gh0strat | 083a84992dd3cfce97a869488d4b6cd1bc4717721decfe1bb5306436ff7b759c

General

Target

5a47e583dcc59f27cdbbec3faad0d503_JaffaCakes118.exe
Size

376KB
MD5

5a47e583dcc59f27cdbbec3faad0d503
SHA1

906d139fcd2492c3d11b009be9e9a48e293123f7
SHA256

083a84992dd3cfce97a869488d4b6cd1bc4717721decfe1bb5306436ff7b759c
SHA512

f81b02efc10506923e5cab1ca478f9181ece3fd844ac42efd3b5eeedb439a7eb2d990f28d5fe4203a931d10e2d3f5cc355a399e9e462fe7c5f45d6519896e934
SSDEEP

6144:zIHYsZbS31zXqSNQgeiOKnDYVH0pwpMWEmpRBJ1NuUBY+f7zAF11whggaoHofph2:zIVZel6SOgeiOKEVH0ppWfBJ7XBczmR5

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 11 IoCs

resource	yara_rule
behavioral2/memory/464-6-0x0000000000400000-0x000000000054B000-memory.dmp	family_gh0strat
behavioral2/memory/464-10-0x0000000000401000-0x0000000000468000-memory.dmp	family_gh0strat
behavioral2/memory/464-4-0x0000000000400000-0x000000000054B000-memory.dmp	family_gh0strat
behavioral2/memory/2832-25-0x0000000000400000-0x000000000054B000-memory.dmp	family_gh0strat
behavioral2/memory/2832-27-0x0000000000400000-0x000000000054B000-memory.dmp	family_gh0strat
behavioral2/memory/2832-24-0x0000000000400000-0x000000000054B000-memory.dmp	family_gh0strat
behavioral2/memory/2832-23-0x0000000000400000-0x000000000054B000-memory.dmp	family_gh0strat
behavioral2/memory/2832-22-0x0000000000400000-0x000000000054B000-memory.dmp	family_gh0strat
behavioral2/memory/464-18-0x0000000000400000-0x000000000054B000-memory.dmp	family_gh0strat
behavioral2/memory/464-3-0x0000000000400000-0x000000000054B000-memory.dmp	family_gh0strat
behavioral2/memory/464-29-0x0000000000400000-0x000000000054B000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
2832	svchest425075242507520.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Kris = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5a47e583dcc59f27cdbbec3faad0d503_JaffaCakes118.exe"	5a47e583dcc59f27cdbbec3faad0d503_JaffaCakes118.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\Windows\BJ.exe	5a47e583dcc59f27cdbbec3faad0d503_JaffaCakes118.exe
File created	\??\c:\Windows\svchest425075242507520.exe	5a47e583dcc59f27cdbbec3faad0d503_JaffaCakes118.exe
File opened for modification	\??\c:\Windows\svchest425075242507520.exe	5a47e583dcc59f27cdbbec3faad0d503_JaffaCakes118.exe
File created	\??\c:\Windows\BJ.exe	5a47e583dcc59f27cdbbec3faad0d503_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 464 wrote to memory of 2832	464	5a47e583dcc59f27cdbbec3faad0d503_JaffaCakes118.exe	82
PID 464 wrote to memory of 2832	464	5a47e583dcc59f27cdbbec3faad0d503_JaffaCakes118.exe	82
PID 464 wrote to memory of 2832	464	5a47e583dcc59f27cdbbec3faad0d503_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\5a47e583dcc59f27cdbbec3faad0d503_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5a47e583dcc59f27cdbbec3faad0d503_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:464
- \??\c:\Windows\svchest425075242507520.exe
  c:\Windows\svchest425075242507520.exe
  2⤵
  - Executes dropped EXE
  PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\svchest425075242507520.exe

Filesize
376KB

MD5
5a47e583dcc59f27cdbbec3faad0d503

SHA1
906d139fcd2492c3d11b009be9e9a48e293123f7

SHA256
083a84992dd3cfce97a869488d4b6cd1bc4717721decfe1bb5306436ff7b759c

SHA512
f81b02efc10506923e5cab1ca478f9181ece3fd844ac42efd3b5eeedb439a7eb2d990f28d5fe4203a931d10e2d3f5cc355a399e9e462fe7c5f45d6519896e934

Download Submit
memory/464-18-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/464-30-0x00000000022C0000-0x00000000022FE000-memory.dmp

Filesize
248KB

Download
memory/464-6-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/464-10-0x0000000000401000-0x0000000000468000-memory.dmp

Filesize
412KB

Download
memory/464-7-0x0000000000730000-0x0000000000732000-memory.dmp

Filesize
8KB

Download
memory/464-5-0x00000000022C0000-0x00000000022FE000-memory.dmp

Filesize
248KB

Download
memory/464-4-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/464-0-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/464-29-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/464-1-0x00000000022C0000-0x00000000022FE000-memory.dmp

Filesize
248KB

Download
memory/464-8-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/464-2-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/464-9-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/464-3-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/2832-26-0x00000000007A0000-0x00000000007DE000-memory.dmp

Filesize
248KB

Download
memory/2832-20-0x00000000007A0000-0x00000000007DE000-memory.dmp

Filesize
248KB

Download
memory/2832-19-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/2832-21-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/2832-22-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/2832-27-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/2832-25-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/2832-24-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/2832-23-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads