gh0strat | 3990e73698873edc23c24fa38957e9c1a2c5fdf2b598e02b6fcaad5b65e1d7ee

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2024 03:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a0d447e4df946ca11d280ecdd7633c6_JaffaCakes118.exe
Size

95KB
MD5

6a0d447e4df946ca11d280ecdd7633c6
SHA1

198ce948e6d25ef67ca0f959672c2cf8f81b1e38
SHA256

3990e73698873edc23c24fa38957e9c1a2c5fdf2b598e02b6fcaad5b65e1d7ee
SHA512

72f1357c8dc176aa059a674e20de25a9f14f5b72cf997553f10fe43103e0cbcbb31af9a7c131cec5b8706d6c1b202e01cf57febe9086c9a68a60a9706748c737
SSDEEP

1536:N73XFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prCRiik+:NThS4jHS8q/3nTzePCwNUh4E9qVk+

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x000a0000000233f0-14.dat	family_gh0strat
behavioral2/memory/2036-17-0x0000000000400000-0x000000000044C611-memory.dmp	family_gh0strat
behavioral2/memory/3316-20-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/4160-25-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/3708-30-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
2036	nxtsuebwci

Executes dropped EXE 1 IoCs

pid	Process
2036	nxtsuebwci

Loads dropped DLL 3 IoCs

pid	Process
3316	svchost.exe
4160	svchost.exe
3708	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\mlniyastts	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\mubchdurhn	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\mdpupgwptj	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1840	3316	WerFault.exe	94
4476	4160	WerFault.exe	99
3284	3708	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6a0d447e4df946ca11d280ecdd7633c6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nxtsuebwci
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2036	nxtsuebwci
2036	nxtsuebwci

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	2036	nxtsuebwci
Token: SeBackupPrivilege	2036	nxtsuebwci
Token: SeBackupPrivilege	2036	nxtsuebwci
Token: SeRestorePrivilege	2036	nxtsuebwci
Token: SeBackupPrivilege	3316	svchost.exe
Token: SeRestorePrivilege	3316	svchost.exe
Token: SeBackupPrivilege	3316	svchost.exe
Token: SeBackupPrivilege	3316	svchost.exe
Token: SeSecurityPrivilege	3316	svchost.exe
Token: SeSecurityPrivilege	3316	svchost.exe
Token: SeBackupPrivilege	3316	svchost.exe
Token: SeBackupPrivilege	3316	svchost.exe
Token: SeSecurityPrivilege	3316	svchost.exe
Token: SeBackupPrivilege	3316	svchost.exe
Token: SeBackupPrivilege	3316	svchost.exe
Token: SeSecurityPrivilege	3316	svchost.exe
Token: SeBackupPrivilege	3316	svchost.exe
Token: SeRestorePrivilege	3316	svchost.exe
Token: SeBackupPrivilege	4160	svchost.exe
Token: SeRestorePrivilege	4160	svchost.exe
Token: SeBackupPrivilege	4160	svchost.exe
Token: SeBackupPrivilege	4160	svchost.exe
Token: SeSecurityPrivilege	4160	svchost.exe
Token: SeSecurityPrivilege	4160	svchost.exe
Token: SeBackupPrivilege	4160	svchost.exe
Token: SeBackupPrivilege	4160	svchost.exe
Token: SeSecurityPrivilege	4160	svchost.exe
Token: SeBackupPrivilege	4160	svchost.exe
Token: SeBackupPrivilege	4160	svchost.exe
Token: SeSecurityPrivilege	4160	svchost.exe
Token: SeBackupPrivilege	4160	svchost.exe
Token: SeRestorePrivilege	4160	svchost.exe
Token: SeBackupPrivilege	3708	svchost.exe
Token: SeRestorePrivilege	3708	svchost.exe
Token: SeBackupPrivilege	3708	svchost.exe
Token: SeBackupPrivilege	3708	svchost.exe
Token: SeSecurityPrivilege	3708	svchost.exe
Token: SeSecurityPrivilege	3708	svchost.exe
Token: SeBackupPrivilege	3708	svchost.exe
Token: SeBackupPrivilege	3708	svchost.exe
Token: SeSecurityPrivilege	3708	svchost.exe
Token: SeBackupPrivilege	3708	svchost.exe
Token: SeBackupPrivilege	3708	svchost.exe
Token: SeSecurityPrivilege	3708	svchost.exe
Token: SeBackupPrivilege	3708	svchost.exe
Token: SeRestorePrivilege	3708	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 2036	1692	6a0d447e4df946ca11d280ecdd7633c6_JaffaCakes118.exe	89
PID 1692 wrote to memory of 2036	1692	6a0d447e4df946ca11d280ecdd7633c6_JaffaCakes118.exe	89
PID 1692 wrote to memory of 2036	1692	6a0d447e4df946ca11d280ecdd7633c6_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\6a0d447e4df946ca11d280ecdd7633c6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6a0d447e4df946ca11d280ecdd7633c6_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1692
- \??\c:\users\admin\appdata\local\nxtsuebwci
  "C:\Users\Admin\AppData\Local\Temp\6a0d447e4df946ca11d280ecdd7633c6_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\6a0d447e4df946ca11d280ecdd7633c6_jaffacakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2036

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3316
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3316 -s 1116
  2⤵
  - Program crash
  PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3316 -ip 3316
1⤵
PID:1092

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4160
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 940
  2⤵
  - Program crash
  PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4160 -ip 4160
1⤵
PID:4824

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3708
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 868
  2⤵
  - Program crash
  PID:3284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3708 -ip 3708
1⤵
PID:4692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\nxtsuebwci

Filesize
22.5MB

MD5
cc6319a5c2b639a240187ff12a07fd93

SHA1
25b4360956a013d2d2d97af76c7ef3948c54dd4d

SHA256
475c48ec2f121c1c00a671b7ca4673598160aa0bc5c6dbc3ffa4d4c434a90fa3

SHA512
7f8bae79b23b44be1e4473d79a5c02b378b8c0849003c1a30df58f16803b7d677f7b54cd17da06223d451c76fe23a7b7c3c017401e87ec5955dc2292f16a8389

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
202B

MD5
05b9bc14a68b58141c5a90655dbd33b3

SHA1
46a41b9c55e9080b1fabdcbfa16d614aae31d8fd

SHA256
c0c144acb64219850cb0295b6878dd39fd0fa2fc4dc08eba950d5a0a6af21613

SHA512
f2cdf2bd954544516f0cfc6c9fd7f8154a95127958cafc2db2aa74bf3275092f65afc119f3679b64b2dbca4dffbc33c6dfb77de4d96e98d6a76ae19d93f0aec9

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
303B

MD5
f8848f3a82aa5753121617cee61eccaa

SHA1
2b25d636785da772fdf744091fb5047d39656025

SHA256
157d5215513a33efa4b820f7c3b6a5fed1d134e376dc9a6a9df3f081e3ac89c1

SHA512
6206a29e3e19b199b2d1ffd1a5664f05aa1b640c9f44408e003da3128509fac1da382343d3f98a183feb6187eb8f9b1efaefe358522f0e56f2772034c51c3794

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\idbod.cc3

Filesize
19.1MB

MD5
25a477626a8ae6423ffa3bf84bdbcb61

SHA1
5618f877ca9f20acad8f5b5b26a97380b84e00f9

SHA256
077d12cf64da698c041336e1b917682deaad8296dd72a8833ab4a7c5f5189361

SHA512
fadc34219498e2f955ce393c722b7c0d476bd8965db2be6c7eeb26e10c1444f68d2cdcdd939746e5e08e91054fccd8c4a5ca38cbe5d1eca4aed63a0aa96649ee

Download Submit
memory/1692-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1692-9-0x0000000000400000-0x000000000044C611-memory.dmp

Filesize
305KB

Download
memory/1692-0-0x0000000000400000-0x000000000044C611-memory.dmp

Filesize
305KB

Download
memory/2036-17-0x0000000000400000-0x000000000044C611-memory.dmp

Filesize
305KB

Download
memory/2036-11-0x0000000000400000-0x000000000044C611-memory.dmp

Filesize
305KB

Download
memory/3316-20-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/3316-18-0x00000000011F0000-0x00000000011F1000-memory.dmp

Filesize
4KB

Download
memory/3708-27-0x0000000002000000-0x0000000002001000-memory.dmp

Filesize
4KB

Download
memory/3708-30-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4160-22-0x0000000001E80000-0x0000000001E81000-memory.dmp

Filesize
4KB

Download
memory/4160-25-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download