gh0strat | 9e513960a169aad7b17bc9181649a43ee439857edd4f0e8cf09685bdf3cf67ec | Triage

Submit
Reports

Overview

overview

Static

static

668977ea8a...18.exe

windows7-x64

668977ea8a...18.exe

windows10-2004-x64

Sharing

General

Target

668977ea8ab852c01936636d55a8e7e8_JaffaCakes118
Size

112KB
Sample

240729-277etszemg
MD5

668977ea8ab852c01936636d55a8e7e8
SHA1

f61bc0c2beb47a715c949cd3e46dd4609267862d
SHA256

9e513960a169aad7b17bc9181649a43ee439857edd4f0e8cf09685bdf3cf67ec
SHA512

1511a2a80f4a3e925ea54cb51671a1a8a00f69686df5ab790cafd321979778c14a8df22420b6d691ebf50c24eb27a60cf994f3716f249db5ebc22a7d82de70ad
SSDEEP

1536:vqEA70HzLJksPEOajozLElnqiO2cdJ/tHi:vXTLJkQ7zAV3+tC

Score

10^/10

gh0strat runningrat discovery persistence rat

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

668977ea8ab852c01936636d55a8e7e8_JaffaCakes118.exe

Resource

win7-20240704-en

gh0strat runningrat discovery persistence rat

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

668977ea8ab852c01936636d55a8e7e8_JaffaCakes118.exe

Resource

win10v2004-20240709-en

gh0strat runningrat discovery persistence rat

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

gh0strat

C2

p.f2pool.info

Targets

- Target
  
  668977ea8ab852c01936636d55a8e7e8_JaffaCakes118
- Size
  
  112KB
- MD5
  
  668977ea8ab852c01936636d55a8e7e8
- SHA1
  
  f61bc0c2beb47a715c949cd3e46dd4609267862d
- SHA256
  
  9e513960a169aad7b17bc9181649a43ee439857edd4f0e8cf09685bdf3cf67ec
- SHA512
  
  1511a2a80f4a3e925ea54cb51671a1a8a00f69686df5ab790cafd321979778c14a8df22420b6d691ebf50c24eb27a60cf994f3716f249db5ebc22a7d82de70ad
- SSDEEP
  
  1536:vqEA70HzLJksPEOajozLElnqiO2cdJ/tHi:vXTLJkQ7zAV3+tC
Score

10^/10

gh0strat runningrat discovery persistence rat
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- RunningRat
  RunningRat is a remote access trojan first seen in 2018.
  rat runningrat
- Server Software Component: Terminal Services DLL
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Creates a Windows Service
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

Terminal Services DLL

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gh0stratrunningratdiscoverypersistencerat

behavioral2

gh0stratrunningratdiscoverypersistencerat

© 2018-2024

Terms | Privacy