5
4a397f6ddbfeb2f7cdced8a498d52599

SHA1
66f7be52ee6debeec85c8615ae276584936a7b9b

SHA256
58b385389b396dd8261da8e91632b32bc52ba465c83552082bc0b82b0d7dbeba

SHA512
9c67bec8726f635683216cbad73fa0729e888df002cf515143cbf97273a22cecbe3897266d2f531077138ccdf5d12eb9d395357bb7439a878fc60884bd5ab068

Download Submit
memory/3032-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3032-13-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download