gh0strat | 8954f89ab35c094149d31786dd2b0861651ddfc0cdc472eb979e1a41d913e050

General

Target

82f2716ba60da548c40b7b900d3c8287_JaffaCakes118.exe
Size

198KB
MD5

82f2716ba60da548c40b7b900d3c8287
SHA1

d8eb82d5ac1fcda00f401de4c5e5ffac125e3872
SHA256

8954f89ab35c094149d31786dd2b0861651ddfc0cdc472eb979e1a41d913e050
SHA512

7eaf4817bbee02b3d8d10ac2da179ab5c5cc9d7560bade08842f8b5660268a16d3cff41a9b7055c736723cb31740a842377808538e414d3ecc8562d3f3c5b21d
SSDEEP

6144:tNny7a4tEGnTH5thy7r+P3QHNmmi25ttBOxjMoF:+btV1thyaQHNxTbAgo

Score

10^/10

gh0strat bootkit discovery persistence rat upx

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral1/files/0x00080000000175e4-11.dat	family_gh0strat
behavioral1/memory/2940-16-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral1/memory/3060-18-0x0000000000400000-0x00000000004BD000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
2720	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2940	server.exe

Loads dropped DLL 3 IoCs

pid	Process
3060	82f2716ba60da548c40b7b900d3c8287_JaffaCakes118.exe
3060	82f2716ba60da548c40b7b900d3c8287_JaffaCakes118.exe
2940	server.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3060-0-0x0000000000400000-0x00000000004BD000-memory.dmp	upx
behavioral1/memory/3060-18-0x0000000000400000-0x00000000004BD000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	server.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Thunder.pic	82f2716ba60da548c40b7b900d3c8287_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Comres.dll	82f2716ba60da548c40b7b900d3c8287_JaffaCakes118.exe
File created	C:\Windows\addins\server.exe	82f2716ba60da548c40b7b900d3c8287_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	82f2716ba60da548c40b7b900d3c8287_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	server.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6F5C6FFDE75F2E539455F2D600FD0CBD4754EC28	82f2716ba60da548c40b7b900d3c8287_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6F5C6FFDE75F2E539455F2D600FD0CBD4754EC28\Blob = 0300000001000000140000006f5c6ffde75f2e539455f2d600fd0cbd4754ec282000000001000000600200003082025c308201c5a0030201020210392663080ad4d6aa447025f97491ccbd300d06092a864886f70d01010405003036313430320603550403132b566572695369676e2054696d65205374616d70696e67205365727669636573205369676e6572202d204732301e170d3131303631383133353634315a170d3339313233313233353935395a3036313430320603550403132b566572695369676e2054696d65205374616d70696e67205365727669636573205369676e6572202d20473230819f300d06092a864886f70d010101050003818d0030818902818100da6277ea36d47d951b51fa1dbcacccdbfcfb1da197bb62bf9a656a399c315573c59d792514f102391a2a35b31cf3b54b54c183875a651e32254b5d53518b30f7fd7bea1b878ad4934c766f5ba737d60b1242156429261b43200345e3dac56c87c3561fa3345b2fc7c6acc9eef5175a471d1d26e97e5910d97b7cb41c446430bb0203010001a36b306930670603551d010460305e801036a1fd20f7e479edac1dd9cf84a3fe50a1383036313430320603550403132b566572695369676e2054696d65205374616d70696e67205365727669636573205369676e6572202d2047328210392663080ad4d6aa447025f97491ccbd300d06092a864886f70d010104050003818100059805eb016e2a8b3491bdbdcbf41d6fa887de7cc00135b2e86884723b6bfe13c4c5bf1cdc819b3b829562d1a3ac54929f062dccc1119f488c8b50a2717965eb1837aa29b64daf0c681bccb15e01a4f705306c1483e995f9dbd4b113563088cddcbe2b6487bd76cd9b8877c49aa331c04f10635948c2dafbf84935f5e1c09495	82f2716ba60da548c40b7b900d3c8287_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3060	82f2716ba60da548c40b7b900d3c8287_JaffaCakes118.exe
2940	server.exe
2940	server.exe
2940	server.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	3060	82f2716ba60da548c40b7b900d3c8287_JaffaCakes118.exe
Token: SeRestorePrivilege	3060	82f2716ba60da548c40b7b900d3c8287_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3060	82f2716ba60da548c40b7b900d3c8287_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 2940	3060	82f2716ba60da548c40b7b900d3c8287_JaffaCakes118.exe	31
PID 3060 wrote to memory of 2940	3060	82f2716ba60da548c40b7b900d3c8287_JaffaCakes118.exe	31
PID 3060 wrote to memory of 2940	3060	82f2716ba60da548c40b7b900d3c8287_JaffaCakes118.exe	31
PID 3060 wrote to memory of 2940	3060	82f2716ba60da548c40b7b900d3c8287_JaffaCakes118.exe	31
PID 3060 wrote to memory of 2720	3060	82f2716ba60da548c40b7b900d3c8287_JaffaCakes118.exe	32
PID 3060 wrote to memory of 2720	3060	82f2716ba60da548c40b7b900d3c8287_JaffaCakes118.exe	32
PID 3060 wrote to memory of 2720	3060	82f2716ba60da548c40b7b900d3c8287_JaffaCakes118.exe	32
PID 3060 wrote to memory of 2720	3060	82f2716ba60da548c40b7b900d3c8287_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\82f2716ba60da548c40b7b900d3c8287_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\82f2716ba60da548c40b7b900d3c8287_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Windows\addins\server.exe
  "C:\Windows\addins\server.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2940
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\82F271~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Thunder.pic

Filesize
25.1MB

MD5
c73552cb6d89163e18086ac6bd399c42

SHA1
fa8904d727c50d51d983c246a33ce091723ae51d

SHA256
1b62353be26feca155efe724000b03873380dcfc4906a4f68bd2731a3ed98929

SHA512
36c57ca61dfe051dd97b8b1e153d247792d3ce3c9f29937a71d3ae2845dfc2a6bc54e9a150ef5f94935f09bd1f61964742132772ce2aa14fc62b29360695c87b

Download Submit
\Windows\addins\server.exe

Filesize
3KB

MD5
89f2fc1c954dc2ce23839f1be4889235

SHA1
19dcd7582c3f0a6d30e239406fe0a018c4475b7e

SHA256
42acb90376d4b5b9c60f457ef3ab2dce684e6ec2ade03bebd672ca9a9ebce82d

SHA512
c46ea15af9760d46cc4c182d27be6115f9ace613f12eb55bc4738fe9c56f97f88a4a3ab902cbc82336bcc77589b1b892479df44fae1ed1ac398c92e1215ac849

Download Submit
memory/2940-14-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/2940-16-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2940-17-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/3060-0-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/3060-13-0x00000000003F0000-0x00000000003F2000-memory.dmp

Filesize
8KB

Download
memory/3060-12-0x00000000003F0000-0x00000000003F2000-memory.dmp

Filesize
8KB

Download
memory/3060-18-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads