gh0strat | 91f15e62533b50e1814daadbdf3e6fde664a9f9d4e08ccdd839a03df5c5e8fac

Analysis

max time kernel
143s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11-08-2024 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b9f228ebcb205a337c0fe39e2e51412_JaffaCakes118.exe
Size

96KB
MD5

8b9f228ebcb205a337c0fe39e2e51412
SHA1

e1a0da6e1917d422cee1f790506979bbe1b81611
SHA256

91f15e62533b50e1814daadbdf3e6fde664a9f9d4e08ccdd839a03df5c5e8fac
SHA512

0ad0d341bfa7abbb1eb0e48d7acac02cc4441550f37f2e9cfca34e5dbe993a083f06bf238964e19c65960e81e8b4263dd7b2efb35282a6bd3af07d3a4d648b8e
SSDEEP

1536:soFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prcf0vmo4:s6S4jHS8q/3nTzePCwNUh4E9rvmo4

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023489-15.dat	family_gh0strat
behavioral2/memory/3296-17-0x0000000000400000-0x000000000044E264-memory.dmp	family_gh0strat
behavioral2/memory/1532-20-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/3272-25-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/4840-30-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
3296	dvcisucgmu

Executes dropped EXE 1 IoCs

pid	Process
3296	dvcisucgmu

Loads dropped DLL 3 IoCs

pid	Process
1532	svchost.exe
3272	svchost.exe
4840	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\eskooppbbk	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\ekvvgmmdno	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\ekvvgmmdno	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
336	1532	WerFault.exe	90
3248	3272	WerFault.exe	96
3468	4840	WerFault.exe	99

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8b9f228ebcb205a337c0fe39e2e51412_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dvcisucgmu

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3296	dvcisucgmu
3296	dvcisucgmu

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	3296	dvcisucgmu
Token: SeBackupPrivilege	3296	dvcisucgmu
Token: SeBackupPrivilege	3296	dvcisucgmu
Token: SeRestorePrivilege	3296	dvcisucgmu
Token: SeBackupPrivilege	1532	svchost.exe
Token: SeRestorePrivilege	1532	svchost.exe
Token: SeBackupPrivilege	1532	svchost.exe
Token: SeBackupPrivilege	1532	svchost.exe
Token: SeSecurityPrivilege	1532	svchost.exe
Token: SeSecurityPrivilege	1532	svchost.exe
Token: SeBackupPrivilege	1532	svchost.exe
Token: SeBackupPrivilege	1532	svchost.exe
Token: SeSecurityPrivilege	1532	svchost.exe
Token: SeBackupPrivilege	1532	svchost.exe
Token: SeBackupPrivilege	1532	svchost.exe
Token: SeSecurityPrivilege	1532	svchost.exe
Token: SeBackupPrivilege	1532	svchost.exe
Token: SeRestorePrivilege	1532	svchost.exe
Token: SeBackupPrivilege	3272	svchost.exe
Token: SeRestorePrivilege	3272	svchost.exe
Token: SeBackupPrivilege	3272	svchost.exe
Token: SeBackupPrivilege	3272	svchost.exe
Token: SeSecurityPrivilege	3272	svchost.exe
Token: SeSecurityPrivilege	3272	svchost.exe
Token: SeBackupPrivilege	3272	svchost.exe
Token: SeBackupPrivilege	3272	svchost.exe
Token: SeSecurityPrivilege	3272	svchost.exe
Token: SeBackupPrivilege	3272	svchost.exe
Token: SeBackupPrivilege	3272	svchost.exe
Token: SeSecurityPrivilege	3272	svchost.exe
Token: SeBackupPrivilege	3272	svchost.exe
Token: SeRestorePrivilege	3272	svchost.exe
Token: SeBackupPrivilege	4840	svchost.exe
Token: SeRestorePrivilege	4840	svchost.exe
Token: SeBackupPrivilege	4840	svchost.exe
Token: SeBackupPrivilege	4840	svchost.exe
Token: SeSecurityPrivilege	4840	svchost.exe
Token: SeSecurityPrivilege	4840	svchost.exe
Token: SeBackupPrivilege	4840	svchost.exe
Token: SeBackupPrivilege	4840	svchost.exe
Token: SeSecurityPrivilege	4840	svchost.exe
Token: SeBackupPrivilege	4840	svchost.exe
Token: SeBackupPrivilege	4840	svchost.exe
Token: SeSecurityPrivilege	4840	svchost.exe
Token: SeBackupPrivilege	4840	svchost.exe
Token: SeRestorePrivilege	4840	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4444 wrote to memory of 3296	4444	8b9f228ebcb205a337c0fe39e2e51412_JaffaCakes118.exe	87
PID 4444 wrote to memory of 3296	4444	8b9f228ebcb205a337c0fe39e2e51412_JaffaCakes118.exe	87
PID 4444 wrote to memory of 3296	4444	8b9f228ebcb205a337c0fe39e2e51412_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\8b9f228ebcb205a337c0fe39e2e51412_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8b9f228ebcb205a337c0fe39e2e51412_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4444
- \??\c:\users\admin\appdata\local\dvcisucgmu
  "C:\Users\Admin\AppData\Local\Temp\8b9f228ebcb205a337c0fe39e2e51412_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\8b9f228ebcb205a337c0fe39e2e51412_jaffacakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3296

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1532
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 1076
  2⤵
  - Program crash
  PID:336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1532 -ip 1532
1⤵
PID:4740

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3272
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 1100
  2⤵
  - Program crash
  PID:3248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3272 -ip 3272
1⤵
PID:3212

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4840
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 940
  2⤵
  - Program crash
  PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4840 -ip 4840
1⤵
PID:4384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\dvcisucgmu

Filesize
19.6MB

MD5
66aac8992cb40be45a33b3c5dde665ca

SHA1
a37865b7e9bfa13db58446e5e5788c8b96ab17c7

SHA256
0a3c5c64f0f5e87c5ed9fe6c69bb850bc229cb45e1bcd58d6e32047d9a4d9a16

SHA512
f586f069469ebccef57b32cc485d7f014947866eba8f22e1fcc92735c6295630f4bd64bfcb1049bb2346401a5270a0388f6cabadee85d1d54029452af9cd97ec

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
202B

MD5
3b3de9f7320885ace4ee1705daf2fd09

SHA1
561681a11532f5b3a86aa443f5dd455bbe10b703

SHA256
614029dd8e39f831cff2413ae1ef59d4a983a676dd9b3cdeefce65f7a6fd300e

SHA512
3e3ce96a89414a566c28615e4408bd951db3a2ad871a17ba8481034720d6cea5b58acb908757ae68d3c743e101c2b97b563fcc0d38b2a42b12b6283c19557cfd

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
303B

MD5
111b39f29c8f108d2d31721a159d982a

SHA1
632ab79b6947bc76cca71bc170a5c323d2cb6b61

SHA256
5aee2a32b9cf48dea368096803ffd70f5661e5290f97485bdffc1cc44cb4c540

SHA512
517fa1117ba7f318f18259ef008450b9121cf59190c44521a84d100036ee629f1fad58baa83a004fcc3f339838a0a21aba54b0a06b5998b441e588beaaab42c3

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\pduhx.cc3

Filesize
20.0MB

MD5
d7a8a6f23131abd937ddec167818c815

SHA1
985bc53cdeba8c7e0136fe038677a95cdd44166a

SHA256
b90acd4dc4adbbb27fb4e9545f3e969be9d9392e58fb552dcd3145c473691cb4

SHA512
704d220c1c11227f11e01ef346c631af8465b122d6b8e19f21a4a3634c594d9d2aacb714aad6261233d904cd8b32973bb3ba5de74b7f68dd2361da0fb3caf208

Download Submit
memory/1532-20-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/1532-18-0x0000000001DF0000-0x0000000001DF1000-memory.dmp

Filesize
4KB

Download
memory/3272-25-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/3272-22-0x00000000013D0000-0x00000000013D1000-memory.dmp

Filesize
4KB

Download
memory/3296-17-0x0000000000400000-0x000000000044E264-memory.dmp

Filesize
312KB

Download
memory/3296-11-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/3296-12-0x0000000000400000-0x000000000044E264-memory.dmp

Filesize
312KB

Download
memory/4444-10-0x0000000000400000-0x000000000044E264-memory.dmp

Filesize
312KB

Download
memory/4444-0-0x0000000000400000-0x000000000044E264-memory.dmp

Filesize
312KB

Download
memory/4444-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/4840-27-0x00000000011F0000-0x00000000011F1000-memory.dmp

Filesize
4KB

Download
memory/4840-30-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download