gh0strat | 4b850978d0dd91f2e23a7dd125b94c45af3cac42c45943e1adbce9bf448627dc

Analysis

max time kernel
139s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/08/2024, 12:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

960cc2e9dfc91cd09dc11a458eee2796_JaffaCakes118.exe
Size

96KB
MD5

960cc2e9dfc91cd09dc11a458eee2796
SHA1

e64c2bfb409a7af9b8544ea392d45ef53c6e9c1c
SHA256

4b850978d0dd91f2e23a7dd125b94c45af3cac42c45943e1adbce9bf448627dc
SHA512

79958161accb75bcaa0578307ce769741493bb582800fc1ebf4b2aefbf557c4d8158349a90e078d99cdbb68758ab38283d8b8e7711f975d2c5f11c277c7af476
SSDEEP

1536:BAFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8pru8jmyDK:ByS4jHS8q/3nTzePCwNUh4E9u8jmyW

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x000800000002345d-14.dat	family_gh0strat
behavioral2/memory/1104-17-0x0000000000400000-0x000000000044E464-memory.dmp	family_gh0strat
behavioral2/memory/548-21-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/740-27-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/3304-33-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
1104	eqcsweyrey

Executes dropped EXE 1 IoCs

pid	Process
1104	eqcsweyrey

Loads dropped DLL 3 IoCs

pid	Process
548	svchost.exe
740	svchost.exe
3304	svchost.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ntpnhcayiq	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\ntpnhcayiq	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\ncegpfdvvl	svchost.exe
File created	C:\Windows\SysWOW64\nkbtyyxbvu	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3968	548	WerFault.exe	92
5048	740	WerFault.exe	97
4324	3304	WerFault.exe	100

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	960cc2e9dfc91cd09dc11a458eee2796_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eqcsweyrey
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1104	eqcsweyrey
1104	eqcsweyrey

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	1104	eqcsweyrey
Token: SeBackupPrivilege	1104	eqcsweyrey
Token: SeBackupPrivilege	1104	eqcsweyrey
Token: SeRestorePrivilege	1104	eqcsweyrey
Token: SeBackupPrivilege	548	svchost.exe
Token: SeRestorePrivilege	548	svchost.exe
Token: SeBackupPrivilege	548	svchost.exe
Token: SeBackupPrivilege	548	svchost.exe
Token: SeSecurityPrivilege	548	svchost.exe
Token: SeSecurityPrivilege	548	svchost.exe
Token: SeBackupPrivilege	548	svchost.exe
Token: SeBackupPrivilege	548	svchost.exe
Token: SeSecurityPrivilege	548	svchost.exe
Token: SeBackupPrivilege	548	svchost.exe
Token: SeBackupPrivilege	548	svchost.exe
Token: SeSecurityPrivilege	548	svchost.exe
Token: SeBackupPrivilege	548	svchost.exe
Token: SeRestorePrivilege	548	svchost.exe
Token: SeBackupPrivilege	740	svchost.exe
Token: SeRestorePrivilege	740	svchost.exe
Token: SeBackupPrivilege	740	svchost.exe
Token: SeBackupPrivilege	740	svchost.exe
Token: SeSecurityPrivilege	740	svchost.exe
Token: SeSecurityPrivilege	740	svchost.exe
Token: SeBackupPrivilege	740	svchost.exe
Token: SeBackupPrivilege	740	svchost.exe
Token: SeSecurityPrivilege	740	svchost.exe
Token: SeBackupPrivilege	740	svchost.exe
Token: SeBackupPrivilege	740	svchost.exe
Token: SeSecurityPrivilege	740	svchost.exe
Token: SeBackupPrivilege	740	svchost.exe
Token: SeRestorePrivilege	740	svchost.exe
Token: SeBackupPrivilege	3304	svchost.exe
Token: SeRestorePrivilege	3304	svchost.exe
Token: SeBackupPrivilege	3304	svchost.exe
Token: SeBackupPrivilege	3304	svchost.exe
Token: SeSecurityPrivilege	3304	svchost.exe
Token: SeSecurityPrivilege	3304	svchost.exe
Token: SeBackupPrivilege	3304	svchost.exe
Token: SeBackupPrivilege	3304	svchost.exe
Token: SeSecurityPrivilege	3304	svchost.exe
Token: SeBackupPrivilege	3304	svchost.exe
Token: SeBackupPrivilege	3304	svchost.exe
Token: SeSecurityPrivilege	3304	svchost.exe
Token: SeBackupPrivilege	3304	svchost.exe
Token: SeRestorePrivilege	3304	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3892 wrote to memory of 1104	3892	960cc2e9dfc91cd09dc11a458eee2796_JaffaCakes118.exe	87
PID 3892 wrote to memory of 1104	3892	960cc2e9dfc91cd09dc11a458eee2796_JaffaCakes118.exe	87
PID 3892 wrote to memory of 1104	3892	960cc2e9dfc91cd09dc11a458eee2796_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\960cc2e9dfc91cd09dc11a458eee2796_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\960cc2e9dfc91cd09dc11a458eee2796_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3892
- \??\c:\users\admin\appdata\local\eqcsweyrey
  "C:\Users\Admin\AppData\Local\Temp\960cc2e9dfc91cd09dc11a458eee2796_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\960cc2e9dfc91cd09dc11a458eee2796_jaffacakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1104

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:548
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 1040
  2⤵
  - Program crash
  PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 548 -ip 548
1⤵
PID:2696

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:740
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 1112
  2⤵
  - Program crash
  PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 740 -ip 740
1⤵
PID:2332

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3304
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 832
  2⤵
  - Program crash
  PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3304 -ip 3304
1⤵
PID:5096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\eqcsweyrey

Filesize
21.5MB

MD5
e1f2749ff047870d12c8d667491c3e3a

SHA1
e26caa9f475baceae4e11aaac1226f9ecb2b3458

SHA256
ad9325762c47312449a16e413a4c650956f6b7cfb1fdb2e909f1e9595512b1f1

SHA512
ede467fb0baa976cce1b9806d77bf7ed08e03e4d2ab1117aa78f19ce4f780c25270890c1df0b3c7ca6a5c3093f1bdf80e7187cb632c0d6f395d94c0e39f1e247

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
204B

MD5
e73258064471b84d427d68f96512b60c

SHA1
657aeb053564801199a7df7ad9c1325a2a78c102

SHA256
3ab7b4e2f3ee643d58e82c71201642ca50bb8bcfaee7382c00b596ab9d74a0b4

SHA512
651a90b7df84d6c091eac7ef311a684985a5114e731cd51a8d32696b49767f01be8f94f582db091795816a6243bcc904a00e53179d86f40c90fb8a3034f9e821

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
306B

MD5
a94c3516a1a2642fcd20d143a151cced

SHA1
b82078c19985bde7d4f46652cb2bfe74d8f72829

SHA256
606c46bc1b83e06e728dda8bd34ddab2998524e4432d9c205da35160833f2a64

SHA512
fbbaa7bd370ce194856b63417d7a88221047aab9231d2aeec084716827b0821369e6c56a12e38de214661d784ac0b9be6145362f28ac47b559b8fe1119320ec0

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\mcbid.cc3

Filesize
22.1MB

MD5
2aca246ae12b2a8b1be1fd9cee66ad65

SHA1
a5e1330cf910489e6c0764419071d6595fdd9c93

SHA256
9c1f1fca24b1a8fa43a1c46496dce0359fa1ed873ada79ca4ee4250a34b65b1e

SHA512
5c3153a32c696dee854b8226098d4d6c2dea0047bf072f594077b1922625938a4cc273b90e0d7ec190717ca6f925b5767ea231b22acee4f89e879a19bcc6ff11

Download Submit
memory/548-19-0x00000000001D0000-0x00000000001DE000-memory.dmp

Filesize
56KB

Download
memory/548-21-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/548-18-0x00000000017B0000-0x00000000017B1000-memory.dmp

Filesize
4KB

Download
memory/740-24-0x00000000001D0000-0x00000000001DE000-memory.dmp

Filesize
56KB

Download
memory/740-23-0x00000000014A0000-0x00000000014A1000-memory.dmp

Filesize
4KB

Download
memory/740-27-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/1104-17-0x0000000000400000-0x000000000044E464-memory.dmp

Filesize
313KB

Download
memory/1104-11-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1104-9-0x0000000000400000-0x000000000044E464-memory.dmp

Filesize
313KB

Download
memory/3304-31-0x00000000001D0000-0x00000000001DE000-memory.dmp

Filesize
56KB

Download
memory/3304-29-0x0000000001740000-0x0000000001741000-memory.dmp

Filesize
4KB

Download
memory/3304-33-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/3892-0-0x0000000000400000-0x000000000044E464-memory.dmp

Filesize
313KB

Download
memory/3892-7-0x0000000000400000-0x000000000044E464-memory.dmp

Filesize
313KB

Download
memory/3892-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download