gh0strat | 2560a3a9a14d34cb4714dcce11f72f95c785a03d878405ea81370dc8d4aec550

Analysis

max time kernel
140s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 07:47

Target

5b094985aa2f261bd8156d0a83fae5a9_JaffaCakes118.dll
Size

149KB
MD5

5b094985aa2f261bd8156d0a83fae5a9
SHA1

e7eb485e9179b1096a52b626777689b8fb17e852
SHA256

2560a3a9a14d34cb4714dcce11f72f95c785a03d878405ea81370dc8d4aec550
SHA512

5d91f0ea7d1d7a78d12c6a3ae07379cb2d1d019292eb499b102f5d7230547676b2ff0913561bbd4e36b491d411333fb37ce0c13164aea6a8a7cf98e45c05e60b
SSDEEP

3072:eM7q18GIHdszptVYST72snSIZ6CsavsTKWMNTBftj16VN/:eM7YtxUwID2WMNTBlj1W/

Score

10^/10

gh0strat rat

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral1/memory/2636-0-0x0000000010000000-0x0000000010027000-memory.dmp	family_gh0strat
behavioral1/memory/2636-2-0x0000000010000000-0x0000000010027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\rundll32.exe.txt	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2720	2636	WerFault.exe	30

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 2636	2672	rundll32.exe	30
PID 2672 wrote to memory of 2636	2672	rundll32.exe	30
PID 2672 wrote to memory of 2636	2672	rundll32.exe	30
PID 2672 wrote to memory of 2636	2672	rundll32.exe	30
PID 2672 wrote to memory of 2636	2672	rundll32.exe	30
PID 2672 wrote to memory of 2636	2672	rundll32.exe	30
PID 2672 wrote to memory of 2636	2672	rundll32.exe	30
PID 2636 wrote to memory of 2720	2636	rundll32.exe	31
PID 2636 wrote to memory of 2720	2636	rundll32.exe	31
PID 2636 wrote to memory of 2720	2636	rundll32.exe	31
PID 2636 wrote to memory of 2720	2636	rundll32.exe	31

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5b094985aa2f261bd8156d0a83fae5a9_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\5b094985aa2f261bd8156d0a83fae5a9_JaffaCakes118.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 60
    3⤵
    - Program crash
    PID:2720

memory/2636-0-0x0000000010000000-0x0000000010027000-memory.dmp

Filesize
156KB

Download
memory/2636-2-0x0000000010000000-0x0000000010027000-memory.dmp

Filesize
156KB

Download