gh0strat | fa8897dbf10286460690855f9902b7a4b2ae65328a0650ac3ed1922ead5f9e53

General

Target

962b401701e355f097244730cf24803d_JaffaCakes118.exe
Size

417KB
MD5

962b401701e355f097244730cf24803d
SHA1

1c46d10eed48ab74bd143b13b5e5d0e8a20d5d3e
SHA256

fa8897dbf10286460690855f9902b7a4b2ae65328a0650ac3ed1922ead5f9e53
SHA512

de34976e69a80989076fa5cd8f8833fdb2e14b5e862fe8313181d9fc660150fa771550b15e8bd0b74d25d6a1a790360f4a8f4c9519a43f855c33216d11e4c2bd
SSDEEP

12288:2R4RoOXuDUVtBExF3Z4mxxdXF/jhERUuL:voW5VtBAQmXVF/VCUuL

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000800000001711a-39.dat	family_gh0strat
behavioral1/memory/2724-48-0x0000000000400000-0x0000000000427000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Drivers\beep.sys	4.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\beep.sys	svchost.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibilityex.dll"	4.exe

Executes dropped EXE 1 IoCs

pid	Process
2724	4.exe

Loads dropped DLL 4 IoCs

pid	Process
2304	962b401701e355f097244730cf24803d_JaffaCakes118.exe
2304	962b401701e355f097244730cf24803d_JaffaCakes118.exe
2724	4.exe
2620	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	962b401701e355f097244730cf24803d_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibilityex.dll	4.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	962b401701e355f097244730cf24803d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
476	Process not Found
476	Process not Found

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2724	2304	962b401701e355f097244730cf24803d_JaffaCakes118.exe	31
PID 2304 wrote to memory of 2724	2304	962b401701e355f097244730cf24803d_JaffaCakes118.exe	31
PID 2304 wrote to memory of 2724	2304	962b401701e355f097244730cf24803d_JaffaCakes118.exe	31
PID 2304 wrote to memory of 2724	2304	962b401701e355f097244730cf24803d_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\962b401701e355f097244730cf24803d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\962b401701e355f097244730cf24803d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  2⤵
  - Drops file in Drivers directory
  - Server Software Component: Terminal Services DLL
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2724

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\install.tmp

Filesize
50B

MD5
bca35becd9dd601e1d6f8dc0336ad0f7

SHA1
fdc74b2ccede7ad09e64aeec41a8d36c32f8feec

SHA256
d0e5420f5fc76577b271863fb3e52ea089d432a8b2ad6382854cdaf116a6f731

SHA512
d98826054b930027dd6588fd30a83650f6a90d82d4fa0c7b8151258988144ef310ea2fc9584c186ec9ac972ff739650cb18d14518f3985dfb6bb2ecc9436805f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe

Filesize
65KB

MD5
e84663d8c8180b028c5a02b37ac3d51a

SHA1
67d61e2158e2125d669e1593b604821f48d72075

SHA256
72c7c912680afd3e9092bcc6d5c2c7b9dd20213bb0e4a3349fd43564513ebda4

SHA512
b2e2a6fe65e82afe069868d28790b34423ac716c0ef919fc5a3993c9805038c9fdc4652213949a41d5a2e059b3ab75397add469ce5c4e2ffb2c48e5bdb5464ae

Download Submit
\Users\Admin\AppData\Local\Temp\dll.tmp

Filesize
88KB

MD5
808e73e0355448a1e6d12021c207c81d

SHA1
2cfb9f8b0ae3301448ba88dfe651e1a026cd729e

SHA256
6e751821bf9d5d54300b3ccadb83ae320deca4ca4df2c2855f78cbe90924d5a6

SHA512
fadde2465d4acf780580851fe1cbe41d4f2523930bbee46bb37c926c91c6f3aad443e67b2bd6c84748b2dd016bf6ea241b147c4967a28fdd98b7d48845896239

Download Submit
memory/2304-12-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/2304-23-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download
memory/2304-10-0x00000000030F0000-0x00000000030F1000-memory.dmp

Filesize
4KB

Download
memory/2304-22-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/2304-21-0x0000000000A60000-0x0000000000A61000-memory.dmp

Filesize
4KB

Download
memory/2304-20-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/2304-19-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/2304-18-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/2304-17-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/2304-16-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/2304-15-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/2304-14-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/2304-13-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/2304-1-0x0000000000370000-0x00000000003C4000-memory.dmp

Filesize
336KB

Download
memory/2304-0-0x0000000001000000-0x000000000108E000-memory.dmp

Filesize
568KB

Download
memory/2304-24-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/2304-9-0x00000000030F0000-0x00000000030F1000-memory.dmp

Filesize
4KB

Download
memory/2304-8-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2304-7-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2304-6-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2304-5-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2304-4-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2304-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2304-2-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2304-25-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/2304-26-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/2304-11-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2304-53-0x0000000001000000-0x000000000108E000-memory.dmp

Filesize
568KB

Download
memory/2304-52-0x0000000000370000-0x00000000003C4000-memory.dmp

Filesize
336KB

Download
memory/2724-48-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads