gh0strat | 5af86b0fd1ea95488a8dda26395bdf8e4f6d7f2cf55ace9038fb7654e6834089

Analysis

max time kernel
148s
max time network
138s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
18/08/2024, 02:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe
Size

301KB
MD5

a518d48dc3673f41a554879a23433a4a
SHA1

f0ca38356e9eb4dc75c76d12c9e6604400c04616
SHA256

5af86b0fd1ea95488a8dda26395bdf8e4f6d7f2cf55ace9038fb7654e6834089
SHA512

c61b4ce425fcb52cea484895af79181f226aac1120375d4b2c23abb842f7cafd16918b2b42415acb4765044254490f188b2cd383eb505c5289e948a5a8d8ae36
SSDEEP

6144:vm8geJRgCHsM3ImeRsSYQZynHZ8uGjJZ9q6+pwcEwyvOhCrdUv6Fx:FgejgC52DZKotZ9qScYOhCrmvK

Score

10^/10

gh0strat bootkit defense_evasion discovery persistence rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral1/files/0x0008000000017342-46.dat	family_gh0strat
behavioral1/memory/1972-47-0x0000000000400000-0x000000000048F000-memory.dmp	family_gh0strat
behavioral1/memory/2632-49-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral1/memory/1972-72-0x0000000000400000-0x000000000048F000-memory.dmp	family_gh0strat
behavioral1/memory/2632-79-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\drivers\amd32_.sys	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2900	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
1716	jztqtnhlleon.exe
2632	qjjztqtnhlle.exe
2868	jjztqtnhlleo.exe

Loads dropped DLL 16 IoCs

pid	Process
1972	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe
1972	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe
1716	jztqtnhlleon.exe
1716	jztqtnhlleon.exe
1716	jztqtnhlleon.exe
1972	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe
1972	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe
2632	qjjztqtnhlle.exe
2632	qjjztqtnhlle.exe
2632	qjjztqtnhlle.exe
2632	qjjztqtnhlle.exe
1972	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe
1972	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe
2868	jjztqtnhlleo.exe
2868	jjztqtnhlleo.exe
2868	jjztqtnhlleo.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	qjjztqtnhlle.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\cpflhpueg\qjjztqtnhlle.dll	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\qiuqiu.cpp	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe
File created	C:\Program Files\Common Files\qiuqiu.cpp	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe
File created	C:\Program Files\cpflhpueg\jjztqtnhlleo.exe	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe
File created	C:\Program Files\cpflhpueg\qjjztqtnhlle.exe	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe
File created	C:\Program Files\cpflhpueg\jztqtnhlleon.exe	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe
File created	C:\Program Files\Common Files\loveuu.bat	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
840	sc.exe
1804	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jjztqtnhlleo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jztqtnhlleon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qjjztqtnhlle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	qjjztqtnhlle.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	qjjztqtnhlle.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\InProcServer32	jjztqtnhlleo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	jjztqtnhlleo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{603D3801-BD81-11d0-A3A5-00C04FD706EC}	jjztqtnhlleo.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2632	qjjztqtnhlle.exe
2632	qjjztqtnhlle.exe
2632	qjjztqtnhlle.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 1716	1972	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe	30
PID 1972 wrote to memory of 1716	1972	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe	30
PID 1972 wrote to memory of 1716	1972	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe	30
PID 1972 wrote to memory of 1716	1972	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe	30
PID 1972 wrote to memory of 1716	1972	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe	30
PID 1972 wrote to memory of 1716	1972	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe	30
PID 1972 wrote to memory of 1716	1972	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe	30
PID 1716 wrote to memory of 2556	1716	jztqtnhlleon.exe	31
PID 1716 wrote to memory of 2556	1716	jztqtnhlleon.exe	31
PID 1716 wrote to memory of 2556	1716	jztqtnhlleon.exe	31
PID 1716 wrote to memory of 2556	1716	jztqtnhlleon.exe	31
PID 1716 wrote to memory of 2556	1716	jztqtnhlleon.exe	31
PID 1716 wrote to memory of 2556	1716	jztqtnhlleon.exe	31
PID 1716 wrote to memory of 2556	1716	jztqtnhlleon.exe	31
PID 1972 wrote to memory of 2632	1972	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe	34
PID 1972 wrote to memory of 2632	1972	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe	34
PID 1972 wrote to memory of 2632	1972	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe	34
PID 1972 wrote to memory of 2632	1972	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe	34
PID 1972 wrote to memory of 2632	1972	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe	34
PID 1972 wrote to memory of 2632	1972	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe	34
PID 1972 wrote to memory of 2632	1972	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe	34
PID 1972 wrote to memory of 840	1972	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe	35
PID 1972 wrote to memory of 840	1972	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe	35
PID 1972 wrote to memory of 840	1972	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe	35
PID 1972 wrote to memory of 840	1972	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe	35
PID 1972 wrote to memory of 840	1972	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe	35
PID 1972 wrote to memory of 840	1972	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe	35
PID 1972 wrote to memory of 840	1972	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe	35
PID 1972 wrote to memory of 1804	1972	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe	36
PID 1972 wrote to memory of 1804	1972	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe	36
PID 1972 wrote to memory of 1804	1972	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe	36
PID 1972 wrote to memory of 1804	1972	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe	36
PID 1972 wrote to memory of 1804	1972	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe	36
PID 1972 wrote to memory of 1804	1972	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe	36
PID 1972 wrote to memory of 1804	1972	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe	36
PID 1972 wrote to memory of 2868	1972	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe	38
PID 1972 wrote to memory of 2868	1972	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe	38
PID 1972 wrote to memory of 2868	1972	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe	38
PID 1972 wrote to memory of 2868	1972	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe	38
PID 1972 wrote to memory of 2868	1972	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe	38
PID 1972 wrote to memory of 2868	1972	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe	38
PID 1972 wrote to memory of 2868	1972	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe	38
PID 2868 wrote to memory of 596	2868	jjztqtnhlleo.exe	40
PID 2868 wrote to memory of 596	2868	jjztqtnhlleo.exe	40
PID 2868 wrote to memory of 596	2868	jjztqtnhlleo.exe	40
PID 2868 wrote to memory of 596	2868	jjztqtnhlleo.exe	40
PID 2868 wrote to memory of 596	2868	jjztqtnhlleo.exe	40
PID 2868 wrote to memory of 596	2868	jjztqtnhlleo.exe	40
PID 2868 wrote to memory of 596	2868	jjztqtnhlleo.exe	40
PID 1972 wrote to memory of 2900	1972	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe	41
PID 1972 wrote to memory of 2900	1972	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe	41
PID 1972 wrote to memory of 2900	1972	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe	41
PID 1972 wrote to memory of 2900	1972	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe	41
PID 1972 wrote to memory of 2900	1972	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe	41
PID 1972 wrote to memory of 2900	1972	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe	41
PID 1972 wrote to memory of 2900	1972	a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe	41

C:\Users\Admin\AppData\Local\Temp\a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a518d48dc3673f41a554879a23433a4a_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Program Files\cpflhpueg\jztqtnhlleon.exe
  "C:\Program Files\cpflhpueg\jztqtnhlleon.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del "C:\Program Files\cpflhpueg\jztqtnhlleon.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2556
- C:\Program Files\cpflhpueg\qjjztqtnhlle.exe
  "C:\Program Files\cpflhpueg\qjjztqtnhlle.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2632
- C:\Windows\SysWOW64\sc.exe
  sc config RasAuto start= auto
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:840
- C:\Windows\SysWOW64\sc.exe
  sc config RasAuto start= auto
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:1804
- C:\Program Files\cpflhpueg\jjztqtnhlleo.exe
  "C:\Program Files\cpflhpueg\jjztqtnhlleo.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c del C:\PROGRA~1\CPFLHP~1\JJZTQT~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:596
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del C:\Users\Admin\AppData\Local\Temp\A518D4~1.EXE
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\cpflhpueg\jjztqtnhlleo.exe

Filesize
8.9MB

MD5
ebe953b6763046a7617782ecf3368559

SHA1
f0f9d7c4f7f84dcb056383eb69c2fc375c2a98dc

SHA256
aee3de22089428f422be3ac2a8b161b6721f09914a2a0935594fde0159c440e4

SHA512
ba66d4abe0998f80eefb25726808b8a00ea0b98859cdf941e57a2c81172f915923766da56503ec33ac7dc6f4b8d93ea39a91994b88ab4c600a404ec17eb9f539

Download Submit
C:\Program Files\cpflhpueg\qjjztqtnhlle.dll

Filesize
35.7MB

MD5
bbc7e8ef9346b24e1ac251d2736871f8

SHA1
fa164026a5762abbc7e7cbac6b63b3a1a56ea9dc

SHA256
bbf58c01828affac7bf8227b1736167c4d7cdda8b4ee093d00764d886f1e67de

SHA512
0d3c5058420373f8ec518cf7852b6635ba5aafd0a5eee36d42953bd909a5848a27df955c296b34174745a1addb69c16da18f8750f007bebb38bd3fa5784cab91

Download Submit
\Program Files\cpflhpueg\jztqtnhlleon.exe

Filesize
9.0MB

MD5
e175c90f07dfa921bc37207bf9e190e1

SHA1
548b9075e03f11c6c121312829f3fff8b95c03c5

SHA256
95deb74ebc18286da50ce14100ede1e63c10faa983b9034630cce01bbe33bcd4

SHA512
d4fb51634cb3247cbe1f51c20e787f02dc9bd97813627de2910aab05d0df2a68c6c8777eccbfc9aebf3cf87ff353287bf76a974dfbf416f10ed0fe6652bb087e

Download Submit
\Program Files\cpflhpueg\qjjztqtnhlle.exe

Filesize
8.9MB

MD5
1975a1e92d0b710653c3e5e5747b82bb

SHA1
6004bfd01c0658a7313249e2dcda9e8e06a2d75d

SHA256
389369eea660fee226d434858cd87ac5a74ecf3db71320f1536723c53b690fd5

SHA512
8e75eacebde6ff3b881d68411b3b3fc1e1e0bf6b087babdd45988c940c39d90696c6b8d3e1bcfdf94269c7ba592d157813ce33fe5775c52ed3c508bd4d74ee6a

Download Submit
memory/1716-30-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1716-29-0x0000000000020000-0x0000000000026000-memory.dmp

Filesize
24KB

Download
memory/1716-23-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1972-18-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/1972-8-0x0000000000270000-0x0000000000272000-memory.dmp

Filesize
8KB

Download
memory/1972-2-0x00000000002A0000-0x000000000032F000-memory.dmp

Filesize
572KB

Download
memory/1972-3-0x00000000002A0000-0x00000000002DE000-memory.dmp

Filesize
248KB

Download
memory/1972-21-0x00000000002A0000-0x000000000032F000-memory.dmp

Filesize
572KB

Download
memory/1972-20-0x0000000000330000-0x0000000000336000-memory.dmp

Filesize
24KB

Download
memory/1972-19-0x0000000000330000-0x0000000000336000-memory.dmp

Filesize
24KB

Download
memory/1972-0-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/1972-4-0x00000000002A0000-0x00000000002DE000-memory.dmp

Filesize
248KB

Download
memory/1972-28-0x00000000002A0000-0x00000000002DE000-memory.dmp

Filesize
248KB

Download
memory/1972-7-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1972-1-0x00000000002A0000-0x000000000032F000-memory.dmp

Filesize
572KB

Download
memory/1972-6-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/1972-47-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/1972-62-0x0000000000330000-0x0000000000334000-memory.dmp

Filesize
16KB

Download
memory/1972-63-0x0000000000330000-0x0000000000334000-memory.dmp

Filesize
16KB

Download
memory/1972-5-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/1972-73-0x00000000002A0000-0x00000000002DE000-memory.dmp

Filesize
248KB

Download
memory/1972-72-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/2632-50-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2632-49-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2632-79-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2868-69-0x0000000000400000-0x00000000004030CC-memory.dmp

Filesize
12KB

Download
memory/2868-64-0x0000000000400000-0x00000000004030CC-memory.dmp

Filesize
12KB

Download