gh0strat | 05ff107131d3bb78a5d1b9ace8b07ee9552eab5c9476eed3dba6d730fc9b9d35

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
25-07-2024 14:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ff2a4ca1236a40cdbde74c086a949d5_JaffaCakes118.exe
Size

223KB
MD5

6ff2a4ca1236a40cdbde74c086a949d5
SHA1

5f451121f14af83791655ad6117813b2facfd963
SHA256

05ff107131d3bb78a5d1b9ace8b07ee9552eab5c9476eed3dba6d730fc9b9d35
SHA512

d8f8335cafb6b6991bc7763549cb4dd21b305ccba93c14e439d64cf412dc4e0f84dce3cf4043fb2dfd3087de2747f2e119a3900daa8dc8558d5ab8fb9beb928f
SSDEEP

6144:ZZM4nDWgRAkPwUrWbi7cJVGpxx9bKwZuwk4GHeqo:1R3PwUdoJI3LK+RT

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral1/memory/2948-0-0x0000000000400000-0x0000000000461000-memory.dmp	family_gh0strat
behavioral1/files/0x000c00000001870b-15.dat	family_gh0strat
behavioral1/memory/2948-22-0x0000000000400000-0x0000000000461000-memory.dmp	family_gh0strat
behavioral1/memory/2948-21-0x0000000010000000-0x000000001001C000-memory.dmp	family_gh0strat
behavioral1/files/0x0007000000012117-26.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
2272	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
2272	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Gkak\Hxcwalkhd.jpg	6ff2a4ca1236a40cdbde74c086a949d5_JaffaCakes118.exe
File created	C:\Program Files (x86)\Gkak\Hxcwalkhd.jpg	6ff2a4ca1236a40cdbde74c086a949d5_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6ff2a4ca1236a40cdbde74c086a949d5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeBackupPrivilege	2948	6ff2a4ca1236a40cdbde74c086a949d5_JaffaCakes118.exe
Token: SeRestorePrivilege	2948	6ff2a4ca1236a40cdbde74c086a949d5_JaffaCakes118.exe
Token: SeBackupPrivilege	2948	6ff2a4ca1236a40cdbde74c086a949d5_JaffaCakes118.exe
Token: SeRestorePrivilege	2948	6ff2a4ca1236a40cdbde74c086a949d5_JaffaCakes118.exe
Token: SeBackupPrivilege	2948	6ff2a4ca1236a40cdbde74c086a949d5_JaffaCakes118.exe
Token: SeRestorePrivilege	2948	6ff2a4ca1236a40cdbde74c086a949d5_JaffaCakes118.exe
Token: SeBackupPrivilege	2948	6ff2a4ca1236a40cdbde74c086a949d5_JaffaCakes118.exe
Token: SeRestorePrivilege	2948	6ff2a4ca1236a40cdbde74c086a949d5_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\6ff2a4ca1236a40cdbde74c086a949d5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6ff2a4ca1236a40cdbde74c086a949d5_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2948

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
1⤵
- Deletes itself
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\2601000.dll

Filesize
101KB

MD5
1995acbdcffb7c31bb8526a4f2381739

SHA1
0f64668b463f9b3eef80392e5311a051ec6cbfe2

SHA256
8eaebbcfa69fbbdd88cdbc9c670b1577efa67116e02387ed302fe482972a0128

SHA512
b841887c6b1a3eaee5c187bf44eeb77e6763f98d97b7080506d9f704afed05f0ea2a7a5e77c4cf1378b9491822151d5de6a2d3695d5936d7d8a40c1347fd338b

Download Submit
C:\Program Files (x86)\Gkak\Hxcwalkhd.jpg

Filesize
6.2MB

MD5
bc2049ada39428c5156f8be75a010ade

SHA1
c6edd95b7436f64e2b57fd98a1d8c1f6673f01b6

SHA256
8e9d8c00fc164aa1f4fdbe7903beb8440dad09b68f3480e823651724970f3327

SHA512
0e5911def2a6f48afee87711c3b738a65076d351d5d9e734121dd3872e7254db5592d52094ac98b2e7a6c056940ebc161cca4a63b65a7de149f7fab67e6ecdf5

Download Submit
\??\c:\NT_Path.jpg

Filesize
99B

MD5
1adca87e5c165485bcfa582692a2432e

SHA1
3c24d656b018a197e4cb10cc88a3ea383f88f6e1

SHA256
9892192196edf5d5b16810e6db329e8be3c1eff5bbb5dd09f03c677e019e9050

SHA512
3d002493e8e71168a02e2051441c302209320386bd6237131b81399248fa2aa41ae82597e6dd4351d955e62a4996d7bf3871e9bb16b17a61ccd317e9c6e594f7

Download Submit
memory/2948-7-0x0000000002570000-0x000000000261C000-memory.dmp

Filesize
688KB

Download
memory/2948-5-0x0000000000760000-0x0000000000870000-memory.dmp

Filesize
1.1MB

Download
memory/2948-3-0x0000000000730000-0x0000000000754000-memory.dmp

Filesize
144KB

Download
memory/2948-9-0x00000000023E0000-0x0000000002470000-memory.dmp

Filesize
576KB

Download
memory/2948-8-0x0000000001E50000-0x0000000001F50000-memory.dmp

Filesize
1024KB

Download
memory/2948-0-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2948-11-0x0000000002470000-0x0000000002510000-memory.dmp

Filesize
640KB

Download
memory/2948-4-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2948-19-0x0000000000730000-0x0000000000754000-memory.dmp

Filesize
144KB

Download
memory/2948-23-0x00000000008C0000-0x0000000000921000-memory.dmp

Filesize
388KB

Download
memory/2948-22-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2948-21-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/2948-2-0x0000000000730000-0x0000000000754000-memory.dmp

Filesize
144KB

Download
memory/2948-1-0x00000000008C0000-0x0000000000921000-memory.dmp

Filesize
388KB

Download