gh0strat | 177bdecacc90c4fb1b0a4b4af7d14e5548f6bb58a1c21eca6753c945845043ce

Analysis

max time kernel
142s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25/07/2024, 11:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6f7a107dc916475497c8879a9e961e57_JaffaCakes118.exe
Size

96KB
MD5

6f7a107dc916475497c8879a9e961e57
SHA1

c47ff28d6f76ed36daf1a403dba06497cf5dcd16
SHA256

177bdecacc90c4fb1b0a4b4af7d14e5548f6bb58a1c21eca6753c945845043ce
SHA512

0854a7907c488d958e2604557c9fc7742e633355947d774a23bfd16cda5f865f6ac5483fef98f2ea5de5ccf90cc2d0878ac56e23db4bc5616603437dbc141d08
SSDEEP

1536:foFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8pr+RF1MgI:f6S4jHS8q/3nTzePCwNUh4E9+MgI

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023458-15.dat	family_gh0strat
behavioral2/memory/2056-18-0x0000000000400000-0x000000000044E344-memory.dmp	family_gh0strat
behavioral2/memory/1364-21-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/4124-26-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/3312-31-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
2056	bwjeeoxqor

Executes dropped EXE 1 IoCs

pid	Process
2056	bwjeeoxqor

Loads dropped DLL 3 IoCs

pid	Process
1364	svchost.exe
4124	svchost.exe
3312	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\gemoryqsbe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\gnkcbslwbn	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\gvyujvnuoi	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4624	1364	WerFault.exe	89
3232	4124	WerFault.exe	93
1792	3312	WerFault.exe	96

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6f7a107dc916475497c8879a9e961e57_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bwjeeoxqor
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2056	bwjeeoxqor
2056	bwjeeoxqor

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	2056	bwjeeoxqor
Token: SeBackupPrivilege	2056	bwjeeoxqor
Token: SeBackupPrivilege	2056	bwjeeoxqor
Token: SeRestorePrivilege	2056	bwjeeoxqor
Token: SeBackupPrivilege	1364	svchost.exe
Token: SeRestorePrivilege	1364	svchost.exe
Token: SeBackupPrivilege	1364	svchost.exe
Token: SeBackupPrivilege	1364	svchost.exe
Token: SeSecurityPrivilege	1364	svchost.exe
Token: SeSecurityPrivilege	1364	svchost.exe
Token: SeBackupPrivilege	1364	svchost.exe
Token: SeBackupPrivilege	1364	svchost.exe
Token: SeSecurityPrivilege	1364	svchost.exe
Token: SeBackupPrivilege	1364	svchost.exe
Token: SeBackupPrivilege	1364	svchost.exe
Token: SeSecurityPrivilege	1364	svchost.exe
Token: SeBackupPrivilege	1364	svchost.exe
Token: SeRestorePrivilege	1364	svchost.exe
Token: SeBackupPrivilege	4124	svchost.exe
Token: SeRestorePrivilege	4124	svchost.exe
Token: SeBackupPrivilege	4124	svchost.exe
Token: SeBackupPrivilege	4124	svchost.exe
Token: SeSecurityPrivilege	4124	svchost.exe
Token: SeSecurityPrivilege	4124	svchost.exe
Token: SeBackupPrivilege	4124	svchost.exe
Token: SeBackupPrivilege	4124	svchost.exe
Token: SeSecurityPrivilege	4124	svchost.exe
Token: SeBackupPrivilege	4124	svchost.exe
Token: SeBackupPrivilege	4124	svchost.exe
Token: SeSecurityPrivilege	4124	svchost.exe
Token: SeBackupPrivilege	4124	svchost.exe
Token: SeRestorePrivilege	4124	svchost.exe
Token: SeBackupPrivilege	3312	svchost.exe
Token: SeRestorePrivilege	3312	svchost.exe
Token: SeBackupPrivilege	3312	svchost.exe
Token: SeBackupPrivilege	3312	svchost.exe
Token: SeSecurityPrivilege	3312	svchost.exe
Token: SeSecurityPrivilege	3312	svchost.exe
Token: SeBackupPrivilege	3312	svchost.exe
Token: SeBackupPrivilege	3312	svchost.exe
Token: SeSecurityPrivilege	3312	svchost.exe
Token: SeBackupPrivilege	3312	svchost.exe
Token: SeBackupPrivilege	3312	svchost.exe
Token: SeSecurityPrivilege	3312	svchost.exe
Token: SeBackupPrivilege	3312	svchost.exe
Token: SeRestorePrivilege	3312	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 568 wrote to memory of 2056	568	6f7a107dc916475497c8879a9e961e57_JaffaCakes118.exe	88
PID 568 wrote to memory of 2056	568	6f7a107dc916475497c8879a9e961e57_JaffaCakes118.exe	88
PID 568 wrote to memory of 2056	568	6f7a107dc916475497c8879a9e961e57_JaffaCakes118.exe	88

C:\Users\Admin\AppData\Local\Temp\6f7a107dc916475497c8879a9e961e57_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6f7a107dc916475497c8879a9e961e57_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:568
- \??\c:\users\admin\appdata\local\bwjeeoxqor
  "C:\Users\Admin\AppData\Local\Temp\6f7a107dc916475497c8879a9e961e57_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\6f7a107dc916475497c8879a9e961e57_jaffacakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2056

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1364
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 1060
  2⤵
  - Program crash
  PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1364 -ip 1364
1⤵
PID:3152

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4124
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 1112
  2⤵
  - Program crash
  PID:3232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4124 -ip 4124
1⤵
PID:2228

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3312
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 1104
  2⤵
  - Program crash
  PID:1792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3312 -ip 3312
1⤵
PID:3816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\bwjeeoxqor

Filesize
22.3MB

MD5
9d24fa231af11c37be08f736db4eaa96

SHA1
a3c792483ab490e89e9eb8b9fd3b4097a5ec7893

SHA256
41c20ce4afbf5a1fd84aa5fb8f3ae0d716cb71f2719f9f11b992812b3e0a8c00

SHA512
b48311fda7a39fa2f755e5ac9113bc6476954123389e242b47145c41887aed15cbe3abf6f5681129dc7ac8afaabcb2e07d93fbc5e4066c4ccb897fa75ffd759d

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
202B

MD5
831a85e6c0cd86f5b36667a5bffa555c

SHA1
ad7ccb40c19246370470509e0940b5bf7cef1055

SHA256
f8c2a4c30f9963a93ceb58607cdf0a53b3628c5266acd5ea43360cd7eef8918e

SHA512
08a14056bba99e488031b686a34ac956bab62185a03ddd7e435ef91e03882a5b398ed5f60533462aa997a0512598293d4f6e08442bec3aab9a812e494b9a5669

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
303B

MD5
f628deede4d7f3fbee16e0a7fb2ee212

SHA1
f7d8cc1b72ddf82dc7619db17c5fa3169bf10535

SHA256
20114ef15e653d715fcf4e76e0d44bcb7fe3c28bbce24f08be4c1d150e1996d1

SHA512
73a5da4b755e7ff47e8164141e4dc4981791aab0ff458b912012db3ab04732b5fd0cdb3daa24c9faacec67bee605ea96a0e72f953e1c9e2a978f0aaa5f2cf266

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\upnhl.cc3

Filesize
23.1MB

MD5
e1c5eb90b2a558ffa3117df2c0797a12

SHA1
44ae2e5bb968b2d203be70f95ad790edb99b4f8d

SHA256
a089af2bdce372fa6e21ec5faf9c8467c6013faa03065254f593726bdcc32812

SHA512
49ef803bebcc105a743906cd513bcf97f05cd03f119c62515c5441aa0e412e997678f5dfb2cec2bdd78991824461b99c10e766e37c1ace6a8119cb6799c04246

Download Submit
memory/568-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/568-0-0x0000000000400000-0x000000000044E344-memory.dmp

Filesize
312KB

Download
memory/568-10-0x0000000000400000-0x000000000044E344-memory.dmp

Filesize
312KB

Download
memory/1364-21-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/1364-19-0x00000000013E0000-0x00000000013E1000-memory.dmp

Filesize
4KB

Download
memory/2056-11-0x0000000000400000-0x000000000044E344-memory.dmp

Filesize
312KB

Download
memory/2056-18-0x0000000000400000-0x000000000044E344-memory.dmp

Filesize
312KB

Download
memory/2056-12-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3312-28-0x0000000001CC0000-0x0000000001CC1000-memory.dmp

Filesize
4KB

Download
memory/3312-31-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4124-23-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/4124-26-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download