gh0strat | 91915f8cff1470b8c27f9c7f8f4cde0e1d0a4213d801f7ea2f001726a9ca657c

General

Target

a13d65f738b8ec8c6eb6e4483893f1f3_JaffaCakes118.exe
Size

196KB
MD5

a13d65f738b8ec8c6eb6e4483893f1f3
SHA1

063ee081a472f81eea4b56ef724b56fe48d9fe5f
SHA256

91915f8cff1470b8c27f9c7f8f4cde0e1d0a4213d801f7ea2f001726a9ca657c
SHA512

0c520e8cc53fa181355a662f219e24397bdaa5bcda77e6d076a7d80f4b0cbc1aa3fb30bae7f7d29f5fb80882f03623009fd88d3b4a314b5c17db9f5044776a38
SSDEEP

6144:03L8mS6bFSjzJmMWGw0GxXpsYgoSzoBtcmkxRU:5N6UEGw0I2cuxO

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 7 IoCs

resource	yara_rule
behavioral1/memory/2176-0-0x0000000000400000-0x0000000000431000-memory.dmp	family_gh0strat
behavioral1/memory/2176-6-0x0000000010000000-0x000000001001D000-memory.dmp	family_gh0strat
behavioral1/files/0x000700000001211b-4.dat	family_gh0strat
behavioral1/files/0x0008000000015fd9-10.dat	family_gh0strat
behavioral1/memory/2176-14-0x0000000000400000-0x0000000000431000-memory.dmp	family_gh0strat
behavioral1/memory/2704-16-0x0000000010000000-0x000000001001D000-memory.dmp	family_gh0strat
behavioral1/memory/2704-18-0x0000000010000000-0x000000001001D000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Drivers\beep.sys	a13d65f738b8ec8c6eb6e4483893f1f3_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\beep.sys	svchost.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibilityex.dll"	a13d65f738b8ec8c6eb6e4483893f1f3_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2704	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2176	a13d65f738b8ec8c6eb6e4483893f1f3_JaffaCakes118.exe
2704	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibilityex.dll	a13d65f738b8ec8c6eb6e4483893f1f3_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a13d65f738b8ec8c6eb6e4483893f1f3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
476	Process not Found
476	Process not Found

C:\Users\Admin\AppData\Local\Temp\a13d65f738b8ec8c6eb6e4483893f1f3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a13d65f738b8ec8c6eb6e4483893f1f3_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Server Software Component: Terminal Services DLL
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2176

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Drops file in Drivers directory
- Deletes itself
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\release.tmp

Filesize
95KB

MD5
bf93cb5471d672773a92b84eef09152a

SHA1
53980124e2c138c4f822deb9800be6996ed1c3e2

SHA256
e8ac74d844b965f9aa5b61d736cb75234b59e031358770acedbca45cfb13bad9

SHA512
5e75312d51e9537aa5736e1d1b4a1767895fe48aafe149dd3892593139d771ff73a09b5fea88e27e4c4c9e7592beb46e2cc827615001156fcfba882e447726e1

Download Submit
C:\Windows\SysWOW64\install.tmp

Filesize
84B

MD5
4d9b1bb62ae302315a41f3ec92ea632e

SHA1
1540946d498883b0a92d5e3867274d7e6a94e872

SHA256
27bdaac6ac7fc98d049cb1dc6b9241003477f58e18d5f53c5fbd9d61eb9a9328

SHA512
bdc6d7186088869d04fdfe7f005d9e4b573b315463ad6689a03ba5e2b7ba3057d273f1255b15eda22da7701ce96a12fc4816c71c64eac219498a3f8adc8a332a

Download Submit
\Users\Admin\AppData\Local\Temp\dll.tmp

Filesize
95KB

MD5
809b5fa11122d7965129d2962aaffb0a

SHA1
a7f70fce7334627f54d862df57fbd59856a82a8c

SHA256
6d4666ab96e3cb4e4c34077d3cba9d38aea1c5ecbcbe5d394c4f710d704d2ced

SHA512
32062a7e01f34b0f08cbd33e5a9b892dabd6a1a3298c3e2b43217c5e3332780c1cf752b6ba5a7ff2de1d8c8ddf093a8861c5e0bbdd1a582280f0dd9a7a410296

Download Submit
memory/2176-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2176-6-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/2176-14-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2704-16-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/2704-18-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing