gh0strat | bdf8fa18ea0694df6a62adea97d87f80569b4d5fe3944a991711cf28ba804866

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2024, 02:28

Target

65ca6c2c69a5adac46a20810466d5b08_JaffaCakes118.exe
Size

11.2MB
MD5

65ca6c2c69a5adac46a20810466d5b08
SHA1

844b018fec0bb6cf5b13e208950a05a64c8d952f
SHA256

bdf8fa18ea0694df6a62adea97d87f80569b4d5fe3944a991711cf28ba804866
SHA512

f3c049a14843ffbe12f674b78f81fb9ecd400c97a1c1b08e7b6f6aa447ad287246af40b76de207f65dbd0e28a35402e574931454038a3e6e2c0e8f42d26fb256
SSDEEP

3072:dnosptz46JhfIf/LPJKHUWyolm9FI4rEJqiFnQCdFB9HJ09VDLX:dn81ErgIq1UQCNa

Score

10^/10

gh0strat rat

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000900000002346b-2.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Loads dropped DLL 1 IoCs

pid	Process
4512	RUNDLL32.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	\??\c:\Program Files\WINDOWSS.INI	65ca6c2c69a5adac46a20810466d5b08_JaffaCakes118.exe
File created	C:\Program Files\temp0\QQ.exe	65ca6c2c69a5adac46a20810466d5b08_JaffaCakes118.exe
File opened for modification	C:\Program Files\temp0\QQ.exe	65ca6c2c69a5adac46a20810466d5b08_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1056	65ca6c2c69a5adac46a20810466d5b08_JaffaCakes118.exe
1056	65ca6c2c69a5adac46a20810466d5b08_JaffaCakes118.exe
1056	65ca6c2c69a5adac46a20810466d5b08_JaffaCakes118.exe
1056	65ca6c2c69a5adac46a20810466d5b08_JaffaCakes118.exe
1056	65ca6c2c69a5adac46a20810466d5b08_JaffaCakes118.exe
1056	65ca6c2c69a5adac46a20810466d5b08_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 4512	1056	65ca6c2c69a5adac46a20810466d5b08_JaffaCakes118.exe	84
PID 1056 wrote to memory of 4512	1056	65ca6c2c69a5adac46a20810466d5b08_JaffaCakes118.exe	84
PID 1056 wrote to memory of 4512	1056	65ca6c2c69a5adac46a20810466d5b08_JaffaCakes118.exe	84
PID 1056 wrote to memory of 3844	1056	65ca6c2c69a5adac46a20810466d5b08_JaffaCakes118.exe	98
PID 1056 wrote to memory of 3844	1056	65ca6c2c69a5adac46a20810466d5b08_JaffaCakes118.exe	98
PID 1056 wrote to memory of 3844	1056	65ca6c2c69a5adac46a20810466d5b08_JaffaCakes118.exe	98

C:\Users\Admin\AppData\Local\Temp\65ca6c2c69a5adac46a20810466d5b08_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\65ca6c2c69a5adac46a20810466d5b08_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Windows\SysWOW64\RUNDLL32.exe
  RUNDLL32 "c:\Program Files\WINDOWSS.INI" main
  2⤵
  - Loads dropped DLL
  PID:4512
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c afc9fe2f418b00a0.bat
  2⤵
  PID:3844

C:\Users\Admin\AppData\Local\Temp\afc9fe2f418b00a0.bat

Filesize
2KB

MD5
94e32d7e317ca37c222de8e6fab020fa

SHA1
1bfc8cbcd461fff109fa601e68373667a07ba939

SHA256
00faf578cee09ba2214fbdf80caef2e5bdf9f228b621227be5767242c1dcf911

SHA512
e03bdc9e767e363a1d7f487210ba0918189a18d23114af16602da3c64b4365377c10b290c362d43a4be70d5ccbffda998d914c0db76d5a21a8d999bf558589ea

Download Submit
\??\c:\Program Files\WINDOWSS.INI

Filesize
10.3MB

MD5
df7197357ded7d938abad18280d4dc18

SHA1
a655b4f56aece1ebb3f4fec194374f5529f65d41

SHA256
6e78fde7e91b99ef304d181a07eba24ee3a84b594b9fe0c5b1f36dc37bd31344

SHA512
49993d9e76aa2585a5843f63285224ca0d450602f084c773335d210087ad9325ce4f769d137a6eb43b381f44caa65cb24242ff0dd6162947d34ed413d70022b0

Download Submit