gh0strat | 083a84992dd3cfce97a869488d4b6cd1bc4717721decfe1bb5306436ff7b759c

General

Target

5a47e583dcc59f27cdbbec3faad0d503_JaffaCakes118.exe
Size

376KB
MD5

5a47e583dcc59f27cdbbec3faad0d503
SHA1

906d139fcd2492c3d11b009be9e9a48e293123f7
SHA256

083a84992dd3cfce97a869488d4b6cd1bc4717721decfe1bb5306436ff7b759c
SHA512

f81b02efc10506923e5cab1ca478f9181ece3fd844ac42efd3b5eeedb439a7eb2d990f28d5fe4203a931d10e2d3f5cc355a399e9e462fe7c5f45d6519896e934
SSDEEP

6144:zIHYsZbS31zXqSNQgeiOKnDYVH0pwpMWEmpRBJ1NuUBY+f7zAF11whggaoHofph2:zIVZel6SOgeiOKEVH0ppWfBJ7XBczmR5

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 11 IoCs

resource	yara_rule
behavioral1/memory/2704-9-0x0000000000400000-0x000000000054B000-memory.dmp	family_gh0strat
behavioral1/memory/2704-8-0x0000000000400000-0x000000000054B000-memory.dmp	family_gh0strat
behavioral1/memory/2704-11-0x0000000000400000-0x000000000054B000-memory.dmp	family_gh0strat
behavioral1/memory/2704-10-0x0000000000401000-0x0000000000468000-memory.dmp	family_gh0strat
behavioral1/memory/2704-7-0x0000000000400000-0x000000000054B000-memory.dmp	family_gh0strat
behavioral1/memory/2832-24-0x0000000000400000-0x000000000054B000-memory.dmp	family_gh0strat
behavioral1/memory/2832-27-0x0000000000400000-0x000000000054B000-memory.dmp	family_gh0strat
behavioral1/memory/2832-26-0x0000000000400000-0x000000000054B000-memory.dmp	family_gh0strat
behavioral1/memory/2832-23-0x0000000000400000-0x000000000054B000-memory.dmp	family_gh0strat
behavioral1/memory/2832-22-0x0000000000400000-0x000000000054B000-memory.dmp	family_gh0strat
behavioral1/memory/2704-31-0x0000000000400000-0x000000000054B000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
2832	svchest000.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Kris = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5a47e583dcc59f27cdbbec3faad0d503_JaffaCakes118.exe"	5a47e583dcc59f27cdbbec3faad0d503_JaffaCakes118.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\Windows\BJ.exe	5a47e583dcc59f27cdbbec3faad0d503_JaffaCakes118.exe
File created	\??\c:\Windows\BJ.exe	5a47e583dcc59f27cdbbec3faad0d503_JaffaCakes118.exe
File created	\??\c:\Windows\svchest000.exe	5a47e583dcc59f27cdbbec3faad0d503_JaffaCakes118.exe
File opened for modification	\??\c:\Windows\svchest000.exe	5a47e583dcc59f27cdbbec3faad0d503_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 2832	2704	5a47e583dcc59f27cdbbec3faad0d503_JaffaCakes118.exe	31
PID 2704 wrote to memory of 2832	2704	5a47e583dcc59f27cdbbec3faad0d503_JaffaCakes118.exe	31
PID 2704 wrote to memory of 2832	2704	5a47e583dcc59f27cdbbec3faad0d503_JaffaCakes118.exe	31
PID 2704 wrote to memory of 2832	2704	5a47e583dcc59f27cdbbec3faad0d503_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\5a47e583dcc59f27cdbbec3faad0d503_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5a47e583dcc59f27cdbbec3faad0d503_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2704
- \??\c:\Windows\svchest000.exe
  c:\Windows\svchest000.exe
  2⤵
  - Executes dropped EXE
  PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\svchest000.exe

Filesize
376KB

MD5
5a47e583dcc59f27cdbbec3faad0d503

SHA1
906d139fcd2492c3d11b009be9e9a48e293123f7

SHA256
083a84992dd3cfce97a869488d4b6cd1bc4717721decfe1bb5306436ff7b759c

SHA512
f81b02efc10506923e5cab1ca478f9181ece3fd844ac42efd3b5eeedb439a7eb2d990f28d5fe4203a931d10e2d3f5cc355a399e9e462fe7c5f45d6519896e934

Download Submit
memory/2704-6-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2704-8-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/2704-2-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/2704-10-0x0000000000401000-0x0000000000468000-memory.dmp

Filesize
412KB

Download
memory/2704-1-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/2704-0-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/2704-5-0x0000000000240000-0x0000000000242000-memory.dmp

Filesize
8KB

Download
memory/2704-31-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/2704-3-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/2704-18-0x0000000002EF0000-0x000000000303B000-memory.dmp

Filesize
1.3MB

Download
memory/2704-32-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/2704-9-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/2704-11-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/2704-7-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/2704-4-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2832-25-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/2832-28-0x00000000001C0000-0x00000000001FE000-memory.dmp

Filesize
248KB

Download
memory/2832-27-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/2832-26-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/2832-23-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/2832-22-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/2832-21-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/2832-20-0x00000000001C0000-0x00000000001FE000-memory.dmp

Filesize
248KB

Download
memory/2832-24-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/2832-19-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads