gh0strat | 19be25c510de09e9ac0f3acd7704bc96e7b6744fdf0ab090fc2efcdb70b4fb71

Analysis

max time kernel
138s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

872a501ce53c3a9281f991d8b8b658fc_JaffaCakes118.exe
Size

96KB
MD5

872a501ce53c3a9281f991d8b8b658fc
SHA1

be1748619b990d141fe1cd1a7387ba07d95e6eb5
SHA256

19be25c510de09e9ac0f3acd7704bc96e7b6744fdf0ab090fc2efcdb70b4fb71
SHA512

b0322fe11cdfc7d91b7cd60ea3e88d031b2dbedefd9183ab706fbc281a07fe613c51c58c560a6a3eb072353f5d84e090b8e80438642a7540ae05b70c30f0768d
SSDEEP

1536:zHFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prFzTqjQOwU:zxS4jHS8q/3nTzePCwNUh4E9snwU

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023438-15.dat	family_gh0strat
behavioral2/memory/1612-18-0x0000000000400000-0x000000000044E304-memory.dmp	family_gh0strat
behavioral2/memory/1172-21-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/2708-26-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/3760-31-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
1612	dktyioeycb

Executes dropped EXE 1 IoCs

pid	Process
1612	dktyioeycb

Loads dropped DLL 3 IoCs

pid	Process
1172	svchost.exe
2708	svchost.exe
3760	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ipturxooux	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\ixinabrmis	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\ixinabrmis	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3016	1172	WerFault.exe	92
4588	2708	WerFault.exe	97
3168	3760	WerFault.exe	100

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dktyioeycb
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	872a501ce53c3a9281f991d8b8b658fc_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1612	dktyioeycb
1612	dktyioeycb

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	1612	dktyioeycb
Token: SeBackupPrivilege	1612	dktyioeycb
Token: SeBackupPrivilege	1612	dktyioeycb
Token: SeRestorePrivilege	1612	dktyioeycb
Token: SeBackupPrivilege	1172	svchost.exe
Token: SeRestorePrivilege	1172	svchost.exe
Token: SeBackupPrivilege	1172	svchost.exe
Token: SeBackupPrivilege	1172	svchost.exe
Token: SeSecurityPrivilege	1172	svchost.exe
Token: SeSecurityPrivilege	1172	svchost.exe
Token: SeBackupPrivilege	1172	svchost.exe
Token: SeBackupPrivilege	1172	svchost.exe
Token: SeSecurityPrivilege	1172	svchost.exe
Token: SeBackupPrivilege	1172	svchost.exe
Token: SeBackupPrivilege	1172	svchost.exe
Token: SeSecurityPrivilege	1172	svchost.exe
Token: SeBackupPrivilege	1172	svchost.exe
Token: SeRestorePrivilege	1172	svchost.exe
Token: SeBackupPrivilege	2708	svchost.exe
Token: SeRestorePrivilege	2708	svchost.exe
Token: SeBackupPrivilege	2708	svchost.exe
Token: SeBackupPrivilege	2708	svchost.exe
Token: SeSecurityPrivilege	2708	svchost.exe
Token: SeSecurityPrivilege	2708	svchost.exe
Token: SeBackupPrivilege	2708	svchost.exe
Token: SeBackupPrivilege	2708	svchost.exe
Token: SeSecurityPrivilege	2708	svchost.exe
Token: SeBackupPrivilege	2708	svchost.exe
Token: SeBackupPrivilege	2708	svchost.exe
Token: SeSecurityPrivilege	2708	svchost.exe
Token: SeBackupPrivilege	2708	svchost.exe
Token: SeRestorePrivilege	2708	svchost.exe
Token: SeBackupPrivilege	3760	svchost.exe
Token: SeRestorePrivilege	3760	svchost.exe
Token: SeBackupPrivilege	3760	svchost.exe
Token: SeBackupPrivilege	3760	svchost.exe
Token: SeSecurityPrivilege	3760	svchost.exe
Token: SeSecurityPrivilege	3760	svchost.exe
Token: SeBackupPrivilege	3760	svchost.exe
Token: SeBackupPrivilege	3760	svchost.exe
Token: SeSecurityPrivilege	3760	svchost.exe
Token: SeBackupPrivilege	3760	svchost.exe
Token: SeBackupPrivilege	3760	svchost.exe
Token: SeSecurityPrivilege	3760	svchost.exe
Token: SeBackupPrivilege	3760	svchost.exe
Token: SeRestorePrivilege	3760	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 1612	4900	872a501ce53c3a9281f991d8b8b658fc_JaffaCakes118.exe	87
PID 4900 wrote to memory of 1612	4900	872a501ce53c3a9281f991d8b8b658fc_JaffaCakes118.exe	87
PID 4900 wrote to memory of 1612	4900	872a501ce53c3a9281f991d8b8b658fc_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\872a501ce53c3a9281f991d8b8b658fc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\872a501ce53c3a9281f991d8b8b658fc_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4900
- \??\c:\users\admin\appdata\local\dktyioeycb
  "C:\Users\Admin\AppData\Local\Temp\872a501ce53c3a9281f991d8b8b658fc_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\872a501ce53c3a9281f991d8b8b658fc_jaffacakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1612

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1172
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 1088
  2⤵
  - Program crash
  PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1172 -ip 1172
1⤵
PID:4420

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2708
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 880
  2⤵
  - Program crash
  PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2708 -ip 2708
1⤵
PID:2564

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3760
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 884
  2⤵
  - Program crash
  PID:3168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3760 -ip 3760
1⤵
PID:4220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\dktyioeycb

Filesize
22.9MB

MD5
9f882f7eb1aea3c2d42e54479c1fad24

SHA1
371994ea00c17c4c40f1cf919ad97c8d0a70fc23

SHA256
d64709fd61141825d6e62b8eadf7d148aa1ce9ee92b5e4c3583ba3ff247dd75d

SHA512
487de35d161f2e592128f0233e0a3761992d6368149d83e529a1a9f97b1788dd014d9e432da12957a5243b10fd403a52c3bf8b6e2299f7578c080ae202e8dc39

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
204B

MD5
c0cce2970ec1155033f6b8d21add74e6

SHA1
d9d5b9145cf5c523e4c22124b7372a485483a150

SHA256
43d22f0c7ac89225673a601690b47f29db04a914d559482c38228b7642a6b2e7

SHA512
644fd9897b3bfafd5626bab8933422fe3a5b7d493fba7c2c8168382adff160b414224e1f64a7134183f8c820297076c1a7f606903d13654d9102d6303aebb789

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
306B

MD5
bcc58b0e4cd389c1a5832c41d83398c5

SHA1
93c59dab18ce947cab937984b8c0098c054491a4

SHA256
70052de8424ea7f5823673763a97645a6360a954854bd2ee049a64ac66698f7f

SHA512
55378115e5522da34a2a40d437ac2542083db600d5fc18af8a1ec995517ae1c60ce4efac1e51255e56e92e718f74d778130ab5459dbede7fcf7ac15124188258

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\bswfg.cc3

Filesize
21.1MB

MD5
75378221a48f92f686b09a05e1ed94d9

SHA1
f23597a7a625161aff10a7398dae377037cf6fbe

SHA256
3b8387810962e5bf0697a3acd61147af9afb2f4e0aa6f38ac5c2c639656bb9f7

SHA512
bb3481116fdfcbc5a0091b29e13c48c114ffd07b7a055994ba68ba0a721b9c3a3cf1b24243766fafbadaaf985024ba0c1592b96141cba52f34898c4271d32e2e

Download Submit
memory/1172-21-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/1172-19-0x00000000013F0000-0x00000000013F1000-memory.dmp

Filesize
4KB

Download
memory/1612-9-0x0000000000400000-0x000000000044E304-memory.dmp

Filesize
312KB

Download
memory/1612-18-0x0000000000400000-0x000000000044E304-memory.dmp

Filesize
312KB

Download
memory/1612-12-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2708-23-0x00000000020A0000-0x00000000020A1000-memory.dmp

Filesize
4KB

Download
memory/2708-26-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/3760-28-0x0000000001700000-0x0000000001701000-memory.dmp

Filesize
4KB

Download
memory/3760-31-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4900-0-0x0000000000400000-0x000000000044E304-memory.dmp

Filesize
312KB

Download
memory/4900-8-0x0000000000400000-0x000000000044E304-memory.dmp

Filesize
312KB

Download
memory/4900-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download