gh0strat | e4753bccc9ed1a89db4c4a21925a470e56a47d2c0ff1a71e6a6c54d267e92f87

General

Target

a4b1e68248d4a72d4e01c8c1063fca82_JaffaCakes118.exe
Size

384KB
MD5

a4b1e68248d4a72d4e01c8c1063fca82
SHA1

5ca575a41a8213846f0546486cbfcbecd8e51a1d
SHA256

e4753bccc9ed1a89db4c4a21925a470e56a47d2c0ff1a71e6a6c54d267e92f87
SHA512

106fe7b3fc02b79bccea06ff57762bd1878f6278181d94a7ede9322a3f0b1dcfb5e2dfc071b2a90506fb5dfb7e8ea5de3f74962970769c4ce8752937d53f1b81
SSDEEP

12288:GdcNedlaTF3Z4mxxyWznGc+L+NAwizaUd4AeG:EPdlgQmXyWznGPMQaUZ

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral1/files/0x00080000000120fc-33.dat	family_gh0strat
behavioral1/files/0x000800000001749f-35.dat	family_gh0strat
behavioral1/memory/2280-39-0x0000000000400000-0x0000000000471000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Drivers\beep.sys	a4b1e68248d4a72d4e01c8c1063fca82_JaffaCakes118.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibilityex.dll"	a4b1e68248d4a72d4e01c8c1063fca82_JaffaCakes118.exe

Loads dropped DLL 2 IoCs

pid	Process
2280	a4b1e68248d4a72d4e01c8c1063fca82_JaffaCakes118.exe
2872	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibilityex.dll	a4b1e68248d4a72d4e01c8c1063fca82_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a4b1e68248d4a72d4e01c8c1063fca82_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

C:\Users\Admin\AppData\Local\Temp\a4b1e68248d4a72d4e01c8c1063fca82_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a4b1e68248d4a72d4e01c8c1063fca82_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Server Software Component: Terminal Services DLL
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2280

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259541078_res.tmp

Filesize
99KB

MD5
9b3d9e793507ac00d8387183f22db0eb

SHA1
83cc9fe037fe8146f38ce9be4afc94ee862cb07b

SHA256
c31d45a49b0906d17adc94a3d7424eb1d21c7a12b9942c6855f8b12a84ca1270

SHA512
dc45791012eb2a6e88ca644b48dc58efc8f16bdefebdc4aad8ae80ce38d774d991943cca80228e6cbbaf0493bd07e0de7c52979490c54e7d616c3a738f9a6a54

Download Submit
\Users\Admin\AppData\Local\Temp\259541031_ex.tmp

Filesize
99KB

MD5
c2d4f11aed885097f15944444435facb

SHA1
06f90c5a9397fbc4f2242fc2c6737e6599537497

SHA256
74f1e94dea0986e011d2176e478a246e75998fc9e190dcd7b4a310603c82347a

SHA512
e983537afcb89a808e4bbe2d2f96329ff88abca37edc15a673d4ff96fccca0a9dfa57442cb0356b5f1be4410ae1b4707d0f42eda99e3e55d651a05ca456443dc

Download Submit
memory/2280-18-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/2280-2-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2280-39-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2280-29-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2280-28-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2280-27-0x0000000003180000-0x0000000003183000-memory.dmp

Filesize
12KB

Download
memory/2280-16-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2280-25-0x0000000001F80000-0x0000000001F81000-memory.dmp

Filesize
4KB

Download
memory/2280-24-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/2280-23-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/2280-22-0x0000000001F40000-0x0000000001F41000-memory.dmp

Filesize
4KB

Download
memory/2280-21-0x0000000001F60000-0x0000000001F61000-memory.dmp

Filesize
4KB

Download
memory/2280-20-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2280-19-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/2280-0-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2280-41-0x0000000000280000-0x00000000002D4000-memory.dmp

Filesize
336KB

Download
memory/2280-26-0x0000000001F70000-0x0000000001F71000-memory.dmp

Filesize
4KB

Download
memory/2280-15-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2280-14-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/2280-13-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/2280-12-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/2280-11-0x0000000003190000-0x0000000003192000-memory.dmp

Filesize
8KB

Download
memory/2280-10-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2280-8-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2280-7-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2280-6-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2280-5-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2280-4-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2280-3-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2280-17-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/2280-1-0x0000000000280000-0x00000000002D4000-memory.dmp

Filesize
336KB

Download
memory/2280-9-0x00000000031A0000-0x00000000031A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing