gh0strat | 4fb51ca96177d18be97e26591287358e13e868d69c7b2794c8af06568658ab3b | Triage

Submit
Reports

Overview

overview

Static

static

7

5f2988ab77...18.exe

windows7-x64

5f2988ab77...18.exe

windows10-2004-x64

Sharing

Copy URL Twitter E-mail

General

Target

5f2988ab779dd3ef70914f4d208bf6b9_JaffaCakes118
Size

140KB
Sample

240720-fyg8pa1fle
MD5

5f2988ab779dd3ef70914f4d208bf6b9
SHA1

66d2309f54c6262ca377e048f04abfa7ba783f80
SHA256

4fb51ca96177d18be97e26591287358e13e868d69c7b2794c8af06568658ab3b
SHA512

195e29f45ec8c003f3f89c81979a3284e2d9914241ec9a07700537d8474a0b6b7bbfbbb8a0402ea7f3742d2d03a069a34dfdcff5dbc7ef16d99f413fee3e1939
SSDEEP

3072:UBqhYZFlRL6eQvAn9RraPEDknMfDISyU4n:3MFlRL6eOMLIS5o

Score

10^/10

gh0strat bootkit persistence rat vmprotect

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

5f2988ab779dd3ef70914f4d208bf6b9_JaffaCakes118.exe

Resource

win7-20240704-en

gh0strat bootkit persistence rat vmprotect

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

5f2988ab779dd3ef70914f4d208bf6b9_JaffaCakes118.exe

Resource

win10v2004-20240709-en

gh0strat bootkit persistence rat vmprotect

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Targets

- Target
  
  5f2988ab779dd3ef70914f4d208bf6b9_JaffaCakes118
- Size
  
  140KB
- MD5
  
  5f2988ab779dd3ef70914f4d208bf6b9
- SHA1
  
  66d2309f54c6262ca377e048f04abfa7ba783f80
- SHA256
  
  4fb51ca96177d18be97e26591287358e13e868d69c7b2794c8af06568658ab3b
- SHA512
  
  195e29f45ec8c003f3f89c81979a3284e2d9914241ec9a07700537d8474a0b6b7bbfbbb8a0402ea7f3742d2d03a069a34dfdcff5dbc7ef16d99f413fee3e1939
- SSDEEP
  
  3072:UBqhYZFlRL6eQvAn9RraPEDknMfDISyU4n:3MFlRL6eOMLIS5o
Score

10^/10

gh0strat bootkit persistence rat vmprotect
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Server Software Component: Terminal Services DLL
  persistence
- Sets service image path in registry
  persistence
- Deletes itself
- Loads dropped DLL
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Pre-OS Boot

Bootkit

Server Software Component

Terminal Services DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Pre-OS Boot

Bootkit

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gh0stratbootkitpersistenceratvmprotect

behavioral2

gh0stratbootkitpersistenceratvmprotect

© 2018-2025

Terms | Privacy