gh0strat | 8954f89ab35c094149d31786dd2b0861651ddfc0cdc472eb979e1a41d913e050 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

82f2716ba6...18.exe

windows7-x64

82f2716ba6...18.exe

windows10-2004-x64

Sharing

General

Target

82f2716ba60da548c40b7b900d3c8287_JaffaCakes118
Size

198KB
Sample

240802-eked7szard
MD5

82f2716ba60da548c40b7b900d3c8287
SHA1

d8eb82d5ac1fcda00f401de4c5e5ffac125e3872
SHA256

8954f89ab35c094149d31786dd2b0861651ddfc0cdc472eb979e1a41d913e050
SHA512

7eaf4817bbee02b3d8d10ac2da179ab5c5cc9d7560bade08842f8b5660268a16d3cff41a9b7055c736723cb31740a842377808538e414d3ecc8562d3f3c5b21d
SSDEEP

6144:tNny7a4tEGnTH5thy7r+P3QHNmmi25ttBOxjMoF:+btV1thyaQHNxTbAgo

Score

10^/10

gh0strat bootkit discovery persistence rat upx

Static task

static1

4 signatures

Behavioral task

behavioral1

Sample

82f2716ba60da548c40b7b900d3c8287_JaffaCakes118.exe

Resource

win7-20240708-en

gh0strat bootkit discovery persistence rat upx

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

82f2716ba60da548c40b7b900d3c8287_JaffaCakes118.exe

Resource

win10v2004-20240730-en

gh0strat discovery rat upx

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Targets

- Target
  
  82f2716ba60da548c40b7b900d3c8287_JaffaCakes118
- Size
  
  198KB
- MD5
  
  82f2716ba60da548c40b7b900d3c8287
- SHA1
  
  d8eb82d5ac1fcda00f401de4c5e5ffac125e3872
- SHA256
  
  8954f89ab35c094149d31786dd2b0861651ddfc0cdc472eb979e1a41d913e050
- SHA512
  
  7eaf4817bbee02b3d8d10ac2da179ab5c5cc9d7560bade08842f8b5660268a16d3cff41a9b7055c736723cb31740a842377808538e414d3ecc8562d3f3c5b21d
- SSDEEP
  
  6144:tNny7a4tEGnTH5thy7r+P3QHNmmi25ttBOxjMoF:+btV1thyaQHNxTbAgo
Score

10^/10

gh0strat bootkit discovery persistence rat upx
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

Bootkit

Privilege Escalation

Defense Evasion

Modify Registry

Pre-OS Boot

Bootkit

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gh0stratbootkitdiscoverypersistenceratupx

behavioral2

gh0stratdiscoveryratupx

© 2018-2025

Terms | Privacy